RE: Getting the features chart going

[Glen Zorn <glennz@microsoft.com>]

Yes, I seem to have misread the hybrid auth draft. 

 -----Original Message-----
From: 	Stephane Beaulieu [mailto:sbeaulieu@TimeStep.com] 
Sent:	Friday, June 25, 1999 11:47 AM
To:	Glen Zorn; Stephane Beaulieu; Paul Hoffman / VPNC;
vpnc-technical@vpnc.org
Cc:	ipsec; ipsra
Subject:	RE: Getting the features chart going

> The alternatives to XAUTH/ISAKMP-config of which I'm aware 
> are documented in
> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-isakmp-hy
> brid-auth-02.t
> xt and 

Again, Hybrid uses XAUTH (and implicitly ISAKMP-Config)to accomplish legacy
authentication.  It also modifies the behavior of IKE, thus making IKE more
complex.

> http://www.ietf.org/internet-drafts/draft-ietf-ipsec-dhcp-01.txt;

This is a good alternative to ISAKMP-Config.  I have a few reservations
about creating specialty phase2 tunnels to configuration servers though.
However, it does solve the same problem as ISAKMP-Config in a pretty simple,
straightforward way and we can surely discuss the pro's and con's of both
drafts in order to attempt to arrive at a standard.

> there may be others.  The major benefits of L2TP over hacking 
> IKE are pretty
> obvious, I think, but include _real_ interoperability, the use of
> well-understood protocols for both authentication and remote node
> configuration.  A more interesting question is why anyone 
> would favor the
> invention of novel extensions to a protocol that is already 
> far too complex
> over the use of widely-deployed, proven techniques.  I understand that
> firewall vendors have generally not implemented PPP, but 
> building a basic,
> interoperable implementation of either PPP or L2TP is simple 
> enough to be a
> college CS project.

IMHO, the introduction of ISAKMP-Config into IKE is **FAR** more simple than
implementing L2TP.