On Fri, Jan 22, 2010 at 5:15 PM, Tero Kivinen <kivi...@iki.fi> wrote:
>
> Raj Singh writes:
> > I agree with Tero explanation and Valery objection as well.
> > There is discrepancy between 3.5 and 4.
>
> Not really. Not all requirements needs to be in one place. One place
> can say that XXX is required and another place can say that also YYY
> is required, but only if doing ZZZ.
>
> > 1. Section 4 mandates certificates but section 3.5 doesn't.
>
> Section 3.5 does not and should not say anything about certificates,
> it just lists which ID types there are which of them needs to be
> supported.

Agree. But it should mandate ID_DER_ASN1_DN which it doesn't.
>
> > 2. Its seen in practice that some implementation uses IP addresses as
> > default ID even though they are
> > using certificate based authentication or they are behind NAT.
>
> And this is allowed and section 3.5 sees that ID_IPV4_ADDR support is
> mandatory (and ID_IPV6_ADDR is mandatory for IPv6-capable
> implementations).
>
> Nothing in the section 4 claims otherwise, so they are still mandatory
> to accept from the other end.
>
> On the other hand section 4 does not require ID_IPV*_ADDR address to
> be one of those which can be configured to be used and it adds one
> more requirement compared to what section 3.5 said i.e. it says that
> if PKIX certificates are used then implementations also need to
> be able to use ID_DER_ASN1_DN.

To put my point simply:
1. Section 3.5:
    -----------------
   Two implementations will interoperate only if each can generate a
   type of ID acceptable to the other.  To assure maximum
   interoperability, implementations MUST be configurable to send at
   least one of ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, or ID_KEY_ID, and
   MUST be configurable to accept all of these types.
   -------------------

   Here we are mandating that an implementation MUST be configurable to
   accept four ID types, without any mention of ID_DER_ASN1_DN.

   Section 4:
   ---------------
   For an implementation to be called conforming to this specification,
   it MUST be possible to configure it to accept the following:

   - PKIX Certificates containing and signed by RSA keys of size 1024
      or 2048 bits, where the ID passed is any of ID_KEY_ID, ID_FQDN,
      ID_RFC822_ADDR, or ID_DER_ASN1_DN.
   ----------------

  Here we are also mandating that an implementation MUST be configurable
  to accept ID_DER_ASN1_DN.

This is what I was referring to when I said that there is some discrepancy
between 3.5 and 4.

As PKIX support is a MUST for implementations of ikev2bis, we can't say that
we are adding one more requirement if PKIX is supported.
>
> > This is of NO use as explained by Tero and should be discouraged in the
> > draft, and proper ID types, i.e. ID_DER_ASN1_DN for
> > certificate-based authentication, should be encouraged.
> --
> kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
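The two requirement lists quoted in the message above (section 3.5's four ID types, and section 4's list that adds ID_DER_ASN1_DN when PKIX certificates are used) are easy to check mechanically. The following is an added example, not code from the list message or from any IKEv2 implementation: a small IKEv2 Identification payload encoder/parser plus a function that reports which required ID types a given "accept" configuration is missing, with and without PKIX authentication. The ID type numbers are the IKEv2 Identification payload registry values and the payload layout is the generic IKEv2 payload header followed by ID Type and three RESERVED octets; the sample IDs, the gateway names and the tiny DER Name are constructed for the example.

```python
"""Added example (not from the IPsec list thread or any IKEv2 stack): encode
and parse IKEv2 Identification payloads and check an implementation's
"accept" configuration against the ikev2bis section 3.5 and section 4 lists.

Assumptions: ID type values as in the IKEv2 Identification payload registry;
payload = generic header (Next Payload, C|RESERVED, Payload Length) followed
by ID Type, 3 RESERVED octets and the Identification Data.
"""
import ipaddress
import struct

ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

ID_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_RFC822_ADDR: "ID_RFC822_ADDR",
    ID_IPV6_ADDR: "ID_IPV6_ADDR",
    ID_DER_ASN1_DN: "ID_DER_ASN1_DN",
    ID_KEY_ID: "ID_KEY_ID",
}

# Section 3.5: every implementation MUST be configurable to accept all of these.
SECTION_3_5_ACCEPT = frozenset({ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_KEY_ID})
# Section 4: with PKIX certificates the ID passed may be any of these, so they
# MUST be acceptable as well; ID_DER_ASN1_DN only appears here.
SECTION_4_PKIX_ACCEPT = frozenset({ID_KEY_ID, ID_FQDN, ID_RFC822_ADDR, ID_DER_ASN1_DN})

GENERIC_HDR = struct.Struct("!BBH")  # Next Payload, C|RESERVED, Payload Length
ID_HDR = struct.Struct("!B3x")       # ID Type, 3 RESERVED octets


def build_id_payload(id_type, data, next_payload=0):
    """Encode an IDi/IDr payload; Payload Length covers the generic header too."""
    body = ID_HDR.pack(id_type) + data
    return GENERIC_HDR.pack(next_payload, 0, GENERIC_HDR.size + len(body)) + body


def parse_id_payload(raw):
    """Return (id_type, identification_data); reject inconsistent lengths."""
    min_len = GENERIC_HDR.size + ID_HDR.size
    if len(raw) < min_len:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _crit, length = GENERIC_HDR.unpack_from(raw, 0)
    if length != len(raw) or length < min_len:
        raise ValueError("Payload Length does not match the octets received")
    (id_type,) = ID_HDR.unpack_from(raw, GENERIC_HDR.size)
    return id_type, raw[min_len:]


def decode_id(id_type, data):
    """Render Identification Data in printable form, validating it per type."""
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 octets")
        return str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV6_ADDR:
        if len(data) != 16:
            raise ValueError("ID_IPV6_ADDR must carry exactly 16 octets")
        return str(ipaddress.IPv6Address(data))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        if b"\x00" in data:  # no NUL terminator is permitted in these types
            raise ValueError("FQDN/RFC822 IDs must not contain NUL")
        return data.decode("ascii")
    if id_type in (ID_DER_ASN1_DN, ID_KEY_ID):
        return data.hex()  # opaque: a DER-encoded Name, or a key identifier
    raise ValueError(f"unsupported ID type {id_type}")


def missing_required_types(accepted, pkix_auth):
    """Names of ID types a conforming implementation must be configurable to
    accept but which `accepted` lacks. Without PKIX only section 3.5 applies;
    with PKIX the section 4 list (adding ID_DER_ASN1_DN) is required too."""
    required = set(SECTION_3_5_ACCEPT)
    if pkix_auth:
        required |= SECTION_4_PKIX_ACCEPT
    return sorted(ID_NAMES[t] for t in required - set(accepted))


if __name__ == "__main__":
    # Constructed samples, including the case discussed on the list: a peer
    # that authenticates with a certificate but still sends its IPv4 address.
    der_name_cn_gw = bytes.fromhex("300d310b300906035504030c026777")  # CN=gw
    for raw in (
        build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address("192.0.2.10").packed),
        build_id_payload(ID_FQDN, b"gw.example.net"),
        build_id_payload(ID_DER_ASN1_DN, der_name_cn_gw),
    ):
        id_type, data = parse_id_payload(raw)
        print(f"{ID_NAMES[id_type]:<15} {decode_id(id_type, data)}")
    print("missing without PKIX:", missing_required_types(SECTION_3_5_ACCEPT, False))
    print("missing with PKIX:   ", missing_required_types(SECTION_3_5_ACCEPT, True))
```

Run as a script it prints the three decoded IDs, then an empty list for the non-PKIX case and `['ID_DER_ASN1_DN']` for the PKIX case, which is exactly the extra requirement the message says section 4 adds on top of section 3.5.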
