| rfc9593v2.txt | rfc9593.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) V. Smyslov | Internet Engineering Task Force (IETF) V. Smyslov | |||
| Request for Comments: 9593 ELVIS-PLUS | Request for Comments: 9593 ELVIS-PLUS | |||
| Category: Standards Track June 2024 | Category: Standards Track July 2024 | |||
| ISSN: 2070-1721 | ISSN: 2070-1721 | |||
| Announcing Supported Authentication Methods in the Internet Key Exchange | Announcing Supported Authentication Methods in the Internet Key Exchange | |||
| Protocol Version 2 (IKEv2) | Protocol Version 2 (IKEv2) | |||
| Abstract | Abstract | |||
| This specification defines a mechanism that allows implementations of | This specification defines a mechanism that allows implementations of | |||
| the Internet Key Exchange Protocol Version 2 (IKEv2) to indicate the | the Internet Key Exchange Protocol Version 2 (IKEv2) to indicate the | |||
| list of supported authentication methods to their peers while | list of supported authentication methods to their peers while | |||
| skipping to change at line 409 ¶ | skipping to change at line 409 ¶ | |||
| Generally in IKEv2 each party independently determines the way it | Generally in IKEv2 each party independently determines the way it | |||
| authenticates itself to the peer. In other words, authentication | authenticates itself to the peer. In other words, authentication | |||
| methods selected by the peers need not be the same. However, some | methods selected by the peers need not be the same. However, some | |||
| IKEv2 extensions break this rule. | IKEv2 extensions break this rule. | |||
| The prominent example is "Secure Password Framework for Internet Key | The prominent example is "Secure Password Framework for Internet Key | |||
| Exchange Version 2" [RFC6467], which defines a framework for using | Exchange Version 2" [RFC6467], which defines a framework for using | |||
| secure password authentication in IKEv2. With this framework, peers | secure password authentication in IKEv2. With this framework, peers | |||
| negotiate using one of the secure password methods in the IKE_SA_INIT | negotiate using one of the secure password methods in the IKE_SA_INIT | |||
| exchange -- the initiator sends a list of supported PAKE methods in | exchange -- the initiator sends a list of supported methods in the | |||
| the request, and the responder picks one of them and sends it back in | request, and the responder picks one of them and sends it back in the | |||
| the response. | response. | |||
| If peers negotiate secure password authentication, then the selected | If peers negotiate secure password authentication, then the selected | |||
| method is used by both initiator and responder, and no other | method is used by both initiator and responder, and no other | |||
| authentication methods are involved. For this reason, there is no | authentication methods are involved. For this reason, there is no | |||
| point to announce supported authentication methods in this case. | point to announce supported authentication methods in this case. | |||
| Thus, if the peers choose to go with secure password authentication, | Thus, if the peers choose to go with secure password authentication, | |||
| they MUST NOT send the SUPPORTED_AUTH_METHODS notification. | they MUST NOT send the SUPPORTED_AUTH_METHODS notification. | |||
| In the situation when peers are going to use Multiple Authentication | In the situation when peers are going to use Multiple Authentication | |||
| Exchanges [RFC4739], they MAY include multiple SUPPORTED_AUTH_METHODS | Exchanges [RFC4739], they MAY include multiple SUPPORTED_AUTH_METHODS | |||
| End of changes. 2 change blocks. | ||||
| 4 lines changed or deleted | 4 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||