On Wed, 4 Jun 2014, Valery Smyslov wrote:
> I've already asked co-chairs for a slot to present null-auth in a private e-mail.
Great :) We should probably add a comment about rekeying. If the responder becomes the initiator, it might run into issues. Possibly an entity that did not authenticate the peer should not initiate a rekey.

There is also the case where A uses null auth to an authenticated B, and B then gets independently triggered to set up a null auth connection to A. We haven't fully figured out how to deal with this other than "if we see our own IPSECKEY record, don't initiate null auth", but I'm not sure if that covers everyone's use case.

Paul

ps. i also still prefer AUTH_NONE over "NULL AUTH", as to me NULL looks more like an error while "none" conveys intent.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
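The two rules Paul sketches (an endpoint that never authenticated its peer should not initiate a rekey; don't initiate null auth toward a peer whose IPSECKEY record is our own key) can be written down as a small policy model. The following is an added example, not code from this thread or from any IKE implementation: the `IkeSa` record, the `AuthMethod` names and the way the "B gets independently triggered" case is handled (refuse a second null-auth SA to a peer we already hold an unauthenticated SA with) are assumptions chosen for illustration; the thread itself leaves that last case open.

```python
"""Policy model for the IKEv2 null-authentication edge cases raised in the
thread: who may initiate a rekey, and when a node should refrain from
initiating a null-auth connection at all. Illustrative only; the data
structures and rule names are assumptions, not any implementation's API."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable


class AuthMethod(Enum):
    # Spelling follows the thread's preference for "AUTH_NONE";
    # wire encodings are not modelled here.
    AUTH_NONE = "none"
    PSK = "psk"
    SIGNATURE = "signature"


@dataclass(frozen=True)
class IkeSa:
    """One side's view of an established IKE SA.

    IKEv2 authentication is asymmetric: each peer picks its own AUTH method,
    so a node records both how it authenticated to the peer and how the
    peer authenticated to it."""
    local_addr: str
    peer_addr: str
    local_auth: AuthMethod   # how we proved our identity to the peer
    peer_auth: AuthMethod    # how the peer proved its identity to us
    we_were_initiator: bool

    def peer_is_authenticated(self) -> bool:
        return self.peer_auth is not AuthMethod.AUTH_NONE


def may_initiate_rekey(sa: IkeSa) -> bool:
    """Rule from the thread: an entity that did not authenticate its peer
    should not initiate a rekey. The original initiator/responder role is
    irrelevant; what matters is whether we verified the other side."""
    return sa.peer_is_authenticated()


def should_initiate_null_auth(local_pubkeys: FrozenSet[str],
                              peer_ipseckey_pubkeys: FrozenSet[str],
                              existing_sas: Iterable[IkeSa],
                              peer_addr: str) -> bool:
    """Decide whether to start a null-auth IKE SA toward peer_addr.

    1. "If we see our own IPSECKEY record, don't initiate null auth": the
       key published for the peer is one of ours, so this is ourselves.
    2. Assumed handling of the mirror case: if we already hold an SA with
       this peer in which either side is unauthenticated, reuse it rather
       than racing a second null-auth SA in the other direction.
    """
    if local_pubkeys & peer_ipseckey_pubkeys:
        return False
    for sa in existing_sas:
        if sa.peer_addr == peer_addr and AuthMethod.AUTH_NONE in (sa.local_auth, sa.peer_auth):
            return False
    return True


if __name__ == "__main__":
    # Constructed scenario: A authenticates B by signature, B accepts A with AUTH_NONE.
    a_view = IkeSa("A", "B", AuthMethod.AUTH_NONE, AuthMethod.SIGNATURE, we_were_initiator=True)
    b_view = IkeSa("B", "A", AuthMethod.SIGNATURE, AuthMethod.AUTH_NONE, we_were_initiator=False)
    print("A may rekey:", may_initiate_rekey(a_view))   # A verified B
    print("B may rekey:", may_initiate_rekey(b_view))   # B never verified A
    print("B starts null auth to A:",
          should_initiate_null_auth(frozenset({"keyB"}), frozenset({"keyA"}), [b_view], "A"))
```

The asymmetry is the point: the same SA looks different from each end, and only the end that actually verified its peer is in a position to drive the rekey.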