Dear IPsec Experts,

In RFC 4306, 5996 as well as draft-kivinen-ipsecme-ikev2-rfc5996bis, there is a statement:

"An implementation using EAP MUST also use a public-key-based authentication of the server to the client before the EAP exchange begins, even if the EAP method offers mutual authentication."

RFC 5998 which updates 5996 says:

"This document specifies how EAP methods that provide mutual authentication and key agreement can be used to provide extensible responder authentication for IKEv2 based on methods other than public key signatures."

The 2 statements are contradictory, given the 'MUST' requirement for public-key based authentication in RFC 5996. I request a view from the IPsec community on whether public key based authentication can be avoided without impacting the security of the connection/network.

Regards,
Rahul Vaidya
