Yaron Sheffer writes:
> EAP was added to IKEv2 to provide "legacy" (a.k.a. password)
> authentication. In the past it did not do it very well, but this is
> changing. We should improve the use of EAP in IKEv2, rather than
> replacing it by a homebrew solution. 

EAP can really only be used in the client / server situation. Using
EAP to protect site to site, or host to host traffic is very hard,
because of the asymmetric properties of EAP.

Because of this I do think there is use for having a secure password
protocol in IKEv2 without using EAP.

As an additional note, I also think there is use for EAP methods you
list below, as those can be used when there is clear client / server
distinction just like in the remote access case.

Btw, the same applies to EAP-only authentication, i.e. it has
uses when there is a clear client / server distinction, i.e. it is not
competing with this one, but it provides similar properties for those
cases where we really have client and server, and where we do have
existing infrastructure (for example using EAP-SIM or EAP-AKA in the
GSM or 3GPP environments).
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec