Hi Miika,

Thanks for your comments! I still have some comments about the client authentication to the server. I have inlined them below.

> > (ii). The server cannot authenticate the client, because it does not check
> > the HI from the DNS or from a secure method. An intruder can legitimately
> > establish a connection.
>
> Good question, but what does the check against the DNS really tell the
> server? I guess the server can have some kind of access control list
> based on host identities that can be used for accepting only certain
> hosts.
>
> In the I1, the responder gets the initiator's HIT and IP address only. The
> responder can try to resolve the IP address of the initiator and see
> whether it finds a matching HIT. The HIT could also be a type 2 (HAA)
> HIT, which includes some information about the domain of the initiator's
> HIT. In the I2, the responder gets the initiator's HI, HIT, IP address and
> possibly FQDN. The FQDN can be used for resolving the initiator's HIT, although
> I doubt the usefulness of this (and it's bad for performance: more
> round-trips).

Yes, you are certainly right here. If you go for a DNS lookup, that will expose you to some other threats (possibly DoS). But my problem is: should I consider this property as a security weakness? If the intruder legitimately establishes a connection, is it a violation of a security property?

Comments are welcome!

Ciao,
Raj.

S. Murugaraj
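As an added example (not part of Raj's or Miika's messages, and not code from any HIP implementation), the following Python sketch separates the two things the exchange above runs together: the responder checking that the HI presented in I2 really hashes to the HIT announced in I1, and the responder consulting a local access control list of HITs, which is the only step that turns "this host owns some HI" into "this is a host we agreed to talk to". The HIT construction is assumed to be the ORCHID one of RFC 4843 with the HIP context ID of RFC 5201; the draft under discussion used different HIT types (type 1 and the type 2 HAA HIT), so treat the hash details as an assumption. The HI values are constructed byte strings standing in for the initiator's public key, and the signature check over I2 that real HIP performs is left out.

```python
"""Responder-side HIT check plus HIT-based access control (added example)."""
import hashlib
import ipaddress

# ORCHID prefix 2001:10::/28 (28 bits) and the HIP context ID, as in
# RFC 4843 / RFC 5201. Assumption: the thread's draft used other HIT types.
ORCHID_PREFIX = 0x2001001
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")

# Constructed stand-ins for Host Identities (real HIs are public keys).
ALICE_HI = b"constructed-HI:alice-rsa-public-key"
INTRUDER_HI = b"constructed-HI:mallory-freshly-generated-key"


def hit_from_hi(hi: bytes) -> str:
    """Derive a HIT from HI bytes: prefix || middle 100 bits of SHA-1(ctx||HI)."""
    digest = hashlib.sha1(HIP_CONTEXT_ID + hi).digest()
    h = int.from_bytes(digest, "big")            # 160 bits
    middle100 = (h >> 30) & ((1 << 100) - 1)     # Encode_100: bits 129..30
    return str(ipaddress.IPv6Address((ORCHID_PREFIX << 100) | middle100))


def in_orchid_prefix(hit: str) -> bool:
    """True if the HIT lies in the ORCHID range 2001:10::/28."""
    return ipaddress.IPv6Address(hit) in ipaddress.IPv6Network("2001:10::/28")


def responder_decision(i1_hit: str, i2_hit: str, i2_hi: bytes,
                       acl: set[str]) -> str:
    """What the responder can conclude from I1 and I2 plus a local ACL.

    Returns 'accept' or a string starting with 'reject:' giving the reason.
    """
    # 1. The HIT must not change between I1 and I2.
    if i2_hit != i1_hit:
        return "reject: HIT in I2 differs from HIT in I1"
    # 2. The HI must be the one the HIT was derived from. In real HIP the
    #    signature over I2 (made with the HI) would be verified here too.
    if hit_from_hi(i2_hi) != i2_hit:
        return "reject: HI does not hash to the claimed HIT"
    # 3. Self-consistency alone says nothing about *who* this is: anyone can
    #    generate a key pair and a matching HIT. Authorisation needs a list
    #    of identities the responder has decided to trust.
    if i2_hit not in acl:
        return "reject: HIT not in access control list"
    return "accept"


def demo() -> dict:
    """Run the honest initiator and the intruder against the same ACL."""
    alice_hit = hit_from_hi(ALICE_HI)
    intruder_hit = hit_from_hi(INTRUDER_HI)
    acl = {alice_hit}   # responder trusts Alice only
    return {
        "alice": responder_decision(alice_hit, alice_hit, ALICE_HI, acl),
        "intruder_self_consistent": responder_decision(
            intruder_hit, intruder_hit, INTRUDER_HI, acl),
        "intruder_claims_alice": responder_decision(
            alice_hit, alice_hit, INTRUDER_HI, acl),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

The intruder case is exactly the one Raj raises: a host with a freshly generated key presents a HIT and HI that are perfectly consistent with each other, and the base exchange itself gives the responder no reason to refuse it. Whether that is a weakness depends on what the responder wanted; with no ACL (or with DNS used only to map HIT to address), the exchange establishes that the peer owns the key behind the HIT, nothing more.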