So do you think it would be appropriate to mandate these matching
rules in rfc5996bis,
or should this be left to AD-VPN solutions. IOW, is such a standard
rule needed for generic IKE/IPsec?
It's definitely worth to mention these rules in RFC5996bis, or at least
point to the RFC4945.
Valery Smyslov writes:
Yes, there is no obvious mapping between ID_KEY_ID and certificates and
thus ID_KEY_ID is out of scope for RFC4945.
As rfc5996 describes ID_KEY_ID as
An opaque octet stream that may be used to pass vendor-specific
information necessary to do certain proprietary types of
And this not the only contradiction between RFC5996 and RFC4945 -
the latter requires ID_IPV*_ADDR to match source IP address of IKE
packet by default, while the former explicitely allows not to do it
in any case.
RFC4945 requires that implementations MUST be capable of verifying
the