
Re: Tunnel Set-up requirements: Issue to be resolved



> IMHO a protocol doing this MUST not rely on an external mechanism.

But later you say that referring to a website for registration is ok.
Perhaps we mean different things by "external mechanism".

I think it is fine to have the tunnel set-up return a
"please register at www.example.com/register" as you suggest,
and that is what I call "external".

So I suspect we agree on this point.

I don't know if the "direct" is that useful. You effectively end
up carrying a subset of html when you do this; it is simpler just
to refer to a URL.
(And there might be non-technical reasons for an ISP wanting a URL for
registration; they can have banner ads for their ADSL service etc.)

One question:
For the [registered user, aka one with an account] you are describing
something that looks like a full authentication exchange, which opens
up the door to questions like "are we encapsulating EAP over the tunnel
setup protocol? or SASL?".

Do you see this strong authentication as a requirement?
Or do you think it is sufficient to have the registration result in
some "key/tag" where presenting that key/tag in the clear in the tunnel setup
protocol is sufficient?

   Erik