
Authentication methods in IKEv2



Hi,

I have some doubts about the use of authentication methods in IKEv2.
In IKEv2, negotiation of authentication methods was completely
removed - each side simply uses his/her favourite method.
I think this may lead to a lack of interoperability and extensibility
in case one of the endpoints supports more than one method of
authentication.

For example, let the initiator support RSA and DSS and have certificates
of both types. Let the responder support only RSA. In this case, the
responder has no means in the protocol to explicitly indicate
that it will accept only RSA certificates. Even if we require
all implementations to support all three authentication methods
 - RSA, DSS and preshared keys (which is definitely unrealistic,
at least for DSS), what about future authentication methods?

Another thing that makes me feel uncomfortable is that even the
type of key an endpoint uses for its own signature is not always explicitly
indicated in the protocol. It can easily be learned if a certificate
is present in the exchange, but the certificate payload is optional...

Regards,
Valery Smyslov.
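The interoperability problem described in the message above, modelled in code. This is an added example, not part of the mailing-list post and not code from any IKEv2 implementation. It assumes the Authentication payload layout and Auth Method numbers of RFC 4306 section 3.8 (1 = RSA Digital Signature, 2 = Shared Key Message Integrity Code, 3 = DSS Digital Signature); the draft under discussion may have differed. The `Peer` class, the `responder_hint` parameter and the "method#42" future method are hypothetical constructs used only to show the point: without a negotiation the initiator picks blind, and the responder's only lever is to reject after the fact.

```python
import struct

# IKEv2 AUTH payload method numbers (RFC 4306, section 3.8); assumed to
# match the draft the message discusses.
RSA_DIGITAL_SIGNATURE = 1
SHARED_KEY_MIC = 2          # preshared key
DSS_DIGITAL_SIGNATURE = 3
METHOD_NAMES = {1: "RSA", 2: "PSK", 3: "DSS"}


def build_auth_payload(method, auth_data, next_payload=0):
    """Encode an Authentication payload: generic header (Next Payload,
    Critical/RESERVED, Payload Length) + Auth Method + 3 RESERVED bytes
    + Authentication Data."""
    length = 4 + 4 + len(auth_data)
    return struct.pack("!BBHB3x", next_payload, 0, length, method) + auth_data


def parse_auth_payload(data):
    """Decode an Authentication payload and return (method, auth_data).
    The only thing the wire tells the receiver about the peer's key is
    the Auth Method number; without a CERT payload nothing else is there."""
    next_payload, flags, length, method = struct.unpack("!BBHB", data[:5])
    if length < 8 or length != len(data):
        raise ValueError("bad Authentication payload length")
    if data[5:8] != b"\x00\x00\x00":
        raise ValueError("RESERVED octets must be zero")
    return method, data[8:]


class Peer:
    """Hypothetical endpoint: a set of supported methods and an order of
    preference among them."""

    def __init__(self, name, supported, preferred):
        self.name = name
        self.supported = set(supported)
        self.preferred = list(preferred)

    def choose_method(self, hint=None):
        # IKEv2 as described in the post: no negotiation, take the favourite.
        if hint is None:
            return self.preferred[0]
        # Hypothetical "responder announces what it accepts" (not IKEv2):
        # pick the most preferred method the other side will take.
        for m in self.preferred:
            if m in hint:
                return m
        raise ValueError("no common authentication method")

    def accepts(self, method):
        return method in self.supported


def ike_auth_exchange(initiator, responder, responder_hint=None):
    """Simulate the AUTH method selection of IKE_AUTH in both directions.
    Returns (initiator_method, responder_method, outcome)."""
    name = lambda m: METHOD_NAMES.get(m, "method#%d" % m)

    i_method = initiator.choose_method(responder_hint)
    auth_i = build_auth_payload(i_method, b"<initiator signature, constructed>")
    method_i, _ = parse_auth_payload(auth_i)
    if not responder.accepts(method_i):
        # The responder can only fail the exchange; it had no way to say
        # up front which methods it would accept.
        return name(method_i), None, "AUTHENTICATION_FAILED"

    r_method = responder.choose_method()
    auth_r = build_auth_payload(r_method, b"<responder signature, constructed>")
    method_r, _ = parse_auth_payload(auth_r)
    if not initiator.accepts(method_r):
        return name(method_i), name(method_r), "AUTHENTICATION_FAILED"
    return name(method_i), name(method_r), "OK"


if __name__ == "__main__":
    rsa_only = Peer("responder", [RSA_DIGITAL_SIGNATURE], [RSA_DIGITAL_SIGNATURE])
    dss_first = Peer("initiator", [RSA_DIGITAL_SIGNATURE, DSS_DIGITAL_SIGNATURE],
                     [DSS_DIGITAL_SIGNATURE, RSA_DIGITAL_SIGNATURE])
    print(ike_auth_exchange(dss_first, rsa_only))        # blind choice fails
    print(ike_auth_exchange(dss_first, rsa_only,
                            responder_hint={RSA_DIGITAL_SIGNATURE}))  # hint fixes it
```

The same simulation shows the extensibility concern: an initiator preferring a method number the responder has never heard of (say 42) is rejected just like DSS, and the responder cannot tell in advance that it should not be offered.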