Tero Kivinen writes:
> Yaron Sheffer writes:
> > This is why RFC 5998 is listed as "updates 5996". So RFC 5998 does apply
> > here. Note that it only applies in specific cases, and for specific EAP
> > methods.
> >
> > Yes, we should have updated the text in RFC 5996 to refer to 5998, but
> > we forgot. Sigh.
>
> Hmm.. I hope this does not mean we should update
> draft-kivinen-ikev2-rfc5996bis (now in AUTH48) to say something about
> this?

As there has not been any support on the list to add anything like this to
draft-kivinen-ikev2-rfc5996bis, I assume we do not then need to change it.

> RFC 5998 is a standards-track protocol that extends IKEv2 by
> including new notifications to negotiate mutual EAP
> authentication, and also changes the payloads sent in the exchanges.
>
> The current text in the draft is not incorrect, as if you follow the
> protocol described in this draft, then the text in the draft is correct:
>
>    An implementation using EAP MUST also use a public-key-based
>    authentication of the server to the client before the EAP
>    authentication begins, even if the EAP method offers mutual
>    authentication. This avoids having additional IKEv2 protocol
>    variations and protects the EAP data from active attackers.
>
> What we could do is add a reference to RFC 5998 there, but I
> think it might not be needed, as RFC 5998 is clearly an extension to
> IKEv2, and we do not need to list all extensions to IKEv2 in the
> specification.
>
> What do others think? If we were earlier in the publication process,
> I would say go for it, but adding this kind of text in AUTH48 is not
> something I would like to be doing...
--
[email protected]
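The difference the thread is discussing, as an added example that is not part of the thread, the draft, or any IKEv2 implementation: a toy model of the responder's first IKE_AUTH response under the quoted RFC 5996 rule (public-key authentication of the server before EAP starts) and under the RFC 5998 extension (initiator proposes EAP-only authentication with an EAP_ONLY_AUTHENTICATION notify, responder accepts by echoing it and omitting CERT/AUTH). The AUTH computation follows RFC 5996 Sections 2.15/2.16 with HMAC-SHA256 standing in for the negotiated prf; `sign()`/`verify()`, the `SAFE_EAP_METHODS` set (a few entries from the RFC 5998 list, not the full list), and all keys, nonces and message bytes are assumptions constructed for the example.

```python
"""Toy model of the IKE_AUTH decision discussed in the thread.

Added example; not code from the thread, the draft, or any IKEv2 stack.
It models the RFC 5996 rule (server signs before EAP begins) and the
RFC 5998 EAP-only variant. sign()/verify(), SAFE_EAP_METHODS and the
sample keys, nonces and message bytes are assumptions for illustration.
"""
import hashlib
import hmac

EAP_ONLY_AUTHENTICATION = "EAP_ONLY_AUTHENTICATION"  # notify type from RFC 5998

# Assumption: a few of the EAP methods RFC 5998 lists as safe (mutual
# authentication plus key derivation). The authoritative list is RFC 5998 s.4.
SAFE_EAP_METHODS = {"EAP-TLS", "EAP-AKA", "EAP-SIM"}

# Constructed sample secrets standing in for real IKE/EAP state.
SAMPLE_MSK = b"\x0a" * 64            # MSK exported by the EAP method
SAMPLE_RESPONDER_KEY = b"server-key"  # responder's "private key" (toy)


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S) of RFC 5996 s.2.13, instantiated here as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def sign(private_key: bytes, octets: bytes) -> bytes:
    """Stand-in for an RSA/ECDSA signature (assumption: a keyed MAC so the
    example runs offline). A real responder signs with its certificate key."""
    return prf(private_key, b"sig|" + octets)


def verify(trusted_key: bytes, octets: bytes, sig: bytes) -> bool:
    """Initiator-side check of the responder's signature-based AUTH."""
    return hmac.compare_digest(sign(trusted_key, octets), sig)


def signed_octets(message: bytes, peer_nonce: bytes, sk_p: bytes, id_payload: bytes) -> bytes:
    """RFC 5996 s.2.15: <message> | Nonce | prf(SK_p, RestOfIDPayload)."""
    return message + peer_nonce + prf(sk_p, id_payload)


def auth_from_eap_msk(msk: bytes, octets: bytes) -> bytes:
    """RFC 5996 s.2.16: once EAP yields an MSK, both sides send
    AUTH = prf(prf(MSK, "Key Pad for IKEv2"), <signed octets>)."""
    return prf(prf(msk, b"Key Pad for IKEv2"), octets)


def responder_ike_auth_response(initiator_notifies, eap_method, responder_key, octets):
    """What the responder puts in its first IKE_AUTH response."""
    eap_only = (EAP_ONLY_AUTHENTICATION in initiator_notifies
                and eap_method in SAFE_EAP_METHODS)
    if eap_only:
        # RFC 5998: accept by echoing the notify; no CERT and no AUTH until
        # the EAP method has produced an MSK.
        return {"notify": [EAP_ONLY_AUTHENTICATION], "cert": False, "auth": None}
    # RFC 5996 rule quoted in the thread: the server authenticates with a
    # public-key signature before EAP starts, even for mutual EAP methods.
    return {"notify": [], "cert": True, "auth": sign(responder_key, octets)}


def run_ike_auth(eap_method, initiator_requests_eap_only, msk, responder_key, trusted_key):
    """Simulate the exchange and report how the server was authenticated."""
    message2 = b"IKE_SA_INIT response bytes"          # constructed
    nonce_i = b"\x01" * 16                              # constructed Ni
    sk_pr = b"\x02" * 32                                # constructed SK_pr
    id_r = b"\x03\x00\x00\x00server.example"           # constructed IDr body
    octets_r = signed_octets(message2, nonce_i, sk_pr, id_r)

    notifies = [EAP_ONLY_AUTHENTICATION] if initiator_requests_eap_only else []
    resp = responder_ike_auth_response(notifies, eap_method, responder_key, octets_r)

    if resp["auth"] is not None:
        # Initiator MUST verify the responder's signature before the first
        # EAP message; an initiator with no trust anchor for it has to abort.
        if not verify(trusted_key, octets_r, resp["auth"]):
            return "ABORTED: responder signature invalid"
        server_auth = "public-key signature before EAP"
    elif EAP_ONLY_AUTHENTICATION in resp["notify"]:
        server_auth = "EAP-only (RFC 5998)"
    else:
        return "ABORTED: responder sent neither AUTH nor EAP_ONLY_AUTHENTICATION"

    # EAP rounds elided; both ends hold the same MSK afterwards and exchange
    # MSK-derived AUTH payloads (RFC 5996 s.2.16, unchanged by RFC 5998).
    auth_r = auth_from_eap_msk(msk, octets_r)
    assert len(auth_r) == 32
    return server_auth


if __name__ == "__main__":
    for method, eap_only in (("EAP-TLS", False), ("EAP-TLS", True), ("EAP-MD5", True)):
        print(method, eap_only, "->", run_ike_auth(
            method, eap_only, SAMPLE_MSK, SAMPLE_RESPONDER_KEY, SAMPLE_RESPONDER_KEY))
```

The third scenario is the one the thread's caveat is about: an initiator that proposes EAP-only with a method outside the RFC 5998 safe list falls back to the RFC 5996 behaviour, so it must be able to verify the responder's certificate-based AUTH or the exchange fails.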
