IETF Logo Mail Archive

Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth

"Graham Bartlett (grbartle)" <grbartle@cisco.com> Fri, 23 January 2015 16:28 UTC

Return-Path: <grbartle@cisco.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA71B1A9121 for <ipsec@ietfa.amsl.com>; Fri, 23 Jan 2015 08:28:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id biObSsYwkRaK for <ipsec@ietfa.amsl.com>; Fri, 23 Jan 2015 08:28:22 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 440C71A8BC2 for <ipsec@ietf.org>; Fri, 23 Jan 2015 08:28:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6448; q=dns/txt; s=iport; t=1422030502; x=1423240102; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=claxjj15jj7aOjWYFo3x5D/jC3yxhIFvhDC1ICi8XdQ=; b=ILHU6pfsiWptjPqFOLIdNjggudm8SwHt8ENPfpJucqPs0ah8NYJ/bxrg j8L+BbkCDlxeT1GupPFluhN3nfUgZnBRIUQ8VvuiXixYiU1B9AKCYE9UL Q9wBbHP4pFLlYORPRqqWO/hxUZ3nGQyAUDaFg794W0ngM5y7ubX+2bUC4 U=;
X-Files: smime.p7s : 3708
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqcFAA92wlStJV2U/2dsb2JhbABagmQigSoExCqIFgKBF0MBAQEBAX2EDQEBBHkQAgEIOwsCMCUCBA4FDogeAdIwAQEBAQEBAQEBAQEBAQEBAQEBAQEYjxYBEAE1GweEKQWOZoFSgSmGHpI1IoIygTxvgQQIFyJ+AQEB
X-IronPort-AV: E=Sophos;i="5.09,454,1418083200"; d="p7s'?scan'208";a="116982012"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-3.cisco.com with ESMTP; 23 Jan 2015 16:28:21 +0000
Received: from xhc-aln-x14.cisco.com (xhc-aln-x14.cisco.com [173.36.12.88]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id t0NGSLBs022290 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 23 Jan 2015 16:28:21 GMT
Received: from xmb-aln-x13.cisco.com ([fe80::5404:b599:9f57:834b]) by xhc-aln-x14.cisco.com ([173.36.12.88]) with mapi id 14.03.0195.001; Fri, 23 Jan 2015 10:28:21 -0600
From: "Graham Bartlett (grbartle)" <grbartle@cisco.com>
To: Paul Wouters <paul@nohats.ca>
Thread-Topic: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth
Thread-Index: AQHQLDEvWj2UvEEBVE2YSG7LuRawAJy41OiAgAUqD8OAAQo5gIAAERKAgA9FIQA=
Date: Fri, 23 Jan 2015 16:28:20 +0000
Message-ID: <D0E8103C.38B87%grbartle@cisco.com>
References: <5E3BDAA5-B0C8-4004-8FFE-25B91199D7EC@vpnc.org> <D0D61010.3756D%grbartle@cisco.com> <363A367E1CF64C4C98586DC57F1AC987@buildpc> <D0DB345D.37DEF%grbartle@cisco.com> <alpine.LFD.2.10.1501131803240.3286@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1501131803240.3286@bofh.nohats.ca>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.6.141106
x-originating-ip: [10.55.146.101]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3504875299_26366303"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/Pn_0SQ5Ra6Hser1uqa3iI7MxOW0>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>
Subject: Re: [IPsec] WG Last Call on "The NULL Authentication Method in IKEv2 Protocol" draft-smyslov-ipsecme-ikev2-null-auth
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jan 2015 16:28:28 -0000

Hi Paul


Sorry for the late reply. Hopefully the following is more clear?

When designing systems which will provide connectivity for
non-authenticated users, the system SHOULD be designed with the capacity
to support not only the maximum intended number of peers, but also include
an additional number of sessions which are created due to malicious or
erroneous behaviour. This safety margin will allow a system to still
operate safely under load until it is exceeded.


On 13/01/2015 23:16, "Paul Wouters" <paul@nohats.ca> wrote:

>>
>>What I was alluding to is covered now in section 3.2 (and in Paul's
>>email). However I think some final words at the end of 3.2 such as 'For
>>this reason systems should be designed to accommodate legitimate and
>>non-legitimate non-authenticated peers', would then make this message
>>crystal clear.
>
>Can you propose text? I personally find "legitimate and non-legitimate
>non-authenticated peers" very unclear. I don't think a server can ever
>tell those two aparts based on IKE.

v2.23.0 | Report a Bug | By Email