Hi Yaron,
The text in RFC7296 specifically does not limit the uses of EAP
identities more than that "SHOULD NOT" just because we wanted to leave
things open so different implementations can do whatever is suitable
for them.
That's why I think that ID_NULL can be used as IDi
in case of EAP - this usage doesn't contradict to IKEv2 spec.
Valery.
Hi Valery,
I don't see how this can be done without breaking existing
implementations, and therefore I am unhappy with the new sentence in
-03, "Another example is EAP authentication when the client identity in
ID payload is not used." A responder that receives a new, unknown ID
type should IMHO reject the exchange as syntactically malformed. Even if
some reading of the documents might lead you to think that responders
should be liberal in this case, I see no benefit in breaking the
non-liberal servers by using a novel ID type here.
The text is there because the draft doesn't restrict usage of ID_NULL
to NULL AUthentication only and we were asked to provide
some examples of such usage. I agree that current implementations
won't probably tolerate the described scenario, but I also think that we
should allow ID_NULL to be used in some use cases that might be defined
in the future.
We may remove this sentence that made you unhappy and replace
it with something like:
If ID_NULL is used with other authentication methods than NULL
Authentication, then its usage must be defined in appropriate
document.
BTW, is another example of using ID_NULL in this para is
acceptable to you?
Regards,
Valery.
Thanks,
Yaron
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
