
Clarification of EAP authentication in IKEv2?



(I'm sending this again, since for some reason my 
post on Tuesday didn't come through.)


Hi,

IKEv2-11, Section 2.16 says:

   In addition to authentication using public key signatures and
   shared secrets, IKE supports authentication using methods
   defined in RFC 2284 [EAP]. Typically, these methods are
   asymmetric (designed for a user authenticating to a server),
   and they may not be mutual. For this reason, these protocols
   are typically used to authenticate the initiator to the
   responder and are used in addition to a public key signature
   based authentication of the responder to the initiator.

Recently, some people have interpreted the last sentence as
"public key signature based authentication of the responder 
MUST be used".

Another possible interpretation is that _typically_ the responder 
is authenticated with public key signatures (for the reasons 
given earlier in the paragraph), but other alternatives (such 
as EAP method that provides mutual authentication, or even 
shared secret) may be possible in some circumstances.

Any comments?

Personally, I support the latter interpretation, since otherwise
only initiator authentication is extensible, not responder 
authentication (and I think this would be an unnecessary limitation... 
after all, if the point of EAP is to allow users to choose an 
authentication method that best suits their needs, why should this 
be limited to initiator authentication?). 

This could perhaps be clarified by adding the following 
paragraph below the sequence diagram:

   If the authentication of the responder is based solely on a
   mutually authenticating EAP method, the responder omits the
   AUTH payload from message 4. Alternatively, the responder 
   can be authenticated using either public key signatures or 
   a shared secret, in which case the AUTH payload in message 4 
   is calculated as described in Section 2.15.

Best regards,
Pasi
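The following is an added illustration of the two alternatives in the proposed paragraph; it is not part of Pasi's message, the draft, or any IKEv2 implementation. It models the responder's IKE_AUTH message 4 under shared-secret authentication (AUTH present, computed as in Section 2.15 with the formula AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <msg octets>), which is assumed to be the draft-11 text) and under a mutually authenticating EAP method (AUTH omitted), and the initiator-side check that follows from the proposed rule. The PRF is assumed to be PRF_HMAC_SHA1; payloads are represented as a Python dict rather than real IKEv2 encoding, and all sample values (message 2 octets, nonces, keys, IDr, the pre-shared key) are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

# ASCII pad string from Section 2.15 of the draft (assumed identical in draft-11).
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """Assumption: PRF_HMAC_SHA1 was negotiated in IKE_SA_INIT."""
    return hmac.new(key, data, hashlib.sha1).digest()


def responder_signed_octets(msg2: bytes, ni: bytes, sk_pr: bytes, idr: bytes) -> bytes:
    """Octets the responder authenticates (Section 2.15): the whole second
    message, then the initiator's nonce Ni, then prf(SK_pr, IDr')."""
    return msg2 + ni + prf(sk_pr, idr)


def shared_secret_auth(shared_secret: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <msg octets>)."""
    return prf(prf(shared_secret, KEY_PAD), octets)


def build_message4(responder_auth: str, ctx: dict) -> Dict[str, Optional[bytes]]:
    """Responder's IKE_AUTH message 4 when the initiator asked for EAP.

    responder_auth is 'shared_secret' (AUTH computed as in Section 2.15) or
    'mutual_eap' (AUTH omitted, responder authenticated inside the EAP method).
    The public-key signature case is left out; it differs only in replacing
    the prf with a signature over the same octets.
    """
    msg: Dict[str, Optional[bytes]] = {"IDr": ctx["idr"], "EAP": ctx["eap_request"]}
    if responder_auth == "shared_secret":
        octets = responder_signed_octets(ctx["msg2"], ctx["ni"], ctx["sk_pr"], ctx["idr"])
        msg["AUTH"] = shared_secret_auth(ctx["shared_secret"], octets)
    elif responder_auth == "mutual_eap":
        pass  # no AUTH payload in message 4
    else:
        raise ValueError("unknown responder authentication mode: %r" % responder_auth)
    return msg


def initiator_accepts(msg4: Dict[str, Optional[bytes]], ctx: dict,
                      eap_method_is_mutual: bool) -> bool:
    """Initiator's check on message 4 under the proposed rule: a missing AUTH
    is acceptable only if the EAP method itself authenticates the responder;
    a present AUTH must verify against the shared secret."""
    auth = msg4.get("AUTH")
    if auth is None:
        return eap_method_is_mutual
    octets = responder_signed_octets(ctx["msg2"], ctx["ni"], ctx["sk_pr"], msg4["IDr"])
    expected = shared_secret_auth(ctx["shared_secret"], octets)
    return hmac.compare_digest(auth, expected)


def example_context() -> dict:
    """Constructed sample values; none of these come from a real exchange."""
    return {
        "msg2": b"HDR,SAr1,KEr,Nr",            # stand-in for raw message 2 octets
        "ni": bytes(range(16)),                 # initiator nonce Ni
        "sk_pr": b"\x11" * 20,                  # responder's SK_pr
        "idr": b"\x02\x00\x00\x00" + b"gw.example.com",  # ID_FQDN payload body
        "shared_secret": b"constructed-psk",
        "eap_request": b"\x01\x01\x00\x05\x01",  # EAP Request/Identity
    }


if __name__ == "__main__":
    ctx = example_context()
    m = build_message4("shared_secret", ctx)
    print("shared secret: AUTH present =", "AUTH" in m,
          "accepted =", initiator_accepts(m, ctx, eap_method_is_mutual=False))
    m = build_message4("mutual_eap", ctx)
    print("mutual EAP:    AUTH present =", "AUTH" in m,
          "accepted =", initiator_accepts(m, ctx, eap_method_is_mutual=True))
```

The last branch of initiator_accepts is the point of the proposed text: an initiator that receives message 4 without AUTH must not simply proceed, but must know (from its configuration or the negotiated EAP method) that the method is mutually authenticating; otherwise nothing in the exchange ties the responder to any identity.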