Hi Yoav,

>> AUTH_ANON ? Although I think AUTH_NONE is more in line with how we name
>> things.
>
> I don't agree that it is anonymous.  It says that the identity was not
> authenticated, it didn't say that no identity was provided.

> Section 2.2 says that “As peer identity is meaningless in this case, Identification Data SHOULD be omited from ID Payload” ([1]), and even if sent, it MUST be ignored by IKE. So it’s really not provided.

True.

> Clearly: the identity can't be trusted and can't be used in anyway.
> So, given that, how does one look up acceptable TSx in the PAD?

> That’s a good question. What prevents a random attacker from sending a TSr covering IP address 8.8.8.8 and getting a whole bunch of DNS queries? That’s easier than bugging the ISP or breaking the wifi password.

I think it depends on the use case. If an unauthenticated peer performs remote access to a RAS, then the server will most likely assign him/her an IP address from internal
space and the situation you have described won't happen. And if the peer
didn't request the address, the server should probably reject the connection.

> Yoav

> [1] sic - “omitted” should have two t's

Thanks, fixed.

Regards,
Valery.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec