On Mon, Apr 1, 2024 at 9:08 AM Valery Smyslov <svan@xxxxxxxx> wrote:
I've added the following sentence to the Introduction:
Since IKEv2 doesn't allow to use multiple
authentication methods and doesn't provide means for peers to
indicate to the other side which authentication methods they support,
it is possible that in these situations the peer which supports wider
range of authentication methods (or authentication token formats)
improperly selects the method (or format) which is not supported by
the other side.
I wouldn't phrase it like it, since if we are talking about the peers using different authentication
methods (eg client EAPTLS and server X.509 cert) then there are "multiple authentication methods".
Also, the server could have multiple configurations for the same peer so a peer could come in using X509 or PSK.
I think the core case is that the peers cannot dictate the auth method the peer must use. But this document allows
them to inform the peer or what they are going to allow? Although a bit limited because in IKE_SA_INIT, one does
not have the peer's identity yet, and different peers might only be allowed specific auth methods.
Paul
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
