
Re: Configuration of mobile users



First, a question: Am I correct in assuming that ietf-ipsra@vpnc.org
is the mailing list for the IP Security Remote Access BOF?  If so,
how does one subscribe, and is there an archive?  Sorry if this info
was posted sooner here, but I missed it (and I wasn't able to make the
meeting in Minneapolis).

>  I would like to suggest a compromise/hybrid solution: let's define a
>payload/exchange type which carries DHCP payloads within ISAKMP.
>
>  This has all the advantages of isakmp-mode-cfg: 
>        1. no separate SA
>        2. the ISAKMP learns about the parameters directly

If DHCP is to be used (and there are certainly advantages to doing so),
then this hybrid makes the most sense to me.  Doing a separate SA has
a lot of other problems besides the overhead, not the least of which
is the selectors/Quick Mode client IDs one would have to allow and use.
(To get the client's initial request to the server, you'd have to allow
tunnel traffic from 0.0.0.0 to 255.255.255.255; then to get the DHCP
server's response back, if you were to stick to the rules, you'd need
*another* SA pair from the DHCP server's address to the client's newly
assigned one.  Not a pretty picture...)

Keep in mind, though, that DHCP is inherently IPv4-only; there are fixed
length four octet fields in the header for IP addresses.  There is a
draft for a DHCP for IPv6, which I haven't looked at in a while, but the
last I knew of it, the message format and even most/all of the protocol
exchanges were radically different from DHCPv4.

>  The speaker on Monday from Microsoft (Bernard I think) expressed the
>belief that many of the PPP configuration options should have been
>done via a DHCP Inform. I'm not qualified to agree or disagree with
>this statement, but if true, would tend to support using DHCP.

At the time PPP was being done, the DHCPINFORM message didn't exist.
That one's a fairly recent invention, which was added when DHCP was
rev'd up to Draft Standard in RFC 2131.  Even if that weren't the case,
DHCP's large header size (236 octets, inherited from BOOTP) wouldn't be
a good thing for a serial line environment, where every byte adds latency.

>  In addition, DHCP leases need to be renewed periodically. This
>provides a *NATURAL* keep alive message for road warriors. Further,
>DHCP says specific things about what a host is supposed to do as it
>shuts down wrt sending out DHCP releases.

Lease times only apply when DHCP is used for address acquisition.  If one
already has an address and goes the DHCPINFORM route, it really won't
make an effective keepalive, at least not from the IPSec gateway server's
perspective.

-Shawn Mamros (who did a lot of DHCP work in a prior lifetime...)
E-mail to: smamros@nortelnetworks.com


------------- End Forwarded Message -------------
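An added example (not part of any message in this thread) in Python that builds and parses the DHCPv4 message format the reply discusses: it makes the 236-octet fixed BOOTP header with its four-octet address fields explicit, and contrasts a DHCPACK that answers a DHCPREQUEST (yiaddr plus a lease time, so renewals follow) with a DHCPACK that answers a DHCPINFORM (no lease time per RFC 2131, so nothing drives periodic traffic). The MAC and IP addresses are constructed sample values.

```python
import socket
import struct

FIXED_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236 octets, inherited from BOOTP
MAGIC_COOKIE = bytes([99, 130, 83, 99])                      # marks the start of DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPREQUEST, DHCPACK, DHCPINFORM = 3, 5, 8                   # option 53 message-type codes
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 51, 53, 255

def build_dhcp(op, xid, chaddr, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Serialise a DHCPv4 message: fixed header, magic cookie, TLV options, end marker.
    options is a list of (code, bytes); chaddr is the client's 6-byte hardware address."""
    header = FIXED_HEADER.pack(op, 1, 6, 0, xid, 0, 0,
                               socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                               b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"),
                               b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])

def parse_dhcp(data):
    """Parse a message back into a dict; options become {code: raw bytes}."""
    f = FIXED_HEADER.unpack_from(data)
    opts, pos = {}, FIXED_HEADER.size + len(MAGIC_COOKIE)
    assert data[FIXED_HEADER.size:pos] == MAGIC_COOKIE, "not a DHCP message"
    while data[pos] != OPT_END:
        if data[pos] == 0:            # pad octet, no length byte
            pos += 1
            continue
        code, length = data[pos], data[pos + 1]
        opts[code] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"op": f[0], "xid": f[4], "ciaddr": socket.inet_ntoa(f[7]),
            "yiaddr": socket.inet_ntoa(f[8]), "options": opts}

def lease_seconds(msg):
    """Lease time (option 51) in seconds, or None when the message carries none."""
    raw = msg["options"].get(OPT_LEASE_TIME)
    return struct.unpack("!I", raw)[0] if raw else None

MAC = bytes.fromhex("0200deadbeef")   # constructed sample client hardware address

# ACK to a DHCPREQUEST: the server assigns yiaddr and a lease, so T1/T2 renewals follow.
ack_request = parse_dhcp(build_dhcp(BOOTREPLY, 0x1234, MAC,
    [(OPT_MSG_TYPE, bytes([DHCPACK])), (OPT_LEASE_TIME, struct.pack("!I", 3600))],
    yiaddr="10.1.2.3"))
# ACK to a DHCPINFORM: the client already holds ciaddr; RFC 2131 section 4.3.5 says the
# server MUST NOT send a lease time, so the client has no renewal timer to drive traffic.
ack_inform = parse_dhcp(build_dhcp(BOOTREPLY, 0x1235, MAC,
    [(OPT_MSG_TYPE, bytes([DHCPACK]))], ciaddr="10.1.2.3"))
print(FIXED_HEADER.size, lease_seconds(ack_request), lease_seconds(ack_inform))
```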