And this is not the only contradiction between RFC5996 and RFC4945 -
the latter requires ID_IPV*_ADDR to match the source IP address of the IKE
packet by default, while the former explicitly allows not doing it
in any case.

RFC4945 requires that implementations "MUST be capable of verifying"
the ID_IPV*_ADDR and IP-address of the packet. RFC5996 says that IKEv2
does not require such check. There is no contradiction there.

RFC4945 requires (MUST) this check to be done by default, treats a mismatch as
an error and allows (MAY) skipping this check only for interoperability purposes.
Probably not a contradiction, but some inconsistency, in my opinion.

Yes, adding a reference to RFC4945 might be useful; it was not done
in RFC4306 as RFC4945 was not ready at that time. Most likely
we should have added it when doing RFC5996, but we didn't.

Perhaps add a reference to RFC4945 at the end of section 3.5,
Identification Payloads, in RFC5996bis?

Yes, and some explanatory text about the inconsistencies between the approaches
to matching the ID to the certificate.
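As an added illustration (not code from this thread or from any IKE implementation), the RFC4945 policy under discussion in Python: parse an IKEv2 Identification payload using the RFC5996 section 3.5 layout, and compare an ID_IPV4_ADDR or ID_IPV6_ADDR against the packet's source address, enforcing a match by default with the interoperability override as an explicit flag. Function names, verdict strings and the sample payloads are my own assumptions.

```python
"""RFC4945-style check of ID_IPV*_ADDR against the IKE packet source.
Added example, not from the mailing-list thread or any implementation.
Payload layout per RFC5996 section 3.5: generic header (Next Payload,
C/Reserved, Length), then ID Type, 3 RESERVED bytes, Identification Data."""
import ipaddress
import struct

ID_IPV4_ADDR = 1   # RFC5996 ID type values
ID_IPV6_ADDR = 5
ADDR_TYPES = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16}   # expected data length


def parse_id_payload(payload: bytes):
    """Parse an IDi/IDr payload including its generic header.
    Returns (id_type, id_data); raises ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    id_type = payload[4]            # bytes 5..7 are RESERVED and ignored
    data = payload[8:]
    if id_type in ADDR_TYPES and len(data) != ADDR_TYPES[id_type]:
        raise ValueError("address ID has wrong length for its type")
    return id_type, data


def check_id_against_source(payload: bytes, src_ip: str,
                            enforce: bool = True) -> str:
    """RFC4945 policy: an IP-address ID MUST match the packet source by
    default and a mismatch is an error ('mismatch-rejected': the caller
    must fail IKE_AUTH). enforce=False is the interoperability MAY the
    thread discusses. Non-address ID types are outside this check."""
    id_type, data = parse_id_payload(payload)
    if id_type not in ADDR_TYPES:
        return "not-applicable"
    id_addr = ipaddress.ip_address(data)      # accepts packed bytes
    if id_addr == ipaddress.ip_address(src_ip):
        return "match"
    return "mismatch-rejected" if enforce else "mismatch-tolerated"


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Constructed helper for samples: header + type + 3 reserved + data."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(data), id_type) + data
```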

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
