BTW, we have 3 possibilities for indicating "anonymous" ID.
1. Don't send ID Payload at all.
2. Send empty ID Payload (say, Type = 0, Len=0).
3. Send special ID Payload (say, Type=KeyId, Value="anonymous")

For me, case 3 looks the worst, I'd rather to avoid special values.
Case 1 looks the best from theoretical point of view, but
it will add complexity to already over-complicated IKE_AUTH
state machine (note, that currently ID Payload is mandatory).
For me case 2 looks like an acceptable compromise.

I don't think this complicates the state machine that much, as it's
clearly distinct by the auth type none payload. My preference is for #1.

Thank you for sharing your opinion. I still think that empty
ID is preferable, as IMHO it will add less complexity to
implementation. I'd still like to know more opinions on this.

Multiple clients behind the same NAT router with transport mode would use
different NATed UDP ports. The IPsec server can differentiate incoming
packets this way. But for outgoing UDP packet streams (not UDP replies)
it would need to know which of the clients using the same IP this packet
would need to get encrypted to. You would need some kind of "mark"
associating the SA with the socket. For *swan we did this with an "SAref"
marker. It would use ip_conntrack and put an SPI based iptables MARK
on the packet. For new connections originating from the IPsec gateway,
you could set a socket option (IP_IPSEC_BINDREF) if you know the SPI/MARK.

I got your point. But this problem is unrelated to NULL Auth and even
to OE, IMHO. So I don't think it must be addressed in this draft.

If draft says that in case of NULL Auth ID Payload SHOULD be sent empty
and MUST be ignored by receiver, will it satisfy you?

Yes, that would be perfect.

Great.

By the way, I do prefer the name "auth none" over "auth null". To me,
'null' embodies more of an error condition.

My reasons for selecting this name were the following.
First, we define new Authentication Method in IANA. A method
is some essence, that defines how authentication has to be done.
For me "NONE authentication" implies that this essence doesn't
exist at all, while "NULL authentication" implies that this essence
(authentication) exists, but performs no real action (is dummy).
For me it sounds a bit better, as we define an essence in IANA.
And second, I had a similar example - NULL Encryption Algorithm
in ESP. For some reason it was named NULL, not NONE,
so I just decided to follow this tradition.

Disclaimer: English is not my native language, so my
arguments for the naming may look a bit silly.

Paul

Regards,
Valery.
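The three ways of signalling an anonymous ID discussed above, together with the proposed receiver rule ("SHOULD be sent empty, MUST be ignored"), as an added Python example that is not part of the list discussion or any *swan code. The payload layout follows the IKEv2 Identification payload in RFC 7296 section 3.5; using ID Type 0 to mean "empty" is an assumption taken from the thread, not an IANA assignment, and the FQDN value is constructed.

```python
import struct
from typing import Optional, Tuple

# IKEv2 values from RFC 7296: payload types and ID types.
PAYLOAD_NONE, PAYLOAD_IDI = 0, 35
ID_FQDN, ID_KEY_ID = 2, 11
ID_TYPE_EMPTY = 0  # assumption: the "Type = 0, Len = 0" empty ID from the thread

def build_id_payload(id_type: int, data: bytes, next_payload: int = PAYLOAD_NONE) -> bytes:
    """Encode an Identification payload: generic header (Next Payload,
    Critical/RESERVED, Payload Length) then ID Type, 3 RESERVED bytes, data."""
    length = 4 + 4 + len(data)
    return struct.pack("!BBHBxxx", next_payload, 0, length, id_type) + data

def parse_id_payload(buf: bytes) -> Tuple[int, int, bytes]:
    """Return (next_payload, id_type, identification_data); reject truncated
    or mis-sized payloads instead of reading past the buffer."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed 8-byte header")
    next_payload, _crit, length, id_type = struct.unpack("!BBHB", buf[:5])
    if length < 8 or length > len(buf):
        raise ValueError("bad Payload Length")
    return next_payload, id_type, buf[8:length]

def peer_identity(id_payload: Optional[bytes], null_auth: bool) -> Optional[bytes]:
    """Receiver rule from the thread: with NULL auth the ID payload, present
    or not, MUST be ignored and the peer is anonymous (None). With a real
    authentication method the ID is mandatory and must carry a value."""
    if null_auth:
        return None
    if id_payload is None:
        raise ValueError("ID payload is mandatory unless auth method is NULL")
    _, id_type, data = parse_id_payload(id_payload)
    if id_type == ID_TYPE_EMPTY or not data:
        raise ValueError("empty ID is not acceptable for an authenticated peer")
    return data

def accepts(id_payload: Optional[bytes], null_auth: bool) -> bool:
    """True if the receiver would accept this ID/auth combination."""
    try:
        peer_identity(id_payload, null_auth)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    empty = build_id_payload(ID_TYPE_EMPTY, b"")           # option 2
    keyid = build_id_payload(ID_KEY_ID, b"anonymous")       # option 3
    print(empty.hex(), parse_id_payload(keyid), peer_identity(None, True))  # option 1
```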
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec