
Re: Reliable delete notifies



Bill Sommerfeld wrote:
> 
>    Is Aggressive Mode "standards bloat"
> 
> Yes.
> 
>    or is it a necessary addition to do what Ben wants to do?
> 
> It appears that what Ben wants to do is to use shared secret
> authentication by "identity" rather than ip address.  it should be
> possible to do this with main mode; we should figure out how to tweak
> Main Mode to make this possible.

Correct. As Jan Vilhuber so eloquently pointed out, our customers
want remote access IPSEC VPNs without the hassle of deploying
a PKI. Aggressive mode provides a viable (IMHO) solution for
remote access with identities other than IP addresses using
pre-shared keys for authentication.

Other options for remote access without _requiring_ certs are:

- XAUTH with a group pre-shared key.

- XAUTH with Hybrid Auth.

- IPSRA temporary certificates.

The XAUTH solutions, while available today from a number of vendors,
are not on the standards track and the third IPSRA option is far from
any interoperability testing, much less deployment.

So, until IPSRA defines its remote access protocols and they are
implemented, Aggressive Mode is the only standards track interoperable
method to do remote access without mandating adoption of a PKI as a
pre-requisite for deploying a VPN.

-Ben McCann
 
-- 
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111
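
An added example, not part of Ben's message or of anything from Indus River: a toy Python model of the point under discussion, showing why IKEv1 pre-shared-key authentication in Main Mode forces the responder to select the secret by the peer's source address, while Aggressive Mode lets it select by identity. The key schedule follows the shape of RFC 2409 (SKEYID = prf(pre-shared-key, Ni_b | Nr_b), SKEYID_e derived from it, HASH_I over the DH values, cookies, SA and IDii), but the Diffie-Hellman values, the SA payload, the cipher, the key stores and the identities are constructed stand-ins, not real IKE encodings.

```python
"""Toy model of IKEv1 pre-shared-key authentication: Main Mode vs Aggressive Mode.

Constructed example. Key derivation mirrors RFC 2409 section 5.4 in shape, but
DH values, the SA payload and the cipher are placeholders, not real IKE wire
formats. The point shown: which lookup key the responder has in hand when it
must choose the pre-shared secret.
"""
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


# Constructed responder (VPN gateway) key stores.
# What Ben wants: secrets indexed by identity, usable from any address.
PSK_BY_ID = {b"alice@example.com": b"alice-secret", b"bob@example.com": b"bob-secret"}
# What Main Mode can actually index by: the peer's IP address. A roaming
# user with a changing address has no usable entry here.
PSK_BY_IP = {"198.51.100.7": b"alice-secret"}


def derive_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID (pre-shared-key form) and SKEYID_e, as in RFC 2409 5.4 / Appendix B."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_e


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Keystream XOR derived from the key; stands in for the SKEYID_e cipher."""
    stream = b"".join(prf(key, i.to_bytes(4, "big")) for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def _fresh_exchange():
    """Cookies, nonces and DH stand-ins both sides agree on after messages 1-4 / 1-2."""
    return (os.urandom(8), os.urandom(8), os.urandom(16), os.urandom(16),
            os.urandom(32), os.urandom(32), os.urandom(32))


def main_mode(src_ip: str, ident: bytes, psk: bytes) -> bool:
    """Responder's view of a Main Mode exchange; True if it authenticates the peer."""
    cky_i, cky_r, ni, nr, gxi, gxr, gxy = _fresh_exchange()
    sa_b = b"SA-proposal"
    # Messages 1-4 carried cookies, SA, KE and nonces but no identity.
    # Initiator: builds message 5, IDii and HASH_I encrypted under SKEYID_e.
    skeyid, skeyid_e = derive_keys(psk, ni, nr, gxy, cky_i, cky_r)
    hash_i = prf(skeyid, gxi + gxr + cky_i + cky_r + sa_b + ident)
    msg5 = toy_encrypt(skeyid_e, ident + hash_i)
    # Responder: SKEYID_e depends on the PSK, so it must choose the secret
    # before it can read the identity. The only selector it has is src_ip.
    guess = PSK_BY_IP.get(src_ip)
    if guess is None:
        return False
    r_skeyid, r_skeyid_e = derive_keys(guess, ni, nr, gxy, cky_i, cky_r)
    plain = toy_decrypt(r_skeyid_e, msg5)
    id_recv, hash_recv = plain[:-20], plain[-20:]
    expected = prf(r_skeyid, gxi + gxr + cky_i + cky_r + sa_b + id_recv)
    return hmac.compare_digest(hash_recv, expected)


def aggressive_mode(src_ip: str, ident: bytes, psk: bytes) -> bool:
    """Responder's view of an Aggressive Mode exchange; src_ip is never consulted."""
    cky_i, cky_r, ni, nr, gxi, gxr, gxy = _fresh_exchange()
    sa_b = b"SA-proposal"
    # Message 1: SA, KE, Ni and IDii, all in the clear. Identity arrives first.
    msg1 = {"sa": sa_b, "ke": gxi, "ni": ni, "idii": ident}
    guess = PSK_BY_ID.get(msg1["idii"])
    if guess is None:
        return False
    r_skeyid, _ = derive_keys(guess, ni, nr, gxy, cky_i, cky_r)
    # Message 3 carries HASH_I, computed by the initiator from its PSK.
    skeyid, _ = derive_keys(psk, ni, nr, gxy, cky_i, cky_r)
    hash_i = prf(skeyid, gxi + gxr + cky_i + cky_r + msg1["sa"] + ident)
    expected = prf(r_skeyid, gxi + gxr + cky_i + cky_r + sa_b + msg1["idii"])
    return hmac.compare_digest(hash_i, expected)


if __name__ == "__main__":
    print("main mode, known address:   ", main_mode("198.51.100.7", b"alice@example.com", b"alice-secret"))
    print("main mode, roaming address: ", main_mode("203.0.113.9", b"alice@example.com", b"alice-secret"))
    print("aggressive, roaming address:", aggressive_mode("203.0.113.9", b"alice@example.com", b"alice-secret"))
```

In Main Mode the ID payload only appears in message 5, encrypted under SKEYID_e, which already depends on the pre-shared key, so a responder that does not know the peer's fixed address has nothing to select the secret with; in Aggressive Mode IDii is in message 1 in the clear. The price is the one to weigh before deploying it this way: the identity travels unencrypted, and because HASH_R in message 2 is computed from the pre-shared key over values visible on the wire, a captured exchange permits an offline dictionary attack on a weak group or user secret.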

