Yaron Sheffer writes:
> This is why RFC 5998 is listed as "updates 5996". So RFC 5998 does apply
> here. Note that it only applies in specific cases, and for specific EAP
> methods.
>
> Yes, we should have updated the text in RFC 5996 to refer to 5998, but
> we forgot. Sigh.
Hmm.. I hope this does not mean we should update draft-kivinen-ikev2-rfc5996bis (now in AUTH48) to say something about this?

RFC 5998 is a standards-track protocol that extends IKEv2 by including new notifications to negotiate mutual EAP authentication, and also changes the payloads sent in the exchanges. The current text in the draft is not incorrect, as if you follow the protocol described in this draft, then the text in the draft is correct:

    An implementation using EAP MUST also use a public-key-based
    authentication of the server to the client before the EAP
    authentication begins, even if the EAP method offers mutual
    authentication. This avoids having additional IKEv2 protocol
    variations and protects the EAP data from active attackers.

What we could do is add a reference to RFC 5998 there, but I think it might not be needed, as RFC 5998 is clearly an extension to IKEv2, and we do not need to list all extensions to IKEv2 in the specification.

What do others think? If we were earlier in the publication process, I would say go for it, but adding this kind of text in AUTH48 is not something I would like to be doing...

--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
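The thread above turns on one decision a responder has to make: under the base IKEv2 rule quoted from the draft, the server always authenticates itself with a public key before EAP starts, and only the RFC 5998 extension (negotiated with an explicit notification, and only for EAP methods that themselves provide mutual authentication and key derivation) lets it skip that step. The following is an added example written for this page, not code from the draft, from RFC 5998 or from any IKEv2 implementation; it models that responder-side policy check. The notify type value and the set of "safe" EAP methods are assumptions taken from my reading of RFC 5998 and the IANA registry, and the `IkeAuthRequest` shape is constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Notify status type that RFC 5998 defines for EAP_ONLY_AUTHENTICATION.
# Assumed value (IANA IKEv2 Notify Message Types registry); verify before relying on it.
EAP_ONLY_AUTHENTICATION = 16417

# EAP methods RFC 5998 treats as providing mutual authentication and key
# derivation. Illustrative subset (assumption); RFC 5998 Appendix A has the list.
MUTUAL_EAP_METHODS: Set[str] = {
    "EAP-TLS", "EAP-TTLS", "EAP-FAST", "EAP-SIM", "EAP-AKA", "EAP-AKA'", "EAP-pwd",
}


@dataclass
class IkeAuthRequest:
    """Constructed model of the initiator's first IKE_AUTH message.

    In the EAP case the initiator omits its AUTH payload; the only thing the
    responder can act on for RFC 5998 is the set of notifications it carried.
    """
    notifies: Set[int] = field(default_factory=set)
    eap_method: Optional[str] = None  # method the responder intends to run


def responder_must_send_pubkey_auth(req: IkeAuthRequest,
                                    responder_supports_5998: bool = True) -> bool:
    """Return True if the responder must include CERT+AUTH (public key) in its
    first IKE_AUTH response, i.e. the base RFC 5996 rule quoted above applies.

    The answer is False only when every RFC 5998 condition holds:
      1. this responder implements the extension,
      2. the initiator asked for it with EAP_ONLY_AUTHENTICATION, and
      3. the chosen EAP method is one the extension considers safe.
    """
    if not responder_supports_5998:
        return True
    if EAP_ONLY_AUTHENTICATION not in req.notifies:
        return True
    if req.eap_method not in MUTUAL_EAP_METHODS:
        # Extension requested but method offers no mutual auth / key derivation:
        # fall back to the base rule rather than accept the downgrade.
        return True
    return False


def responder_notifies(req: IkeAuthRequest,
                       responder_supports_5998: bool = True) -> Set[int]:
    """Notifications the responder echoes back. Per RFC 5998 the responder
    signals acceptance of EAP-only by returning EAP_ONLY_AUTHENTICATION;
    it stays silent when it will authenticate with a public key as usual."""
    if responder_must_send_pubkey_auth(req, responder_supports_5998):
        return set()
    return {EAP_ONLY_AUTHENTICATION}


if __name__ == "__main__":
    base = IkeAuthRequest(eap_method="EAP-TLS")
    ext = IkeAuthRequest(notifies={EAP_ONLY_AUTHENTICATION}, eap_method="EAP-TLS")
    weak = IkeAuthRequest(notifies={EAP_ONLY_AUTHENTICATION}, eap_method="EAP-MD5")
    for name, r in (("base", base), ("rfc5998", ext), ("weak-method", weak)):
        print(name, "server pubkey AUTH required:", responder_must_send_pubkey_auth(r))
```

The point the check makes concrete is the one Yaron and Tero are circling: an implementation that follows only the draft text is correct and never skips the server's public-key AUTH, while one that implements RFC 5998 may skip it only after the notification exchange and only for a listed method. A request that asks for EAP-only with a non-mutual method falls back to the base rule instead of proceeding unauthenticated.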
