On Mon, 19 Jan 2015, Stephen Kent wrote:
> because NULL auth alters a fundamental security aspect of IPsec, I think we need to describe in this document how this new capability interacts with the SPD and the PAD. The doc should reference 4301 and describe any changes to that RFC that are needed to securely accommodate Null auth.
There are no changes to the SPD or the PAD. This document merely defines a new way of authentication at the IKE level. It is not different from other documents that added an authentication method, such as RFC-7427, which also does not mention the SPD or the PAD. 7427 does have the following text:

    IKEv2 peers have a series of policy databases (see Section 4.4 of [RFC4301]) that define which security algorithms and methods should be used during establishment of security associations. To help end users select the desired security levels for communications protected by IPsec, implementers may wish to provide a mechanism in the IKE policy databases to limit the mixing of security levels or to restrict combinations of protocols.

Would using this text in the security considerations resolve your issue? We could change "mixing of security levels" to "mixing authenticated and un-authenticated security levels".

Paul
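The policy-database mechanism Paul refers to, modelled as an added example that is not part of the thread or of any IKE implementation: a responder consults a hypothetical PAD to decide whether a peer may use NULL authentication at all, and a hypothetical SPD flag keeps traffic that requires an authenticated peer from being carried over a NULL-authenticated IKE SA. The entry shapes, field names and sample identities are assumptions constructed for illustration.

```python
"""Toy model of PAD/SPD checks around IKEv2 NULL authentication.
Constructed example: the data structures are hypothetical, not RFC 4301's exact layout."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

AUTH_NULL = "NULL"   # the unauthenticated IKE_AUTH method discussed in the thread
AUTH_RSA = "RSA"     # a conventional authenticated method, for contrast
AUTH_PSK = "PSK"


@dataclass
class PADEntry:
    peer_id: str            # identity this entry applies to
    allowed_auth: Set[str]  # hypothetical field: IKE auth methods this peer may use


@dataclass
class SPDEntry:
    selector: str               # traffic selector (simplified to a label)
    require_authenticated: bool  # hypothetical flag: refuse unauthenticated peers


# Constructed sample policy: only the catch-all "anonymous" identity may use NULL auth.
SAMPLE_PAD: Dict[str, PADEntry] = {
    "gw.example.net": PADEntry("gw.example.net", {AUTH_RSA, AUTH_PSK}),
    "anonymous":      PADEntry("anonymous", {AUTH_NULL}),
}
SAMPLE_SPD: Dict[str, SPDEntry] = {
    "corp-vpn":        SPDEntry("corp-vpn", require_authenticated=True),
    "opportunistic":   SPDEntry("opportunistic", require_authenticated=False),
}


def ike_auth_decision(pad: Dict[str, PADEntry], peer_id: str, auth_method: str) -> Tuple[bool, str]:
    """PAD check at IKE_AUTH time: may this identity authenticate with this method?"""
    entry = pad.get(peer_id)
    if entry is None:
        return False, "no PAD entry for peer"
    if auth_method not in entry.allowed_auth:
        return False, f"auth method {auth_method} not permitted for {peer_id}"
    return True, "ok"


def child_sa_decision(spd: Dict[str, SPDEntry], selector: str, ike_auth_method: str) -> Tuple[bool, str]:
    """SPD check for a CHILD_SA: do not mix an unauthenticated IKE SA with policy
    that demands an authenticated peer (the 'mixing of security levels' concern)."""
    entry = spd.get(selector)
    if entry is None:
        return False, "no SPD entry for selector"
    if entry.require_authenticated and ike_auth_method == AUTH_NULL:
        return False, "SPD requires authenticated peer; IKE SA is NULL-authenticated"
    return True, "ok"
```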