On Fri, 7 Nov 2025, Tero Kivinen wrote:

Here is the list of experimental RFCs I promised to send to this list:

Experimental RFCs:

 * Repeated Authentication in IKEv2 RFC 4478
 * Multiple Authentication Exchanges in the IKEv2 RFC 4739
 * IPv6 Configuration in IKEv2 RFC 5739
 * A Childless Initiation of the IKEv2 SA RFC 6023
 * An IKEv2 Extension to Support EAP Re-authentication
   Protocol (ERP) RFC 6867

The question is that if implementations are using any of those, then
we might want to think whether we should update them from experimental
to something else. On the other hand if nobody has ever implemented
them and do not see any use for them, perhaps we should consider
marking them as failed experiment.

libreswan only supports RFC 6023, which it uses for supporting RFC 9478
Labeled IPsec Traffic Selector Support.

In addition to those, we have password authentication protocols:

 * Secure Pre-Shared Key (PSK) Authentication for the IKE RFC 6617
 * Efficient Augmented Password-Only Authentication and Key
   Exchange for IKEv2 RFC 6628
 * Password Authenticated Connection Establishment with the
   IKEv2 RFC 6631

libreswan supports none of these, and was partially waiting on updated
PAKEs from CFRG. It seems most user/pass support is done using
EAP-mschapv2 in the real world?

Paul

_______________________________________________
IPsec mailing list -- [email protected]