Thanks for the quick reply, Yaron,

So does it mean that if an EAP method provides mutual authentication (e.g.,
EAP-AKA), then this particular text from 5996 does not apply? Or are there
further conditions, not mentioned in 5998, where public-key-based
authentication is still required?

Regards,
Rahul

On Thu, Sep 11, 2014 at 11:05 AM, Yaron Sheffer <[email protected]>
wrote:

> Hi Rahul,
>
> This is why RFC 5998 is listed as "updates 5996". So RFC 5998 does apply
> here. Note that it only applies in specific cases, and for specific EAP
> methods.
>
> Yes, we should have updated the text in RFC 5996 to refer to 5998, but we
> forgot. Sigh.
>
> Thanks,
>         Yaron
>
>
> On 09/11/2014 06:56 AM, Rahul Vaidya wrote:
>
>> Dear IPsec Experts,
>>
>> In RFC 4306, 5996 as well as draft-kivinen-ipsecme-ikev2-rfc5996bis,
>> there is a statement:
>>
>> "An implementation using EAP MUST also use a public-key-based
>> authentication of the server to the client before the EAP exchange
>> begins, even if the EAP method offers mutual authentication."
>>
>> RFC 5998 which updates 5996 says:
>> "This document specifies how EAP methods that provide mutual
>> authentication and key agreement can be used to provide extensible
>> responder authentication for IKEv2 based on methods other than public
>> key signatures."
>>
>> The 2 statements are contradictory, given the 'MUST' requirement for
>> public-key-based authentication in RFC 5996.
>>
>> I request a view from the IPsec community on whether public key based
>> authentication can be avoided without impacting the security of the
>> connection/network.
>>
>> Regards,
>> Rahul Vaidya
>>
>>
>> _______________________________________________
>> IPsec mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/ipsec
>>
>>
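The following is an added illustration, not code from the thread, from any IKEv2 implementation or from the RFCs, of what the two documents actually require of the responder. It models the choice between the RFC 5996 rule (responder sends a signature-based AUTH in IKE_AUTH message 4 before EAP starts) and the RFC 5998 EAP-only mode (AUTH and CERT omitted from message 4, responder authenticated only by the MSK-based AUTH after the EAP method succeeds), and it computes the MSK-based AUTH payload with the RFC 5996 section 2.15 construction. Assumptions: PRF_HMAC_SHA2_256 as the negotiated PRF, the set of EAP methods taken from RFC 5998 section 4 as transcribed here (check the RFC text before relying on it), the EAP_ONLY_AUTHENTICATION notification reduced to a boolean, and all message bytes, nonces, keys and the MSK are constructed sample values.

```python
"""Toy model of IKEv2 IKE_AUTH with EAP: RFC 5996 section 2.16 (responder
MUST send a public-key AUTH in message 4 before EAP starts) versus the
RFC 5998 EAP-only mode (no AUTH/CERT in message 4; the responder is
authenticated only through the MSK-based AUTH after EAP succeeds)."""
import hashlib
import hmac
from dataclasses import dataclass

# Methods RFC 5998 section 4 accepts for EAP-only authentication.  Assumption:
# transcribed from memory of the RFC; check the RFC text before relying on it.
EAP_ONLY_METHODS = frozenset({"EAP-SIM", "EAP-AKA", "EAP-AKA'",
                              "EAP-GPSK", "EAP-pwd", "EAP-EKE"})
KEY_PAD = b"Key Pad for IKEv2"  # RFC 5996 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKEv2 PRF; PRF_HMAC_SHA2_256 in this model."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(real_message: bytes, peer_nonce: bytes,
                  sk_p: bytes, rest_of_id_payload: bytes) -> bytes:
    """RFC 5996 2.15: RealMessage | NonceData | prf(SK_p, RestOfIDPayload)."""
    return real_message + peer_nonce + prf(sk_p, rest_of_id_payload)


def shared_key_auth(shared_secret: bytes, octets: bytes) -> bytes:
    """RFC 5996 2.15 shared-key AUTH; with EAP the shared secret is the MSK."""
    return prf(prf(shared_secret, KEY_PAD), octets)


def choose_responder_auth(eap_method: str, initiator_sent_notify: bool,
                          responder_supports_eap_only: bool) -> str:
    """How the responder authenticates itself in IKE_AUTH message 4.

    "eap-only" only when the initiator sent N(EAP_ONLY_AUTHENTICATION), the
    responder supports RFC 5998 and the method is one RFC 5998 accepts;
    otherwise the RFC 5996 MUST stands and the responder signs.
    """
    if (initiator_sent_notify and responder_supports_eap_only
            and eap_method in EAP_ONLY_METHODS):
        return "eap-only"
    return "signature"


def message4_payloads(mode: str) -> list:
    """Payloads in IKE_AUTH message 4 (simplified to the ones that differ)."""
    if mode == "signature":
        return ["IDr", "CERT", "AUTH", "EAP"]  # AUTH = signature (RFC 5996)
    return ["IDr", "EAP"]                       # RFC 5998: AUTH/CERT omitted


@dataclass
class IkeSa:
    """Constructed IKE_SA state both peers hold after IKE_SA_INIT."""
    real_message2: bytes   # responder's IKE_SA_INIT message
    nonce_i: bytes
    sk_pr: bytes           # responder's prf key derived from SKEYSEED
    id_r_rest: bytes       # IDr payload minus its generic payload header


def responder_final_auth(sa: IkeSa, msk: bytes) -> bytes:
    """Responder's AUTH after EAP success (RFC 5996 2.16: shared secret = MSK)."""
    return shared_key_auth(
        msk, signed_octets(sa.real_message2, sa.nonce_i, sa.sk_pr, sa.id_r_rest))


def initiator_accepts_responder(sa: IkeSa, msk_from_eap: bytes,
                                auth_received: bytes) -> bool:
    """Initiator's check: only a party holding the EAP MSK can pass it."""
    return hmac.compare_digest(responder_final_auth(sa, msk_from_eap),
                               auth_received)


def demo() -> dict:
    """EAP-AKA in EAP-only mode: an honest responder with the real MSK passes;
    a responder that never completed the EAP method (wrong MSK) fails."""
    sa = IkeSa(real_message2=b"constructed IKE_SA_INIT response",
               nonce_i=b"N" * 16, sk_pr=b"K" * 32, id_r_rest=b"\x02vpn.example")
    mode = choose_responder_auth("EAP-AKA", True, True)
    msk = hashlib.sha256(b"constructed EAP-AKA MSK").digest() * 2  # 64-byte MSK
    honest = responder_final_auth(sa, msk)
    rogue = responder_final_auth(sa, b"\x00" * 64)
    return {"mode": mode, "msg4": message4_payloads(mode),
            "honest_ok": initiator_accepts_responder(sa, msk, honest),
            "rogue_ok": initiator_accepts_responder(sa, msk, rogue)}


if __name__ == "__main__":
    print(demo())
```

The MSK-based AUTH at the end of the exchange exists in both modes; what RFC 5998 removes is the signature in message 4, so in EAP-only mode everything the initiator knows about the responder's identity rests on the EAP method having authenticated the server and bound the MSK to it, which is why RFC 5998 restricts the mode to methods that provide mutual authentication and key agreement.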
