Re: IKEv2 SA rekeying - naming an initial SA
At 15:42 -0700 8/25/03, Nicolas Williams wrote:
>On Mon, Aug 25, 2003 at 08:39:36AM -0400, Stephen Kent wrote:
>> At 8:39 -0700 8/22/03, Nicolas Williams wrote:
>> >If there will never be anon IPsec then the AUTH values will do - but I'd
>> >like to not discount the possibility that there might be an anon IPsec
>> >formulation in the future.
>>
>> Any admin managing an IPsec environment has the ability to issue
>> credentials that are effectively anonymous, and that allows the
>> effect of anonymous use of IPsec, in a given context. Unless the WG
>> changes direction in a significant way, to support unauthenticated
>> IPsec, then it would be inappropriate to use the possibility of this
>> change as an input in deciding on how to make a decision re this IKE
>> v2 authentication issue.
>
>Sure, but this does not dispose of the issue - you're merely rejecting
>one rationale for specifying a "session ID" as anything other than the
>AUTH values. But then, if the WG ignores the session ID issue we can
>default to using the AUTH values as such, since they are bound to the
>KE.

I'm rejecting an argument for why we should change the specs to
accommodate a function that we can already provide, irrespective of
the discussion about session IDs.

Steve