Hi Yaron,
I actually see a need for TLS-type IKEv2 EAP protocols in the context
of IPsec-based Network Endpoint Assessment (NEA, RFC 5209). The recent
proposal for an EAP-PT transport protocol
http://tools.ietf.org/html/draft-hanna-nea-pt-eap-00
says in section 1. Introduction:
    ...
    EAP-TNC is designed to operate as an inner EAP [10] method over an
    EAP tunnel method that meets the Requirements for a Tunnel Based EAP
    Method [17]. PT-EAP therefore can operate over a number of existing
    access protocols that support EAP for authentication. Some examples
    of such access protocols include 802.1X [7] for wired and wireless
    networks and IKEv2 [15] for establishing VPNs over IP networks.
    This document defines a standard EAP inner method called EAP-TNC. It
    also shows how EAP-TNC may be carried over two existing EAP tunnel
    EAP methods: EAP-FAST [14] and EAP-TTLS [16].
Thus we have a requirement to use e.g. EAP-FAST or EAP-TTLS via IKEv2.
Best regards
Andreas
On 03.05.2010 21:36, Yaron Sheffer wrote:
> > - What's the reason for not adding EAP-TLS to the list of safe methods?
> > I think EAP-TLS is a perfect candidate. It might be questionable to use
> > TLS within IKEv2 at all, but there actually are higher level protocols
> > that exactly use this combination. EAP-SIM is another candidate probably
> > worth mentioning, having very similar properties as EAP-AKA.
>
> EAP-TLS is mentioned right before the table - and could be added. The
> table is not meant to be all-inclusive. I think using EAP-TLS here is
> crazy in practice, and I'd love to hear more about the protocols that
> use this combination - and why.
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec