Hi Reese,

I snipped most of the text for readability.

> Hi Valery,
>
> Thank you for the response and updates.
>
> Please see inline:

[...]

> >> Section 5:
> >>
> >> "Note, that this is not a real attack, since NULL authentication
> >> should be allowed by local security policy." Why is it not a real
> >> attack then? If NULL authentication is allowed among other methods,
> >> surely downgrading to NULL authentication is still a problem? Or
> >> should the second sentence instead say "NULL authentication should NOT be
> >> allowed by local security policy"?
> >
> > There is no negotiation of the authentication method to be used in
> > IKEv2, thus this is not a "downgrade". If your local policy allows
> > peers to not authenticate at their discretion, then it is your choice.
> > If they use NULL authentication in this case, they don't violate your policy, thus
> > this is not a real attack.
>
> Thanks, that's a great clarification, I initially missed the "there is no negotiation"
> part. Would you mind adding a sentence to the section, please?

I've rephrased the text as follows:

   Note that this is not a real "downgrade" attack, since authentication methods
   in IKEv2 are not negotiated and in this case NULL authentication should be
   allowed by local security policy.

Is this OK?

Regards,
Valery.

> Best,
> Reese

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
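To make the "no negotiation, only local policy" point concrete, here is a small model of the responder-side decision. This is an added example written for this page; it is not code from the draft, from the thread participants, or from any IKE implementation. It models only the two prf-based methods (Shared Key MIC from RFC 7296 Section 2.15, and NULL authentication keyed with SK_pi as I read RFC 7619 Section 2; treat that reading as an assumption), uses HMAC-SHA256 as the prf, and all keys, signed octets and policy sets are constructed values. Signature-based methods are deliberately not modelled.

```python
"""
Model of how an IKEv2 responder handles a peer's chosen authentication method.

Added example for the last-call thread above, not the draft's or any IKE
implementation's code.  Assumptions: prf = HMAC-SHA256; NULL AUTH data is
prf(SK_pi, InitiatorSignedOctets) (my reading of RFC 7619 Section 2); Shared
Key MIC follows RFC 7296 Section 2.15.  All key material and octets below are
constructed test values.

The point being modelled: IKEv2 has no exchange of "acceptable auth methods".
Each side announces the method it used in its own AUTH payload, and the receiver
applies (1) its local policy gate and (2) the verification procedure of the
claimed method.  Nothing is negotiated, so nothing can be "downgraded".
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# IKEv2 Auth Method registry values (RFC 7296, RFC 7427, RFC 7619).
RSA_SIG = 1
SHARED_KEY_MIC = 2
NULL_AUTH = 13
DIGITAL_SIG = 14

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string from RFC 7296 Section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """Assumed prf: HMAC-SHA256 (PRF_HMAC_SHA2_256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass(frozen=True)
class AuthPayload:
    """The two AUTH payload fields that matter here: Auth Method and Authentication Data."""
    method: int
    data: bytes


def initiator_auth(method: int, signed_octets: bytes, *, sk_pi: bytes = b"", psk: bytes = b"") -> AuthPayload:
    """Initiator builds its AUTH payload; it alone picks the method (no negotiation)."""
    if method == NULL_AUTH:
        return AuthPayload(NULL_AUTH, prf(sk_pi, signed_octets))
    if method == SHARED_KEY_MIC:
        return AuthPayload(SHARED_KEY_MIC, prf(prf(psk, KEY_PAD), signed_octets))
    raise ValueError("signature-based methods are not modelled in this example")


def verify_auth(auth: AuthPayload, signed_octets: bytes, *, sk_pi: bytes, psk: bytes | None = None) -> bool:
    """Responder verifies the data using the procedure of the method the peer *claimed*."""
    if auth.method == NULL_AUTH:
        expected = prf(sk_pi, signed_octets)
    elif auth.method == SHARED_KEY_MIC:
        if psk is None:  # no PSK configured for this peer -> cannot verify
            return False
        expected = prf(prf(psk, KEY_PAD), signed_octets)
    else:
        return False
    return hmac.compare_digest(expected, auth.data)


def responder_decision(policy: frozenset[int], auth: AuthPayload, signed_octets: bytes,
                       *, sk_pi: bytes, psk: bytes | None = None) -> str:
    """Local policy first, then verification.  Policy is purely the responder's own choice."""
    if auth.method not in policy:
        return "REJECT: method not allowed by local policy"
    if not verify_auth(auth, signed_octets, sk_pi=sk_pi, psk=psk):
        return "REJECT: AUTHENTICATION_FAILED"
    return "ACCEPT"


def run_scenarios() -> dict[str, str]:
    """Constructed scenarios showing that the outcome depends on local policy, not on negotiation."""
    signed = b"constructed InitiatorSignedOctets (RealMessage1 | NonceRData | MACedIDForI)"
    sk_pi = b"constructed SK_pi derived from the IKE SA"
    psk = b"constructed pre-shared key"

    peer_null = initiator_auth(NULL_AUTH, signed, sk_pi=sk_pi)
    peer_psk = initiator_auth(SHARED_KEY_MIC, signed, psk=psk)

    strict = frozenset({SHARED_KEY_MIC, DIGITAL_SIG})              # NULL not permitted
    permissive = frozenset({SHARED_KEY_MIC, DIGITAL_SIG, NULL_AUTH})  # operator opted in to NULL

    # Hypothetical "downgrade" attempt: relabel a PSK AUTH as NULL.  On the wire this cannot
    # happen, since AUTH travels inside the encrypted, integrity-protected SK payload; even
    # if it could, the data does not verify under the NULL procedure.
    relabelled = AuthPayload(NULL_AUTH, peer_psk.data)

    return {
        "null_under_strict": responder_decision(strict, peer_null, signed, sk_pi=sk_pi, psk=psk),
        "null_under_permissive": responder_decision(permissive, peer_null, signed, sk_pi=sk_pi, psk=psk),
        "psk_under_strict": responder_decision(strict, peer_psk, signed, sk_pi=sk_pi, psk=psk),
        "relabelled_under_permissive": responder_decision(permissive, relabelled, signed, sk_pi=sk_pi, psk=psk),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The first two scenarios are the thread's point in code: the same NULL AUTH payload is rejected by a responder whose policy excludes NULL and accepted by one whose operator opted in, and in neither case did the peer "negotiate" anything. The last scenario shows why relabelling is not a downgrade either: the receiver verifies under the claimed method, and data produced for one method does not verify under another.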