I wrote: "I prefer draft-sathyanarayan-ipsecme-advpn." Paul asked: " because.... ?"
Oh.
I thought that I wasn't supposed to say why I didn't like other proposals :-)
Okay...
I prefer it because:
1) it lives inside IKE.
2) it deals with the question of distribution of authentication
tokens.
3) it requires no new kernel components, which means that it will
run with *just* a modified IKE daemon on many mobile devices.
Yes, you need root on Android and a jailbreak on iOS to run a modified
IKE, but you don't need a new kernel, and all sorts of other
host-specific firmware blobs.
This means that while it might not be end-user-installable, if someone
makes the patches, they can be tested, and pushed easily into AOSP,
and maybe Apple would accept them.
4) it is very specific about what "routing" protocol would be the MTI
("IKE"/RFC4301!), rather than being "well, whatever you like"
5) it permits port-specific policies to be controlled by HQ.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
