On Mar 6, 2011, at 11:25 AM, Yoav Nir wrote:
>
> There's peer-initiated ERP (which would require peer-initiated IKE?) and
> multiple simultaneous operations. I think it may come to a somewhat larger
> draft.
Sorry. Peer = remote access client, so peer-initiated IKE is the norm. The real
changes would be either allowing two EAP messages in a single IKE_AUTH
response, or something that's more lock-step than this:
    The authenticator MAY initiate the ERP exchange by sending the
    EAP-Initiate/Re-auth-Start message, and if there is no response, it
    will send the EAP-Request/Identity message.
IKEv2 doesn't do "no response", so we'd have to respond either within EAP or in
an IKE notification. Then we have a problem with how to communicate this to the
back-end authentication server.
Definitely looking like a big draft.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
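The following is an added example, not code from the mail above or from any IETF draft. It models the mismatch the message points at: RFC 5296 lets the authenticator send EAP-Initiate/Re-auth-Start and fall back to EAP-Request/Identity "if there is no response", while a peer without ERP support silently discards the unknown EAP code (RFC 3748 says codes other than 1-4 MUST be discarded). Over IKEv2, the gateway's EAP message rides in an IKE_AUTH response and the client's reply must ride in the next IKE_AUTH request, so "no response" has no encoding. The packet builders use the EAP header from RFC 3748 and the Code 5 / Type 1 / domain-name TLV layout from RFC 5296; the gateway and client functions, the one-EAP-payload-per-IKE_AUTH-message rule in the model, and the identity string are assumptions made for illustration. The second scenario is the mail's first option (two EAP messages in one IKE_AUTH response).

```python
import struct

# EAP codes (RFC 3748) plus the Initiate code added by RFC 5296
EAP_REQUEST, EAP_RESPONSE, EAP_INITIATE = 1, 2, 5
TYPE_IDENTITY = 1      # RFC 3748 Type 1 under Request/Response
REAUTH_START = 1       # RFC 5296 Type 1 under Code 5 (Initiate)
TLV_DOMAIN_NAME = 4    # RFC 5296 TLV carrying the ER server's domain


def _eap(code, ident, body):
    # Common header: Code(1) Identifier(1) Length(2); Length covers the whole packet
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_request_identity(ident):
    return _eap(EAP_REQUEST, ident, bytes([TYPE_IDENTITY]))


def eap_initiate_reauth_start(ident, domain):
    # Type, Reserved (MUST be 0), then one or more TLVs; only domain-name is carried here
    tlv = bytes([TLV_DOMAIN_NAME, len(domain)]) + domain.encode()
    return _eap(EAP_INITIATE, ident, bytes([REAUTH_START, 0]) + tlv)


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, pkt[4:]


def legacy_client(pkt):
    """Remote-access client without ERP (hypothetical). Answers Request/Identity;
    per RFC 3748 it silently discards packets with any code other than 1-4,
    so Re-auth-Start yields no EAP message at all."""
    code, ident, body = parse_eap(pkt)
    if code == EAP_REQUEST and body[:1] == bytes([TYPE_IDENTITY]):
        # constructed identity for the example
        return _eap(EAP_RESPONSE, ident, bytes([TYPE_IDENTITY]) + b"alice@example.com")
    return None  # silent discard: legal in plain EAP, unrepresentable in IKEv2


def ikev2_eap_round(gateway_payloads, client):
    """One IKE_AUTH round (model). The gateway's IKE_AUTH response carries the
    EAP payload(s); IKEv2 then requires an IKE_AUTH request from the client.
    Returns the client's EAP message, or raises if the client has nothing to
    put in that request, which is exactly RFC 5296's 'no response' branch."""
    replies = [r for r in (client(p) for p in gateway_payloads) if r is not None]
    if not replies:
        raise RuntimeError("client has no EAP message for its IKE_AUTH request")
    if len(replies) > 1:
        # assumption in this model: one EAP payload per IKE_AUTH request
        raise RuntimeError("IKE_AUTH request would need more than one EAP payload")
    return replies[0]


def rfc5296_style_start(client):
    """Gateway sends only EAP-Initiate/Re-auth-Start, as RFC 5296 allows."""
    try:
        ikev2_eap_round([eap_initiate_reauth_start(1, "example.com")], client)
        return "continued"
    except RuntimeError:
        return "stalled"


def two_payload_start(client):
    """The mail's first option: Re-auth-Start and Request/Identity in one
    IKE_AUTH response. A legacy client discards the first and answers the
    second, so the exchange stays lock-step without a 'no response' state."""
    reply = ikev2_eap_round([eap_initiate_reauth_start(1, "example.com"),
                             eap_request_identity(2)], client)
    code, _, body = parse_eap(reply)
    return code == EAP_RESPONSE and body[:1] == bytes([TYPE_IDENTITY])


if __name__ == "__main__":
    print("RFC 5296 start over IKEv2:", rfc5296_style_start(legacy_client))
    print("two EAP payloads in one IKE_AUTH response:", two_payload_start(legacy_client))
```

Running it shows the single-payload start stalling with a legacy client and the two-payload variant completing; the model says nothing about how the gateway would relay the client's choice to a back-end AAA server, which the mail flags as the remaining problem.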