Folks,
I think there is merit to pursuing both the EAP-based and the
SPSK-based password authentication proposals as WG items. My
rationale is:
- EAP-based methods are well-suited to client-server
interactions and to enterprise environments that already use
RADIUS/DIAMETER. Unfortunately, these methods seem ill-suited to peer
communications, and IPsec is a peer communication architecture, so
having only these methods available for password-based auth seems
inappropriate. Also, Dan has indicated that there are IP claims
associated with the specific methods that have been cited, which
makes me leery of relying too heavily on them.
- a generic password-based scheme seems desirable for peer
(vs. client-server) contexts, and if such schemes are IP-free, so
much the better. However, enterprise use of IPsec is primarily for
road warriors, and thus is a client-server context, and there is a
strong preference for RADIUS/DIAMETER compatibility in this context.
So, I see a benefit in this WG pursuing both work items.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec