At 7:22 PM +0200 3/2/10, Hannes Tschofenig wrote:
>The challenge I have in understanding the motivation for this work is impacted
>by ...
>
>1) EAP is not only meant to be used with backend infrastructure.
>2) EAP is an authentication framework and EAP methods exist that support
>strong-password based authentication.
>3) EAP is implemented by folks in IKEv2 already.
>
>To me it seems that there is the chance to re-use existing mechanisms and to
>even re-use existing code.

Hannes, it is not really appropriate to re-open closed charter issues. As you know, this was already discussed, at length, in the WG. That's why another part of the new charter has:

- A standards-track IKEv2 extension to allow mutual EAP-based
  authentication in IKEv2, eliminating the need for the responder to
  present a certificate. The document will define the conditions that
  EAP methods need to fulfill in order to use this extension. The
  document will recommend, but will not require, the use of EAP methods
  that provide EAP channel binding. The proposed starting point for this
  work is draft-eronen-ipsec-ikev2-eap-auth-07.txt.

For this thread, please focus on the issues at hand for a secure password-only authentication mode for IKEv2. Thanks!

--Paul Hoffman, Director
--VPN Consortium
