Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt

Yaron Sheffer <> Mon, 03 March 2014 23:04 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 49B431A027E for <>; Mon, 3 Mar 2014 15:04:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NPcfGz9-eAmV for <>; Mon, 3 Mar 2014 15:04:45 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c03::234]) by (Postfix) with ESMTP id F07CA1A0269 for <>; Mon, 3 Mar 2014 15:04:44 -0800 (PST)
Received: by with SMTP id p61so2826127wes.25 for <>; Mon, 03 Mar 2014 15:04:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=conpgL0rqIY3LnZzmDxVEqcIOpNThy0xc7ZF5hrAqmo=; b=D/KheFXw2ygR+XIt8LB81gtHj2/rEEPTr5X6/j8WmrG/X2QWO+G4v/qX/2LN0xiv2z YADBHDSQx6/rcNZhkT4/K3Pb8+FPqg90N/GBikijH+gnlgKQRDoMvz/J9bSCmlZmMMQt FYp65bQaZ+Me97hTsWhco1PAoYET5qIKD5KhUdJB8D1OTKWNCsYrP7y7b2dXhgwam2N0 i4a90nPL7/RX1DaUyjzAvxbwWSV7UnQHlZNtWSaqW12D1LANgfkY0RculdJjo//PCbft /rDP/nFXBgpehtfBanUMSZX5zBMRmDdcd3c8Rg/GFBiMMYRTnUoN3Npcp9H2R70iWHJo n88A==
X-Received: by with SMTP id ch8mr22279011wjb.13.1393887881403; Mon, 03 Mar 2014 15:04:41 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id xt1sm42540470wjb.17.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 03 Mar 2014 15:04:41 -0800 (PST)
Message-ID: <>
Date: Tue, 04 Mar 2014 01:04:39 +0200
From: Yaron Sheffer <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Paul Wouters <>, Tero Kivinen <>
References: <B1B032692C7045B7AEA06166F8AC9B9F@buildpc> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: " WG" <>, Valery Smyslov <>
Subject: Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 03 Mar 2014 23:04:47 -0000

Hi Paul,

Quoting from the abstract: "This method may be used to preserve 
anonymity or in situations, where no trust relationship exists between 
the parties." You seem to assume that all clients want to be anonymous. 
IMHO "unauthenticated" does not necessarily imply "anonymous". When I 
talk to someone on the plane and they tell me their name, they are not 
authenticated and they may well be lying. But in general, they are not 
anonymous either.


On 03/04/2014 12:57 AM, Paul Wouters wrote:
> On Mon, 3 Mar 2014, Tero Kivinen wrote:
>> It would be better to say that if you are sending empty ID payload,
>> you msut use ID_KEY_ID type which already allows any data, including
>> empty.
> That could work, if we really don't want to allow this document to
> change the ID payload from mandatory to optional (which I would prefer)
>> Actually I now noticed you changed the "SHOULD be ignored" to "MUST be
>> ignored", and I think that is again bad idea. I think logging and
>> auditing the ID for problem solving purposes is good idea even if it
>> does not have any meaning for the authentication. I.e. at least then I
>> can contact helpdesk and say that my NULL authentication connection to
>> server failed, and I have no idea why, can you help. Oh, my ID
>> payload had ID_KEY_ID 0324234mkdsff43r5, if that helps you to find it
>> from your logs...
> I disagree strongly. The point here is that the client is anonymous. We
> should not add things that can be traced to a user. Someone will badly
> abuse this "feature" like you are suggesting for "diagnostics" and
> inadvertly compromise the client's anonimity.
> Paul
> _______________________________________________
> IPsec mailing list