[IPsec] FW: New Version Notification for draft-amjads-ipsecme-ikev2-data-channel-00.txt

2013-09-16 Thread Rajeshwar Singh Jenwar (rsj)
Hi All, We have submitted a new draft in IPsecME WG on IKEv2 based lightweight secure data communication. Please review. Kind Regards, Raj -Original Message- From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org] Sent: Sunday, September 15, 2013 5:18 PM To: Amjad Inamdar (am

Re: [IPsec] Matching certificates in IKEv2

2013-09-16 Thread Valery Smyslov
Hi Yoav, What I could not find anywhere in the RFC is how to match name in the ID payload to the certificate. In HTTPS we have a requirement that either the CN or the dNSName alternate name match the domain name in the URL. We don't have similar rules for IKE, do we? Yes, we do: RFC4945. S

[IPsec] Matching certificates in IKEv2

2013-09-16 Thread Tero Kivinen
Yoav Nir writes: > What I could not find anywhere in the RFC is how to match name in > the ID payload to the certificate. In HTTPS we have a requirement > that either the CN or the dNSName alternate name match the domain > name in the URL. We don't have similar rules for IKE, do we? That is mostly

[IPsec] Internal Address Expiry in IKEv2

2013-09-16 Thread Tero Kivinen
Srivatsan Raghavan writes: > How does a Security Gateway specify the validity or duration of an > IP Address via CP ? The INTERNAL_ADDRESS_EXPIRY seems deprecated ? It does not. The IP address is valid as long as the IKEv2 SA is valid: RFC5996 section 3.15.1:

Re: [IPsec] Matching certificates in IKEv2

2013-09-16 Thread Tero Kivinen
Valery Smyslov writes: > > So do you think it would be appropriate to mandate these matching rules in > > rfc5996bis, or should this be left to AD-VPN solutions. IOW, is such a > > standard rule needed for generic IKE/IPsec? > > It's definitely worth mentioning these rules in RFC5996bis, or at l

Re: [IPsec] Matching certificates in IKEv2

2013-09-16 Thread Yoav Nir
On Sep 16, 2013, at 2:02 PM, Valery Smyslov wrote: > Hi Yoav, > > >> What I could not find anywhere in the RFC is how to match name in the ID >> payload to the certificate. In HTTPS we have a requirement that either the >> CN or the dNSName alternate name match the domain name in the URL. We

Re: [IPsec] Matching certificates in IKEv2

2013-09-16 Thread Valery Smyslov
> > So do you think it would be appropriate to mandate these matching > > rules in rfc5996bis, > > or should this be left to AD-VPN solutions. IOW, is such a standard > > rule needed for generic IKE/IPsec? > It's definitely worth mentioning these rules in RFC5996bis, or at least > point to the