On 07/22/2014 11:26 AM, Michael Richardson wrote:
Ted Lemon <[email protected]> wrote:
>> It is a switch to request integrity only. Or to only allow integrity
>> only. Either party MUST be able to reject an integrity only
>> negotiation.
> That's not good enough. It should be the case that integrity-only
> negotiations are rejected by default, unless there's no protocol
> requirement for confidentiality. If there is no need for
> confidentiality, then the answer to the DISCUSS should be "there is no
> need for confidentiality."
All of those knobs, correctly labelled, are all there already. Really.
The code has the knobs, but Ted's question is whether the spec has the knobs.
Something like
"default transform lists MUST NOT provide any of the integrity only
suites. These MAY be offered only by explicit configuration."
This discussion is about NULL, which is quite a misnomer...
But back in the days...
If you look at the HIP exchange, R1 contains the offered list, and I2
either contains the requested suite, or a counter list. Both are signed
(in HIP-BEX) and thus can only be spoofed for anonymous HITs.
_______________________________________________
Hipsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/hipsec
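The R1/I2 transform negotiation and the proposed default-list rule from this thread, as an added Python model that is not from the thread or from any HIP implementation; the suite names, the Policy class and the allow_integrity_only knob are constructed stand-ins, and the HI signatures mentioned above are not modelled.

```python
# Added example: models the policy "default transform lists MUST NOT provide
# integrity-only suites; they MAY be offered only by explicit configuration",
# and "either party MUST be able to reject an integrity-only negotiation".
from dataclasses import dataclass, field

# Constructed suite names (not real HIP ESP transform IDs). "NULL" means no
# encryption, i.e. an integrity-only suite.
INTEGRITY_ONLY = {"NULL-SHA256"}
DEFAULT_PREFERENCE = ["AES-GCM", "AES-CBC-SHA256", "NULL-SHA256"]


@dataclass
class Policy:
    # Assumed knob: integrity-only suites are off unless explicitly enabled.
    allow_integrity_only: bool = False
    preference: list = field(default_factory=lambda: list(DEFAULT_PREFERENCE))

    def offered_list(self):
        # R1: the responder's offered list, filtered by its own policy.
        return [t for t in self.preference
                if t not in INTEGRITY_ONLY or self.allow_integrity_only]


def initiator_choose(r1_list, policy):
    # I2: the initiator picks its most preferred suite that R1 offered and
    # that its own policy permits; None means it rejects the negotiation.
    for t in policy.preference:
        if t in r1_list and (t not in INTEGRITY_ONLY or policy.allow_integrity_only):
            return t
    return None


def responder_accept(r1_list, chosen, policy):
    # The responder checks I2 against what it actually offered (a suite it
    # never offered indicates tampering or a counter-list it must evaluate)
    # and against its own integrity-only policy.
    if chosen not in r1_list:
        return False
    return chosen not in INTEGRITY_ONLY or policy.allow_integrity_only


def negotiate(responder, initiator):
    # Full exchange: returns the agreed suite, or None if either side rejects.
    r1 = responder.offered_list()
    chosen = initiator_choose(r1, initiator)
    if chosen is None or not responder_accept(r1, chosen, responder):
        return None
    return chosen
```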