RE: Getting the features chart going
Yes, I seem to have misread the hybrid auth draft.
-----Original Message-----
From: Stephane Beaulieu [mailto:sbeaulieu@TimeStep.com]
Sent: Friday, June 25, 1999 11:47 AM
To: Glen Zorn; Stephane Beaulieu; Paul Hoffman / VPNC;
vpnc-technical@vpnc.org
Cc: ipsec; ipsra
Subject: RE: Getting the features chart going
> The alternatives to XAUTH/ISAKMP-config of which I'm aware are documented in
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-isakmp-hybrid-auth-02.txt and
Again, Hybrid uses XAUTH (and implicitly ISAKMP-Config) to accomplish legacy
authentication. It also modifies the behavior of IKE, thus making IKE more
complex.
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-01.txt;
This is a good alternative to ISAKMP-Config. I have a few reservations
about creating specialty phase2 tunnels to configuration servers though.
However, it does solve the same problem as ISAKMP-Config in a pretty simple,
straightforward way and we can surely discuss the pros and cons of both
drafts in order to attempt to arrive at a standard.
> there may be others. The major benefits of L2TP over hacking IKE are pretty
> obvious, I think, but include _real_ interoperability, the use of
> well-understood protocols for both authentication and remote node
> configuration. A more interesting question is why anyone would favor the
> invention of novel extensions to a protocol that is already far too complex
> over the use of widely-deployed, proven techniques. I understand that
> firewall vendors have generally not implemented PPP, but building a basic,
> interoperable implementation of either PPP or L2TP is simple enough to be a
> college CS project.
IMHO, the introduction of ISAKMP-Config into IKE is **FAR** more simple than
implementing L2TP.