
Configuration of mobile users


  I've just re-read draft-ietf-ipsec-dhcp-01.txt and

  To compare/contrast, I think the major advantage of isakmp-mode-cfg
is that one doesn't burn entropy from the DH making an IPsec SA that
is only used for three or four packets. Secondly, it isn't clear that
all "VPN" SAs will necessarily have selectors that permit the DHCP

  The major advantage of ipsec-dhcp is that it reuses existing
protocol definitions, infrastructure, and DHCP has a clear mechanism
for extensions. 

  I would like to suggest a compromise/hybrid solution: let's define a
payload/exchange type which carries DHCP payloads within ISAKMP.

  This has all the advantages of isakmp-mode-cfg: 
	1. no separate SA
	2. the ISAKMP learns about the parameters directly
  The speaker on Monday from Microsoft (Bernard I think) expressed the
belief that many of the PPP configuration options should have been
done via a DHCP Inform. I'm not qualified to agree or disagree with
this statement, but if true, would tend to support using DHCP.

  In addition, DHCP leases need to be renewed periodically. This
provides a *NATURAL* keep alive message for road warriors. Further,
DHCP says specific things about what a host is supposed to do as it
shuts down wrt sending out DHCP releases.

]  Why doesn't my notebook fit on the food tray on this flight? |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
