I see value in adding a simpler-than-EAP method, and support this effort. But overall it's an extremely difficult task because of IPR.
I personally would hate to see a patent-encumbered solution - and that would disqualify EKE and PAK outright (both held by Alcatel-Lucent, AFAIK). SRP would be the only acceptable (from IPR point of view) candidate that I'm aware of. I've been told that EKE patent is written so broadly that it could cover SRP as well - somebody more knowledgeable should comment on this. Tnx! Regards, Uri ----- Original Message ----- From: cfrg-boun...@irtf.org <cfrg-boun...@irtf.org> To: Hannes Tschofenig <hannes.tschofe...@gmx.net> Cc: IPsecme WG <ipsec@ietf.org>; c...@irtf.org <c...@irtf.org> Sent: Tue Mar 02 12:51:29 2010 Subject: Re: [Cfrg] [IPsec] Beginning discussion on secure password-only authentication for IKEv2 At 7:22 PM +0200 3/2/10, Hannes Tschofenig wrote: >The challenge I have in understanding the motivation for this work is impacted >by ... > >1) EAP is not only meant to be used with backend infrastructure. >2) EAP is an authentication framework and EAP methods exist that support >strong-password based authentication. >3) EAP is implemented by folks in IKEv2 already. > >To me it seems that there is the chance to re-use existing mechanisms and to >even re-use existing code. Hannes, it is not really appropriate to re-open closed charter issues. As you know, this was already discussed, at length, in the WG. That's why another part of the new charter has: - A standards-track IKEv2 extension to allow mutual EAP-based authentication in IKEv2, eliminating the need for the responder to present a certificate. The document will define the conditions that EAP methods need to fulfill in order to use this extension. The document will recommend, but will not require, the use of EAP methods that provide EAP channel binding. The proposed starting point for this work is draft-eronen-ipsec-ikev2-eap-auth-07.txt. For this thread, please focus on the issues at hand for a secure password-only authentication mode for IKEv2. Thanks! --Paul Hoffman, Director --VPN Consortium _______________________________________________ Cfrg mailing list c...@irtf.org http://www.irtf.org/mailman/listinfo/cfrg _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
