Raj Singh writes:
> I agree with Tero's explanation and Valery's objection as well.
> There is a discrepancy between 3.5 and 4.

Not really. Not all requirements need to be in one place. One place can say that XXX is required and another place can say that YYY is also required, but only if doing ZZZ.

> 1. Section 4 mandates certificates but section 3.5 doesn't.

Section 3.5 does not and should not say anything about certificates; it just lists which ID types there are and which of them need to be supported.

> 2. It's seen in practice that some implementations use IP addresses as
> default ID even though they are using certificate-based authentication
> or they are behind NAT.

And this is allowed, and section 3.5 says that ID_IPV4_ADDR support is mandatory (and ID_IPV6_ADDR is mandatory for IPv6-capable implementations). Nothing in section 4 claims otherwise, so they are still mandatory to accept from the other end. On the other hand, section 4 does not require ID_IPV*_ADDR to be one of those which can be configured to be used, and it adds one more requirement compared to what section 3.5 said, i.e. it says that if PKIX certificates are used then implementations also need to be able to use ID_DER_ASN1_DN.

> This is of NO use as explained by Tero and should be discouraged in the
> draft, and proper ID types, i.e. ID_DER_ASN1_DN for certificate-based
> authentication, should be encouraged.

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
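As an added illustration of the payload this thread argues about (example code written for this page, not from the draft or from either poster): a parser for the IKEv2 Identification payload laid out in section 3.5 (generic payload header, ID Type, three RESERVED octets, Identification Data) plus a check that encodes the minimum set of ID types a responder must accept as the reply reads sections 3.5 and 4. The build helper and the sample address are constructed for the demo.

```python
import ipaddress
import struct

# IKEv2 Identification payload ID types (RFC 7296, section 3.5).
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR = 1, 2, 3
ID_IPV6_ADDR, ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 5, 9, 10, 11


def build_id_payload(id_type, data, next_payload=0):
    """Constructed helper: generic header (Next Payload, C/RESERVED,
    Payload Length) followed by ID Type, RESERVED (3 octets) and data."""
    body = bytes([id_type, 0, 0, 0]) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Parse one IDi/IDr payload and decode the identification data
    for the address and name types; DN/GN/KEY_ID stay as raw bytes."""
    if len(raw) < 8:
        raise ValueError("payload too short")
    _next_payload, _flags, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("payload length field does not match data")
    id_type, reserved, data = raw[4], raw[5:8], raw[8:]
    if reserved != b"\x00\x00\x00":
        raise ValueError("RESERVED octets must be zero")
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV6_ADDR and len(data) == 16:
        return id_type, str(ipaddress.IPv6Address(data))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return id_type, data.decode("ascii")
    return id_type, data


def id_type_mandatory_to_accept(id_type, pkix_certs_in_use, ipv6_capable=True):
    """Section 3.5: ID_IPV4_ADDR always, ID_IPV6_ADDR when IPv6-capable.
    Section 4 adds ID_DER_ASN1_DN when PKIX certificates are used.
    This is the accept side only; what may be configured to be sent
    is a separate question, as the reply points out."""
    mandatory = {ID_IPV4_ADDR}
    if ipv6_capable:
        mandatory.add(ID_IPV6_ADDR)
    if pkix_certs_in_use:
        mandatory.add(ID_DER_ASN1_DN)
    return id_type in mandatory


if __name__ == "__main__":
    sample = build_id_payload(ID_IPV4_ADDR, bytes([192, 0, 2, 10]))
    print(parse_id_payload(sample))  # (1, '192.0.2.10')
```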