Hi Rahul,
This is why RFC 5998 is listed as "updates 5996". So RFC 5998 does apply
here. Note that it only applies in specific cases, and for specific EAP
methods.
Yes, we should have updated the text in RFC 5996 to refer to 5998, but
we forgot. Sigh.
Thanks,
Yaron
On 09/11/2014 06:56 AM, Rahul Vaidya wrote:
Dear IPsec Experts,
In RFC 4306, 5996 as well as draft-kivinen-ipsecme-ikev2-rfc5996bis,
there is a statement:
"An implementation using EAP MUST also use a public-key-based
authentication of the server to the client before the EAP exchange
begins, even if the EAP method offers mutual authentication."
RFC 5998 which updates 5996 says:
"This document specifies how EAP methods that provide mutual
authentication and key agreement can be used to provide extensible
responder authentication for IKEv2 based on methods other than public
key signatures."
The two statements are contradictory, given the 'MUST' requirement for
public-key-based authentication in RFC 5996.
I request a view from the IPsec community on whether public key based
authentication can be avoided without impacting the security of the
connection/network.
Regards,
Rahul Vaidya
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec