Re: L2TP is ipsra solution (?)

On Fri, 23 Jun 2000, CHINNA N.R. PELLACURU wrote:

> On Fri, 23 Jun 2000, Hugo Krawczyk wrote:
> 
> > 
> > On Thu, 22 Jun 2000, CHINNA N.R. PELLACURU wrote:
> > 
> > > Since I did not get much response to my questions requiring clarifications
> > > of ipsra requirements, I take the liberty to guess them, based on the fact
> > > that PIC was acceptable to the requirements.
> > > 
> > > If PIC was acceptable to the ipsra requirements, then I believe L2TP/IPSec
> > > meets those requirements too, and in fact I believe L2TP/IPSec is a better
> > > way of meeting those requirements than PIC.
> > 
> > My understanding is the following:
> > 
> > From the charter and discussions in the list there seem to be
> > two ipsra requirements that most people agree with:
> > 
> > 1. Do not change IKE
> > 2. Solutions based on legacy-user-authentication-ONLY MUST be provided.
> 
> Thank you for clarifying them. I wasn't fortunate enough to get any
> clarifications for my questions.


Sorry, I have the feeling that you are not listening.
The clarifications are there, you just DON'T WANT to get them.

Most answers to the issues you raise are included in previous messages
sent to the list and in the one I sent a few minutes ago.

As for the comparison between the strength of authentication provided by L2TP
vs. PIC, I prefer to leave any detailed explanations (if still required)
to after we agree on the basic requirements discussed in my previous note.
In any case, for the record, let me say that the comparative analysis you
made is wrong. There is no such authentication-strength advantage to the
L2TP solution.

But I do agree with you (and I said that myself) that the getcert/PIC
solutions have a performance cost, especially regarding the number
of authentication messages exchanged before an IPsec SA is established.
This cost comes from two properties that people like:
(1) do not change IKE 
and 
(2) provide a clean deployment path towards user-certs. 

It is up to the WG to decide on the trade-offs...

Hugo