Yoav Nir writes:
> This is about my presentation from the IPsecME meeting today (which
> for some reason is not on the website) 
> 
> Anyways, RFC 5266 mentions that "RFC 4306 must be updated to carry
> ERP messages". This caused some controversy a year ago, but
> regardless, I did think of a use case, so I partnered with Qin Wu
> and wrote the draft. 

RFC5996 says:

   While this document references [EAP] with the intent that new methods
   can be added in the future without updating this specification, some
   simpler variations are documented here.  [EAP] defines an
   authentication protocol requiring a variable number of messages.

and

         A short summary of the EAP format is included here
   for clarity.

So my take is that the EAP description in RFC5996 is just for
clarity and is not meant to be exhaustive, meaning it does not limit
the codes we can use in the EAP messages.

On the other hand RFC5996 also says that:

   Following such an extended exchange, the EAP AUTH payloads MUST be
   included in the two messages following the one containing the EAP
   Success message.

which means that, as ERX uses a different message to finish the
authentication, an update to RFC5996 is needed (i.e. not to allow
codes 5 and 6, but to say we can have EAP payloads in exchanges where
they normally are not, and to say that the EAP exchange can finish
with these other codes too).

> My first priority is for this to become a WG item. It probably needs
> some work, and there is an open question about whether there is any
> use case for multiple AAA domains. 

I agree it could be a WG item. On the other hand, I also think it
might be a quite fast document, so getting it out as an individual
RFC might be faster.
-- 
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
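The EAP-code question discussed in the mail above, as an added Python example that is not part of the original thread, of RFC5996 or of the ERX draft: a small parser for the EAP message header that RFC5996 summarises (Code, Identifier, Length, then Type for Request/Response), with a flag that also accepts the ERP codes 5 and 6 (EAP-Initiate and EAP-Finish from RFC 5296; that these are the "codes 5 and 6" the mail means is an assumption). The second function shows the termination point the mail is really about: an implementation that only treats Success/Failure as terminal never sees an ERP exchange finish, so it never knows when the AUTH payloads are due. All sample messages are constructed, and the ERP ones are cut down to header plus Type and a Reserved octet, omitting the TLVs a real ERP message carries.

```python
"""EAP-in-IKEv2 message inspector: which codes are accepted and which end the exchange."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

# EAP codes from RFC 3748, the subset that the RFC 5996 EAP summary covers.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# ERP re-authentication codes (RFC 5296); assumed to be the "codes 5 and 6" in the mail.
EAP_INITIATE, EAP_FINISH = 5, 6

CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure",
              5: "Initiate", 6: "Finish"}


@dataclass
class EapMessage:
    code: int
    identifier: int
    length: int
    type: Optional[int]   # None for Success/Failure, which carry no Type octet
    data: bytes


def parse_eap(payload: bytes, allow_erp: bool = False) -> EapMessage:
    """Parse one EAP message as carried in an IKEv2 EAP payload.

    allow_erp=False accepts only the four RFC 3748 codes, i.e. an
    implementation that reads the RFC 5996 summary as a whitelist.
    allow_erp=True additionally accepts the ERP codes 5 and 6.
    """
    if len(payload) < 4:
        raise ValueError("EAP header is 4 octets: Code, Identifier, Length")
    code, identifier, length = struct.unpack("!BBH", payload[:4])
    if length < 4 or length > len(payload):
        raise ValueError(f"bad EAP Length {length} for {len(payload)} octets")
    allowed = {1, 2, 3, 4} | ({5, 6} if allow_erp else set())
    if code not in allowed:
        raise ValueError(f"EAP code {code} not accepted")
    body = payload[4:length]  # octets beyond Length are padding and are ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("EAP Success/Failure must have Length 4")
        return EapMessage(code, identifier, length, None, b"")
    if not body:
        raise ValueError(f"EAP {CODE_NAMES[code]} needs a Type octet")
    return EapMessage(code, identifier, length, body[0], body[1:])


def accepted(payload: bytes, allow_erp: bool) -> bool:
    """True if parse_eap() would accept this message under the given policy."""
    try:
        parse_eap(payload, allow_erp)
        return True
    except ValueError:
        return False


def terminal_codes(allow_erp: bool) -> frozenset:
    """Codes that end the EAP exchange. RFC 5996 knows only Success/Failure;
    ERP ends with Finish, so an IKEv2 update has to count that one too."""
    base = {EAP_SUCCESS, EAP_FAILURE}
    return frozenset(base | ({EAP_FINISH} if allow_erp else set()))


def exchange_end(payloads: Iterable[bytes], allow_erp: bool = False) -> Optional[int]:
    """Return the 0-based index of the message that ended the exchange, or
    None if no terminal code was seen. Per RFC 5996 the AUTH payloads then
    belong in the two messages following that index."""
    terminals = terminal_codes(allow_erp)
    for i, raw in enumerate(payloads):
        if parse_eap(raw, allow_erp).code in terminals:
            return i
    return None


# Constructed sample exchanges (not captured traffic).
CLASSIC_EXCHANGE = [
    bytes.fromhex("012a000501"),          # Request/Identity
    bytes.fromhex("022a000801626f62"),    # Response/Identity, "bob"
    bytes.fromhex("032b0004"),            # Success
]
ERP_EXCHANGE = [  # header + Type + Reserved only; real ERP messages carry TLVs
    bytes.fromhex("051000060100"),        # Initiate/Re-auth-Start
    bytes.fromhex("051100060200"),        # Initiate/Re-auth
    bytes.fromhex("061100060200"),        # Finish/Re-auth
]

if __name__ == "__main__":
    print("classic ends at", exchange_end(CLASSIC_EXCHANGE))
    print("ERP accepted under RFC 5996-only policy:", accepted(ERP_EXCHANGE[0], False))
    print("ERP ends at", exchange_end(ERP_EXCHANGE, allow_erp=True))
```

The two policies differ only in the code sets, which is the point of the mail: letting codes 5 and 6 through is the easy part, while deciding when the exchange is over (and therefore where AUTH must follow) is what actually needs a normative update.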