
Re: l2tp as ipsra solution



In message <003d01bfd6da$94762ad0$d23e788a@xxxxxxxxxxxxxxxxxxxxxxxxx>, "Andrew 
Krywaniuk" writes:
>> This is absolute nonsense.  How can you say that encouraging people to
>> continue using their obsolete password-based systems is "encouraging"
>> migration to PKI?
>
>Good point. This is a red herring. Any *decent* implementation of a system
>that allows people to continue using password-based authentication via the
>use of temporary certificates WILL HIDE THIS IMPLEMENTATION DETAIL FROM THE
>USER.
>
>How this provides a migration path to PKI is beyond me! Besides, I have
>noticed that any project that exists primarily for the purpose of providing
>a migration path never gets completed. I wonder why.

It's a migration path because the underlying IKE software is completely 
certificate-based.  Users can convert one at a time; the over-the-wire 
IKE and the servers don't have to be touched when you start using 
PKI-based permanent certificates.  Furthermore, once all of your users 
have converted, you can delete the old software and be left with no 
vestigial pieces of code.

By contrast, solutions that involve changes to IKE require specialized 
code and specialized protocols.  This sort of thing will never vanish.


		--Steve Bellovin
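An added illustration of the architecture argued for above, written for this archive and not taken from the thread or from any IKE implementation: the verifier (standing in for the certificate check an IKE gateway performs) only ever sees certificates, the legacy password path merely issues short-lived ones, and the PKI path issues long-lived ones through the same issuer, so nothing on the verifying side changes during migration. The CA key, user record and HMAC-based "signature" are constructed stand-ins for a real CA key pair and X.509 signatures.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed issuer key; a real gateway CA would hold an asymmetric key pair.
CA_KEY = b"example-gateway-ca-key-not-for-real-use"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: username -> (salt, PBKDF2 hash of the password).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USER_DB = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}

TEMP_CERT_LIFETIME = 8 * 3600          # short-lived cert handed out after a password login
PERMANENT_CERT_LIFETIME = 365 * 86400  # long-lived cert issued once the user is on PKI


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_cert(subject: str, lifetime: int, now: int, issuer_key: bytes = CA_KEY) -> dict:
    """Sign a certificate-like record. HMAC stands in for a CA signature here."""
    payload = {"subject": subject, "not_before": now, "not_after": now + lifetime,
               "serial": secrets.token_hex(8)}
    sig = hmac.new(issuer_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_cert(cert: dict, now: int, issuer_key: bytes = CA_KEY) -> bool:
    """The verifier-side check: trusted issuer signature and current validity window.
    It is the same function whether the cert came from the password path or from the PKI."""
    expected = hmac.new(issuer_key, _canonical(cert["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False
    p = cert["payload"]
    return p["not_before"] <= now < p["not_after"]


def password_login(username: str, password: str, now: int) -> Optional[dict]:
    """Legacy path: verify the password, then hand the user a temporary certificate."""
    entry = USER_DB.get(username)
    if entry is None:
        return None
    salt, stored = entry
    if not hmac.compare_digest(stored, _pbkdf2(password, salt)):
        return None
    return issue_cert(username, TEMP_CERT_LIFETIME, now)


def pki_enroll(username: str, now: int) -> dict:
    """Migrated path: the PKI issues a permanent certificate; the verifier is untouched."""
    return issue_cert(username, PERMANENT_CERT_LIFETIME, now)


def demo() -> dict:
    """Run both paths through the one verifier and return the observed outcomes."""
    now = int(time.time())
    temp = password_login("alice", "correct horse battery staple", now)
    perm = pki_enroll("alice", now)
    # A cert whose subject was altered after signing must fail the signature check.
    tampered = {"payload": dict(temp["payload"], subject="mallory"), "sig": temp["sig"]}
    return {
        "bad_password_rejected": password_login("alice", "wrong", now) is None,
        "temp_accepted": verify_cert(temp, now),
        "perm_accepted": verify_cert(perm, now),
        "temp_expired_after_lifetime": not verify_cert(temp, now + TEMP_CERT_LIFETIME),
        "perm_still_valid_then": verify_cert(perm, now + TEMP_CERT_LIFETIME),
        "tampered_rejected": not verify_cert(tampered, now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the layout is that decommissioning the password path means deleting `password_login` and `USER_DB`; `verify_cert` and `pki_enroll` stay exactly as they are, which is the "no vestigial code" property claimed in the reply. The short lifetime on the temporary certificate bounds how long a stolen one is useful.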