
FW: Configuration of mobile users


-----Original Message-----
From: Ricky Charlet
Sent: Monday, March 22, 1999 10:06 AM
To: 'Michael Richardson'
Subject: RE: Configuration of mobile users


Howdy

> -----Original Message-----
> From: Michael Richardson [mailto:mcr@sandelman.ottawa.on.ca]
> Sent: Wednesday, March 17, 1999 8:52 PM
> To: ipsec@tislabs.com
> Cc: ietf-ipsra@vpnc.org
> Subject: Configuration of mobile users
>
>
>   I would like to suggest a compromise/hybrid solution: let's define a
> payload/exchange type which carries DHCP payloads within ISAKMP.
>
>   This has all the advantages of isakmp-mode-cfg:
>         1. no separate SA
>         2. the ISAKMP learns about the parameters directly
>        
>

        To me, this hybrid seems like the worst-of-both-worlds solution. We don't get to leave the ISAKMP/IKE state machine alone AND we don't get non-IP protocol support.

        Let me put up my thoughts on how these two proposals would work out. There probably are gaps and/or flaws in my thinking, and I am sure people on this list can uncover them.


        The ISAKMP-config / ISAKMP-Xauth solution requires a new 'phase 1.5' exchange and lets you carry just about any info you want down that protected exchange. In our case we are discussing putting bootstrapping IP configuration information AND/OR proxied external authentication systems' challenge/responses into that 'phase 1.5' exchange. Note that the bootstrapping IP config info could just as easily have been IPX info or AppleTalk info or ....  By the time you get around to building your phase 2 SA, you have loaded bootstrapping config onto the client AND you have authenticated / authorized the client with a mechanism of your choice.

        The DHCP draft implies that anyone from 0.0.0.0 to 255.255.255.255 be allowed to build a phase 2 SA to your authentication server; it is assumed that this SA will be VERY short lived (one to four minutes?). The client is only connected to an authentication/authorization server long enough to get some credentials. Then the client builds a new phase 2 SA to whatever resource the credentials allow. Note that this solution requires no new 'phase 1.5' exchange definitions, but it is only ever going to work with IP due to its reliance on DHCP.



###################################
#  Ricky Charlet
#   rcharlet@RedCreek.com
#  (510) 795-6903
###################################
end Howdy; 

 

Ricky
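The DHCP-style flow described in the message above (a wildcard-source phase 2 SA to the address server, short lived, followed by a second phase 2 SA to the real resource) hinges on one enforcement point: the gateway must confine the bootstrap SA to the DHCP server and must pin the second SA's inner source to the address that was actually leased. The following Python model is an added illustration written for this page; it is not code from the thread, the DHCP draft, or any IPsec implementation. The addresses, the UDP/67 destination port, the 120-second bootstrap lifetime, and the policy of pinning the second SA to the leased /32 are all assumptions made for the example; a real responder would key the second SA to its IKE identity and delete the bootstrap SA once the lease is recorded.

```python
"""Toy model of a gateway enforcing the two-stage phase 2 SA policy implied by
DHCP-over-IPsec bootstrapping.  Added example; all addresses and lifetimes
are constructed for illustration and are not from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

ANY_V4 = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Selector:
    """Traffic selector of a phase 2 SA: inner src range, dst range, optional dst port."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None means any port

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (
            ipaddress.IPv4Address(src_ip) in self.src
            and ipaddress.IPv4Address(dst_ip) in self.dst
            and (self.dst_port is None or self.dst_port == dst_port)
        )


@dataclass
class PhaseTwoSA:
    spi: int
    selector: Selector
    created: float   # seconds on the gateway's clock
    lifetime: float  # seconds

    def expired(self, now: float) -> bool:
        return now - self.created >= self.lifetime


class Gateway:
    """Responder side of the bootstrap: assumed policy, not any real implementation."""

    def __init__(self, dhcp_server: str, bootstrap_lifetime: float = 120.0):
        self.dhcp_server = ipaddress.IPv4Network(dhcp_server + "/32")
        self.bootstrap_lifetime = bootstrap_lifetime
        self.sas: Dict[int, PhaseTwoSA] = {}
        self.leases: Dict[int, ipaddress.IPv4Address] = {}  # bootstrap SPI -> leased inner address
        self._next_spi = 0x1000

    def _alloc(self, selector: Selector, now: float, lifetime: float) -> int:
        spi = self._next_spi
        self._next_spi += 1
        self.sas[spi] = PhaseTwoSA(spi, selector, now, lifetime)
        return spi

    def negotiate_bootstrap_sa(self, now: float) -> int:
        # Any inner source is accepted, but only towards the DHCP server on UDP 67
        # and only for the short bootstrap lifetime.
        return self._alloc(Selector(ANY_V4, self.dhcp_server, 67), now, self.bootstrap_lifetime)

    def dhcp_lease(self, bootstrap_spi: int, assigned: str, now: float) -> bool:
        """Record the address the DHCP server handed out over a live bootstrap SA."""
        sa = self.sas.get(bootstrap_spi)
        if sa is None or sa.expired(now) or sa.selector.src != ANY_V4:
            return False
        self.leases[bootstrap_spi] = ipaddress.IPv4Address(assigned)
        return True

    def negotiate_client_sa(self, bootstrap_spi: int, resource: str, now: float,
                            lifetime: float = 3600.0) -> Optional[int]:
        """Second phase 2 SA: inner source pinned to the leased /32, dst the resource."""
        assigned = self.leases.get(bootstrap_spi)
        if assigned is None:
            return None  # no lease obtained over the bootstrap SA: refuse
        sel = Selector(ipaddress.IPv4Network(f"{assigned}/32"),
                       ipaddress.IPv4Network(resource + "/32"))
        return self._alloc(sel, now, lifetime)

    def forward(self, spi: int, src_ip: str, dst_ip: str, dst_port: int, now: float) -> bool:
        """Inbound check: drop if the SA is unknown or expired, or the packet is outside its selector."""
        sa = self.sas.get(spi)
        if sa is None or sa.expired(now):
            self.sas.pop(spi, None)
            return False
        return sa.selector.matches(src_ip, dst_ip, dst_port)


def demo():
    """Walk the flow once; returns (dhcp_ok, lateral_blocked, app_ok, spoof_blocked, stale_blocked)."""
    gw = Gateway("10.0.0.2", bootstrap_lifetime=120)
    boot = gw.negotiate_bootstrap_sa(now=0)
    dhcp_ok = gw.forward(boot, "0.0.0.0", "10.0.0.2", 67, now=1)       # allowed
    lateral = gw.forward(boot, "0.0.0.0", "10.0.0.50", 80, now=1)      # blocked: not the DHCP server
    assert gw.dhcp_lease(boot, "10.0.1.77", now=2)
    client = gw.negotiate_client_sa(boot, "10.0.0.50", now=3)
    app_ok = gw.forward(client, "10.0.1.77", "10.0.0.50", 80, now=4)   # allowed
    spoof = gw.forward(client, "10.0.1.78", "10.0.0.50", 80, now=4)    # blocked: not the leased address
    stale = gw.forward(boot, "0.0.0.0", "10.0.0.2", 67, now=200)       # blocked: bootstrap SA expired
    return dhcp_ok, not lateral, app_ok, not spoof, not stale


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are the ones the message glosses over: the wildcard bootstrap SA must not reach anything but the address server, and a client SA must never be negotiated with a source selector wider than the lease it obtained, otherwise the "anyone" that was admitted for bootstrapping stays "anyone" afterwards.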