Subject: Re: Changes (fixes!) to racoon GSS API authentication
To: Jason Thorpe <thorpej@shagadelic.org>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-net
Date: 11/08/2004 18:53:11
In message <48A28DAA-31BC-11D9-ACC4-000A957650EC@shagadelic.org>,
Jason Thorpe writes:

[...]
>Heh, RFC :-)  At this point, the GSS-API-for-IKE spec is an *expired* 
>Internet Draft.
>
>I haven't had a chance to keep up with the ipsec-wg much lately, but I 
>don't know how much interest they even have in IKE anymore.

Very active. I understand IKEv2 and related documents are either in
the RFC editor's queue; or awaiting, or very near, last-call [so the
inter-RFC references in all the new IKEv2-related RFCs all correctly
cite the new RFCs at time of issue.]

OTOH, IMO, the WG participants are often decidedly VPN-centric and
security-gateway/tunnel-mode oriented, whereas my usage of (and
interests in) IPsec are oriented to trust domains much, much smaller
than an entire organization or campus; and thus toward transport-mode
IPsec. YMMV. I also acknowledge the dominant view reflects the current
marketplace.

(Just for myself, I find that gssapi/KRB5-auth IPsec works
wonderfully, for transport-mode IPsec, in the deployments I'm most
interested in, provided there's already a KRB5 KDC or enterprise-wide
Microsoft domain to piggyback off. The latter does require MS
domain-join code. It's no accident we have the necessary krb5-lib
extensions present in the NetBSD 2.0 branch.)