
Re: Getting the features chart going



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[[ Not sure who wrote the double quoted text here, maybe Glen???  The
attribution was removed and some messages were left off the main
list.]]
> > there may be others.  The major benefits of L2TP over hacking IKE
> > are pretty obvious, I think

Terms like "obvious" and "clearly" are an emotional response that
seems unclear given that a large number of vendors have in fact
chosen to use the route this poster thinks is "obvious"ly wrong.

> > but include _real_ interoperability,

As opposed to fake interoperability?  There is a simple problem to
solve here.  Remote clients need an internal IP, DNS, and WINS
address.  ISAKMP-cfg gives it to them in a very simple addition to a
protocol everyone here has already implemented, IKE.

> > the use of
> > well-understood protocols for both authentication and remote node
> > configuration.

IKE is a well understood protocol to everyone here.  ISAKMP-cfg is so
simple I can't imagine anyone saying it isn't well understood.
Trying to bring L2TP, PPP, IKE, and IPSEC together all at once is far
more likely to introduce the interoperability and not-well-understood
issues that you raise.


> > A more interesting question is why anyone would favor the
> > invention of novel extensions to a protocol that is already far
> > too complex over the use of widely-deployed, proven techniques.

It must be a conspiracy.

Seriously, while IKE may be complex, it has the significant advantage
that everyone here already understands it quite well, has already
implemented it, and IMHO didn't find it to be far too complex.  I'm
not sure what you mean by widely-deployed and proven techniques.  The
issue of whether an old implementation of PPTP happens to be deployed
in NT is really orthogonal to the problems here.  L2TP/PPP/IKE/IPSEC
as a solution is not widely deployed by any stretch of the
imagination.


> > I understand that firewall vendors have generally not implemented
> > PPP, but building a basic, interoperable implementation of either
> > PPP or L2TP is simple enough to be a college CS project.

Yes, firewall vendors would have implementation issues with
L2TP/PPP/IKE/IPSEC.  Throw the client vendors into that too.  I'm not
sure who that leaves wanting to surgically require four protocols
L2TP/PPP/IKE/IPSEC for the simple issue of getting internal IP info.

Stephane Beaulieu wrote:
> IMHO, the introduction of ISAKMP-Config into IKE is **FAR** more
> simple than implementing L2TP. 

Agreed.  I posted to the main list about 2 months ago asking how many
people had implemented isakmp-cfg and got a large number of replies.
Most of the vendors I talked to at the bakeoff were also planning to
support it or already do.  I think the cat's already out of the bag
on this.  Personally, we don't support it yet, but we look forward to
doing interop testing on it at the next bakeoff.

- -- Will

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQA/AwUBN3PX1ay7FkvPc+xMEQK8TgCgj2gBZFzTI4ccaz8K8JJOxSdhj4kAoMf0
z+WKlGg6bEvB/Yxce86saCXM
=p6pV
-----END PGP SIGNATURE-----
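The "simple addition to IKE" Will refers to is the ISAKMP-cfg (mode-config) attribute payload: the client sends a REQUEST listing the parameters it wants with zero-length attributes, and the gateway answers with a REPLY carrying the values under the same identifier. The following Python is an added example written for this archive page; it is not code from the poster, from the thread, or from Network Associates. It assumes the attribute-payload layout and attribute numbers of the mode-cfg draft (INTERNAL_IP4_ADDRESS=1, NETMASK=2, DNS=3, NBNS/WINS=4, the same numbers IKEv2 later kept in RFC 7296) and only encodes and parses the payload itself; the surrounding Phase 1 authentication and the encryption of the exchange are out of scope. The address pool is constructed sample data.

```python
import struct
from ipaddress import IPv4Address

# Attribute-payload types from the ISAKMP mode-cfg draft.
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# Attribute numbers from the same draft (assumed here; IKEv2 later kept
# these values in its Configuration payload).  NBNS is the WINS server.
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK = 1, 2
INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS = 3, 4
ATTR_NAMES = {
    INTERNAL_IP4_ADDRESS: "INTERNAL_IP4_ADDRESS",
    INTERNAL_IP4_NETMASK: "INTERNAL_IP4_NETMASK",
    INTERNAL_IP4_DNS: "INTERNAL_IP4_DNS",
    INTERNAL_IP4_NBNS: "INTERNAL_IP4_NBNS",
}


def encode_attr(attr_type, value=b""):
    """ISAKMP data attribute (RFC 2408 sec. 3.3) in TLV form (AF bit 0)."""
    if not 0 <= attr_type <= 0x7FFF or len(value) > 0xFFFF:
        raise ValueError("attribute type or value out of range")
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_cfg_payload(cfg_type, identifier, attrs, next_payload=0):
    """Attribute payload: Next Payload, RESERVED, Length, Type, RESERVED, Identifier, then attributes."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body),
                       cfg_type, 0, identifier) + body


def decode_cfg_payload(data):
    """Parse one attribute payload; every length is checked before it is used."""
    if len(data) < 8:
        raise ValueError("payload shorter than its fixed header")
    _nxt, _r1, length, cfg_type, _r2, identifier = struct.unpack("!BBHBBH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError("payload length field disagrees with data")
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        if atype & 0x8000:            # TV form: the 'length' field is the 2-byte value
            attrs.append((atype & 0x7FFF, data[off + 2:off + 4]))
            off += 4
        else:                         # TLV form: explicit length, then value
            if off + 4 + alen > length:
                raise ValueError("attribute value overruns payload")
            attrs.append((atype, data[off + 4:off + 4 + alen]))
            off += 4 + alen
    return cfg_type, identifier, attrs


def client_request(identifier):
    """Client asks for each parameter with a zero-length attribute."""
    wanted = [INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK,
              INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS]
    return encode_cfg_payload(CFG_REQUEST, identifier, [(t, b"") for t in wanted])


def gateway_reply(request, pool):
    """Gateway answers only what was asked for, echoing the identifier."""
    cfg_type, identifier, attrs = decode_cfg_payload(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected ISAKMP_CFG_REQUEST")
    answer = [(t, IPv4Address(v).packed) for t, _ in attrs for v in pool.get(t, [])]
    return encode_cfg_payload(CFG_REPLY, identifier, answer)


def client_apply(reply, expected_identifier):
    """Client accepts a reply only if it matches its outstanding request."""
    cfg_type, identifier, attrs = decode_cfg_payload(reply)
    if cfg_type != CFG_REPLY or identifier != expected_identifier:
        raise ValueError("reply does not match the outstanding request")
    config = {}
    for atype, value in attrs:
        if atype not in ATTR_NAMES:
            continue                  # unknown attributes are skipped, not fatal
        if len(value) != 4:
            raise ValueError(f"{ATTR_NAMES[atype]} must be a 4-byte IPv4 address")
        config.setdefault(ATTR_NAMES[atype], []).append(str(IPv4Address(value)))
    return config


# Constructed sample: a hypothetical gateway pool, not real infrastructure.
SAMPLE_POOL = {
    INTERNAL_IP4_ADDRESS: ["10.1.2.3"],
    INTERNAL_IP4_NETMASK: ["255.255.255.0"],
    INTERNAL_IP4_DNS: ["10.1.0.53", "10.1.0.54"],
    INTERNAL_IP4_NBNS: ["10.1.0.60"],
}


def demo_exchange(identifier=0x1234):
    """Run REQUEST -> REPLY and return what the client would configure."""
    req = client_request(identifier)
    rep = gateway_reply(req, SAMPLE_POOL)
    return client_apply(rep, identifier)


if __name__ == "__main__":
    print(demo_exchange())
```

Two checks in the client side matter in practice: the identifier must match the request the client actually has outstanding, so a stray or replayed REPLY cannot reconfigure it, and every length in the payload is validated before a slice is taken, since the attribute parser is exactly the kind of code that gets exercised by malformed peers.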

