The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)
draft-ietf-ipsecme-ikev2-null-auth-07
Yes
(Ben Campbell)
(Jari Arkko)
(Kathleen Moriarty)
(Spencer Dawkins)
No Objection
(Alia Atlas)
(Alvaro Retana)
(Benoît Claise)
(Brian Haberman)
(Deborah Brungard)
(Martin Stiemerling)
Note: This ballot was opened for revision 06 and is now closed.
Ben Campbell Former IESG member
Yes
(for -06)
Jari Arkko Former IESG member
Yes
(for -06)
Kathleen Moriarty Former IESG member
Yes
(for -06)
Spencer Dawkins Former IESG member
(was No Objection)
Yes
(for -06)
Stephen Farrell Former IESG member
Yes
(2015-05-27 for -06)
- 2.1: just wanted to check as I didn't have time to go through it all myself - are we confident that using SK_pi/SK_pr in this way has no cryptographic downsides? The reference to the EAP methods convinces me this is no worse than an existing thing, but not (by itself) that it is cryptographically sound, so I just wanted to check as I think prf(SK_pr,IDr') has until now been calculated but not transmitted, so there's a tiny change here maybe, but as I said I didn't have time to fully check. If someone just tells me that yes, the authors/wg did consider this, that'll be fine, no need to fully explain to me why using SK_pr like this is safe (though if you want to, that'd be fine too).
- 2.5: "hand out" is an odd phrase here - would be better to expand on that I think and say more precisely what should never be done.
Alia Atlas Former IESG member
No Objection
(for -06)
Alvaro Retana Former IESG member
No Objection
(for -06)
Barry Leiba Former IESG member
(was Discuss)
No Objection
(2015-05-28 for -06)
First: Thanks, Paul, for a very informative and useful shepherd writeup.
Editorial comment in Section 2:
    If a peer that requires authentication receives an AUTH payload containing the NULL Authentication method type, it MUST return an AUTHENTICATION_FAILED notification.
We're referring to NULL authentication as "authentication", so maybe this should say something like "If a peer that requires positive identification receives [...]", or "If a peer that requires authenticated identity receives [...]"?
Benoît Claise Former IESG member
No Objection
(for -06)
Brian Haberman Former IESG member
No Objection
(for -06)
Deborah Brungard Former IESG member
No Objection
(for -06)
Martin Stiemerling Former IESG member
No Objection
(for -06)