Tero Kivinen wrote:
SPSK can be used when there is a requirement for host to host (or site
to site) connection, where either end can initiate traffic and
exchanges and where entities still want to use passwords instead of
public keys to authenticate. Shared keys could be used there, but in
most setups the shared keys used in those scenarios are not strong
enough to be resistant against dictionary attacks. EAP-only cannot be
used there as this is not a client-server setup. In these setups the
authentication needs to be symmetric.

For this reason I do not think we need to decide to take one or the
other, we can take both as I do see use for both of them.
If I would need to select one, I would select SPSK, as that is
something which cannot be done by IKEv2 now.
EAP-only is an optimization (both in protocol level, and especially in
administrative level) for the existing EAP-Public key authentication.

I concur with Tero's analysis and I agree that I would prefer to solve
the problem that SPSK solves.