[anonsec] review comments on draft-ietf-btns-prob-and-applic-06.txt
Stephen Kent
kent at bbn.com
Mon Jan 14 11:25:53 PST 2008
At 6:00 PM -0600 1/11/08, Nicolas Williams wrote:
>...
>
>Finally, multi-user systems may need to authenticate individual users to
>other entities, in which case IPsec is inapplicable[*]. (I cannot find
>a mention of this in the I-D, not after a quick skim.)
>
>[*] At least to my reading of RFC4301, though I see no reason why a
> system couldn't negotiate narrow SAs, each with different local IDs
> and credentials, with other peers. But that wouldn't help
> applications that multiplex messages for many users' onto one TCP
> connection (e.g., NFS), in which case even if my readinf of RFC4301
> is wrong IPsec is still not applicable for authentication.
IPsec has always allowed two peers to negotiate multiple SAs between
them, e.g., on a per-TCP connection basis. Ipsec does support
per-user authentication if protocol ID and port pairs can be used to
distinguish the sessions for different users. So, if you want to
restrict the cited motivation to applications that multiplex
different users onto a single TCP/UDP session, that would be accurate.
Steve
More information about the ANONSEC
mailing list