Hi Nico,

On Tue, April 12, 2011 1:00 pm, Nico Williams wrote:
> I fail to see how Tero's proposal makes any headway. Customers who
> have and want to use AAA will not be able to use it, near as I can
> tell, and if you undertake to make it possible to use AAA in Tero's
> proposal then you'll be quickly approximating EAP re-invention. Thus
> my skepticism. It's not pessimism because the obvious solution is to
> use an off-the-shelf solution.

See, that's the whole thing! You can't use AAA because IKE is not a client-server protocol designed for network access (although some people try to use it for that). Each side can initiate to the other, so each side needs access to the credential, and since there's no way for a AAA server to initiate EAP to another AAA server, you can't use AAA. And if you can't use AAA, then what's the point of using EAP? There isn't one! It's a pointless encapsulation that increases the number of messages and invites insecure misuse of IKE. I fail to see any value that a pluggable authentication framework adds.

(EAP re-invention might be a good idea. Maybe someone can make it so a self-described authentication protocol has a way of learning an identity that is useful for authentication purposes. And if a message can get big enough to be fragmented, then maybe defining fragmentation/reassembly might be a good idea too. Both of those tend to get reinvented with each EAP method that needs them-- ggrrrrr).

>> Now the drafts are in LC. Maybe a few comments could get the authors
>> to align their drafts so they look architecturally identical while
>> implementing different exchanges.
>
> Which I-Ds are in last call??

The three PAKE I-Ds:

- draft-harkins-ipsecme-spsk-auth
- draft-kuegler-ipsecme-pace-ikev2
- draft-shin-augmented-pake

regards,

Dan.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec