Hi Rahul,

I am not aware of any additional conditions.

EAP-AKA is actually listed in the table in RFC 5998, Sec. 4.

Thanks,
        Yaron

On 09/11/2014 08:44 AM, Rahul Vaidya wrote:
Thanks for the quick reply, Yaron,

So does it mean that if an EAP method provides mutual authentication
(e.g., EAP-AKA), then this particular text from 5996 does not apply? Or
are there further conditions which are not mentioned in 5998 where still
the public key based authentication is required?

Regards,
Rahul

On Thu, Sep 11, 2014 at 11:05 AM, Yaron Sheffer <[email protected]> wrote:

    Hi Rahul,

    This is why RFC 5998 is listed as "updates 5996". So RFC 5998 does
    apply here. Note that it only applies in specific cases, and for
    specific EAP methods.

    Yes, we should have updated the text in RFC 5996 to refer to 5998,
    but we forgot. Sigh.

    Thanks,
             Yaron


    On 09/11/2014 06:56 AM, Rahul Vaidya wrote:

        Dear IPsec Experts,

        In RFC 4306, 5996 as well as
        draft-kivinen-ipsecme-ikev2-rfc5996bis,
        there is a statement:

        "An implementation using EAP MUST also use a public-key-based
        authentication of the server to the client before the EAP exchange
        begins, even if the EAP method offers mutual authentication."

        RFC 5998 which updates 5996 says:
        "This document specifies how EAP methods that provide mutual
        authentication and key agreement can be used to provide extensible
        responder authentication for IKEv2 based on methods other than
        public
        key signatures."

        The 2 statements are contradictory, given the 'MUST' requirement for
        public-key-based authentication in RFC 5996.

        I request a view from the IPsec community on whether public key
        based
        authentication can be avoided without impacting the security of the
        connection/network.

        Regards,
        Rahul Vaidya


        _______________________________________________
        IPsec mailing list
        [email protected]
        https://www.ietf.org/mailman/listinfo/ipsec


