Re: Secure legacy authentication for IKEv2



Fair enough.  I strongly support (d), BTW.  I think it's essential to 
see an SLA defined, but it should not be made mandatory to implement.

I can see arguments both for and against having SLA be in a separate 
document.  Whether (a) occurs is not as important to me as making sure 
that (b) and (c) happen and happen soon.

Derrell

On Friday, December 20, 2002, at 06:02 PM, Hugo Krawczyk wrote:

> Just to illustrate the problems of making SLA part of IKEv2, let me
> point to an argument against using EAP in the context of SLA that was
> given in a previous message. It was claimed that adding EAP to SLA would
> require all implementations of IKE to implement EAP. But then why
> should ALL implementations of IKE be required to implement all the
> remote-access and legacy-authentication payloads and the special
> authentication mode??
> If, in contrast, SLA implementation would be required only for
> those providing remote user access, then implementing EAP would be
> a natural thing to require given that EAP is today's most general
> IETF-standardized mechanism for transporting user (and legacy)
> authentication information.
>
> Bottom line: I suggest to
> (a) separate SLA to another document;
> (b) develop IKEv2 and SLA at the same time (i.e. now);
> (c) advance the separate documents for standardization concurrently;
> (d) do NOT make SLA a mandatory mode of IKEv2.