The text in RFC7296 specifically does not limit the uses of EAP
identities more than that "SHOULD NOT" just because we wanted to leave
things open so different implementations can do whatever is suitable
for them.
That's why I think that ID_NULL can be used as IDi
in case of EAP - this usage doesn't contradict the IKEv2 spec.
Valery.
Hi Valery,
I don't see how this can be done without breaking existing
implementations, and therefore I am unhappy with the new sentence in
-03, "Another example is EAP authentication when the client identity in
ID payload is not used." A responder that receives a new, unknown ID
type should IMHO reject the exchange as syntactically malformed. Even if
some reading of the documents might lead you to think that responders
should be liberal in this case, I see no benefit in breaking the
non-liberal servers by using a novel ID type here.
Thanks,
Yaron
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec