
Configuration of mobile users



-----BEGIN PGP SIGNED MESSAGE-----


  I've just re-read draft-ietf-ipsec-dhcp-01.txt and
draft-ietf-ipsec-isakmp-mode-cfg-04.txt. 

  To compare/contrast, I think the major advantage of isakmp-mode-cfg
is that one doesn't burn entropy from the DH making an IPsec SA that
is only used for three or four packets. Secondly, it isn't clear that
all "VPN" SAs will necessarily have selectors that permit the DHCP
traffic. 

  The major advantage of ipsec-dhcp is that it reuses existing
protocol definitions, infrastructure, and DHCP has a clear mechanism
for extensions. 

  I would like to suggest a compromise/hybrid solution: let's define a
payload/exchange type which carries DHCP payloads within ISAKMP.

  This has all the advantages of isakmp-mode-cfg: 
	1. no separate SA
	2. the ISAKMP learns about the parameters directly
	
  The speaker on Monday from Microsoft (Bernard I think) expressed the
belief that many of the PPP configuration options should have been
done via a DHCP Inform. I'm not qualified to agree or disagree with
this statement, but if true, would tend to support using DHCP.

  In addition, DHCP leases need to be renewed periodically. This
provides a *NATURAL* keep alive message for road warriors. Further,
DHCP says specific things about what a host is supposed to do as it
shuts down wrt sending out DHCP releases.

]  Why doesn't my notebook fit on the food tray on this flight? |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [



  
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQBVAwUBNvCGiB4XQavxnHg9AQGjvAH8C/6rjsvSkQH0OTg+mxdaZVF4VgH5K9ET
uOlHer65T3X4tHcr29wm5fMgwCzrYGB89zlXT1Ni79PV9AvVvCJnGA==
=nWG8
-----END PGP SIGNATURE-----
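As an added example (not part of the post or of the drafts it cites), here is a minimal DHCP message builder and parser in Python that shows the pieces the post leans on: the RFC 2132 option TLV mechanism that makes DHCP easy to extend, the DHCPINFORM message type, and the lease/T1/T2 timers whose periodic renewals double as a keep-alive. The IP address, MAC address and transaction id are constructed sample values, and `client_silent` is a hypothetical check of my own rather than anything specified in the drafts.

```python
"""Minimal DHCP encoder/parser: RFC 2131 fixed header plus RFC 2132 options.

Shows the option TLV extension mechanism, the DHCPINFORM message type and the
lease/T1/T2 timers. All addresses, MACs and XIDs below are constructed samples.
"""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # 99.130.83.99 marks the start of options
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op, htype, hlen, hops, xid, secs, flags,
HEADER_LEN = struct.calcsize(HEADER_FMT)    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file

OPT_PAD, OPT_END = 0, 255
OPT_SUBNET, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_T1, OPT_T2 = 1, 51, 53, 55, 58, 59
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def encode_options(options):
    """options: list of (code, value_bytes); returns TLV bytes terminated by END."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < 255:
            raise ValueError("PAD and END are single octets, not TLVs")
        if len(value) > 255:
            raise ValueError("option value too long for a one-octet length")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def build_dhcp(op, xid, chaddr, ciaddr, options):
    """Build a DHCP message for Ethernet (htype 1, hlen 6) with the given options."""
    zero4 = b"\0" * 4
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0, ciaddr,
                         zero4, zero4, zero4, chaddr.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + encode_options(options)


def parse_dhcp(packet):
    """Parse header and options; rejects truncated or unterminated option lists."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
     siaddr, giaddr, chaddr, sname, file) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    options = {}
    i = HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value   # last occurrence wins; RFC 3396 concatenation not handled
        i += 2 + length
    else:
        raise ValueError("option list not terminated by END")
    msg_type = options.get(OPT_MSG_TYPE, b"")
    return {
        "op": op, "xid": xid,
        "ciaddr": ".".join(str(b) for b in ciaddr),
        "yiaddr": ".".join(str(b) for b in yiaddr),
        "chaddr": chaddr[:hlen].hex(":"),
        "type": MSG_TYPES.get(msg_type[0] if len(msg_type) == 1 else None),
        "options": options,
    }


def lease_timers(options):
    """Return (lease, T1, T2) in seconds, or None if no lease was granted.
    RFC 2131 4.4.5 defaults: T1 = 0.5 * lease, T2 = 0.875 * lease."""
    if OPT_LEASE_TIME not in options:
        return None
    lease = struct.unpack("!I", options[OPT_LEASE_TIME])[0]
    t1 = struct.unpack("!I", options[OPT_T1])[0] if OPT_T1 in options else lease // 2
    t2 = struct.unpack("!I", options[OPT_T2])[0] if OPT_T2 in options else int(lease * 0.875)
    return lease, t1, t2


def client_silent(last_renewal, now, lease):
    """Hypothetical keep-alive check: a client that has not renewed within its
    lease is presumed gone, so the gateway may reclaim its state."""
    return now - last_renewal > lease


# Constructed sample traffic: a client at 10.0.0.5 (MAC 00:11:22:33:44:55)
# sends DHCPINFORM for configuration only (no lease involved), and separately
# receives a DHCPACK to a renewal REQUEST carrying a one-hour lease.
SAMPLE_XID = 0x3903F326
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_IP = bytes([10, 0, 0, 5])

INFORM = build_dhcp(BOOTREQUEST, SAMPLE_XID, SAMPLE_MAC, SAMPLE_IP, [
    (OPT_MSG_TYPE, bytes([8])),
    (OPT_PARAM_REQ, bytes([1, 3, 6])),      # subnet mask, router, DNS servers
])
ACK = build_dhcp(BOOTREPLY, SAMPLE_XID, SAMPLE_MAC, SAMPLE_IP, [
    (OPT_MSG_TYPE, bytes([5])),
    (OPT_LEASE_TIME, struct.pack("!I", 3600)),
    (OPT_SUBNET, bytes([255, 255, 255, 0])),
])

if __name__ == "__main__":
    print(parse_dhcp(INFORM)["type"], parse_dhcp(ACK)["type"],
          lease_timers(parse_dhcp(ACK)["options"]))
```

The parser deliberately fails closed on a truncated option value or a missing END octet; a gateway that accepted such messages from an unauthenticated peer would be trusting whatever lay past the end of the buffer.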

