Re: Secure legacy authentication for IKEv2
Fair enough. I strongly support (d), BTW. I think it's essential to
see an SLA defined, but it should not be made mandatory to implement.
I can see arguments both for and against having SLA be in a separate
document. Whether (a) occurs is not as important to me as making sure
that (b) and (c) happen and happen soon.
Derrell
On Friday, December 20, 2002, at 06:02 PM, Hugo Krawczyk wrote:
> Just to illustrate the problems of making SLA part of IKEv2 let me
> point out an argument against using EAP in the context of SLA that was
> given in a previous message. It was claimed that adding EAP to SLA would
> require all implementations of IKE to implement EAP. But then why
> should ALL implementations of IKE be required to implement all the
> remote-access and legacy-authentication payloads and the special
> authentication mode??
> If, in contrast, SLA implementation would be required only for
> those providing remote user access, then implementing EAP would be
> a natural thing to require given that EAP is today's most general
> IETF-standardized mechanism for transporting user (and legacy)
> authentication information.
>
> Bottom line: I suggest to
> (a) separate SLA to another document;
> (b) develop IKEv2 and SLA at the same time (i.e. now);
> (c) advance the separate documents for standardization concurrently;
> (d) do NOT make SLA a mandatory mode of IKEv2.