Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt

Yaron Sheffer <> Tue, 04 March 2014 21:15 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 19CE01A02F8 for <>; Tue, 4 Mar 2014 13:15:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QyEiRTcCe_rv for <>; Tue, 4 Mar 2014 13:15:21 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c03::22b]) by (Postfix) with ESMTP id 7A2021A02D6 for <>; Tue, 4 Mar 2014 13:15:21 -0800 (PST)
Received: by with SMTP id t61so126832wes.16 for <>; Tue, 04 Mar 2014 13:15:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=97J+OrqOzxiPadxroIs9B2RPzG6Z0zt4kshgiEknruM=; b=SAy+eu0U6cvmFJ925+oAy58LKttNVyLpAKIUGHznW9SC1xrnqc5ntr3eajStb9ZW+i i5f51TtU4QkfaCo9en64rdqQr+dXkntVodkOgY4SczYttcw0e3KN099H6GmiinMWqAjK LdUn1M0Cb1xkKeGB0V3vubHEzfYVgQBc0YeB95ykfWPi59vIUVHmcbhho5QtO6bor+Nx EkIn/GGtaBAGwtB4u/tkvkfgP+KT3l3NEPQSWtyvyYI6L2c6G9pK4Wo+VMUBQMO+/bvW JOmmENyD3NpZL/t2gnelFhIHmCCcHZxTJAXioku7Kyt6viWKDUyPITSwtkLKBudtIYS+ s5Tw==
X-Received: by with SMTP id ep6mr2717224wjd.76.1393967717655; Tue, 04 Mar 2014 13:15:17 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id ci4sm621282wjc.21.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 04 Mar 2014 13:15:17 -0800 (PST)
Message-ID: <>
Date: Tue, 04 Mar 2014 23:15:14 +0200
From: Yaron Sheffer <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Tero Kivinen <>, Paul Wouters <>
References: <B1B032692C7045B7AEA06166F8AC9B9F@buildpc> <> <01FD5F789A0A406F9CCFC3033EA6721B@buildpc> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: " WG" <>, Valery Smyslov <>
Subject: Re: [IPsec] Fw: New Version Notification for draft-smyslov-ipsecme-ikev2-null-auth-01.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Mar 2014 21:15:24 -0000

> The second use case does not require any anonymity:
>     o  Two peers without any trust relationship want to get some level of
>        security in their communications.  Without trust relationship they
>        cannot prevent active Man-in-the-Middle attacks, but it is still
>        possible to prevent passive eavesdropping with opportunistic
>        encryption.  In this case they have to perform unauthenticated key
>        exchange.
> Actually even the first use case, having non-authenticated identity
> would still be useful in some cases. For example if I will protect my
> home server with null-authenticated IPsec, people most likely will
> still want to verify my servers authentication, and they might want to
> provide meaningful unauthenticated ID, even when it is not needed. The
> meaningful ID might be something that is not meaningful in global
> context, but it might be meaningful for me, i.e. just nickname or
> similar.
> If they want to do something where I would require them to do
> authentication then I would most likely still use my (self signed)
> certificate based authentication for server (with certificate pinning
> and TLSA records in DNSSEC signed zone), and they would use similar
> locally meaningful ID and raw public key to authenticate themselves to
> my server.
> I.e. I will see the upgrade path from null-auth -> raw public keys
> very logical in small private use setups.

And once we start using raw public keys (or self signed certs), we can 
use out-of-band means to upgrade the identity from "claimed but 
unauthenticated" to "authenticated". This is what we're proposing in