
Re: Configuration of mobile users



[ NOTICE!  This list will be hosted at lists.tislabs.com as of March 26.
There is no need to resubscribe, if you are on the list, you will remain
on it.  Just begin sending posts, and any administrative requests to
lists.tislabs.com as of now.  List mail to tis.com will cease to be
delivered as of March 26, 1999.  ]

Michael Richardson wrote:
> [..]
> 
>   To compare/contrast, I think the major advantage of isakmp-mode-cfg
> is that one doesn't burn entropy from the DH making an IPsec SA that
> is only used for three or four packets. Secondly, it isn't clear that
> all "VPN" SAs will necessarily have selectors that permit the DHCP
> traffic.
> 
>   The major advantage of ipsec-dhcp is that it reuses existing
> protocol definitions, infrastructure, and DHCP has a clear mechanism
> for extensions.

I think the definition of existing is questionable here.  For many
implementations, DHCP "existing" is not the case.  The reality would
likely be a complete reimplementation of DHCP for BITS
implementations.  That's just not going to happen when there aren't
really significant benefits from the DHCP proposal over mode-cfg.

>   I would like to suggest a compromise/hybrid solution: let's define a
> payload/exchange type which carries DHCP payloads within ISAKMP.
> 
>   This has all the advantages of isakmp-mode-cfg:
>         1. no separate SA
>         2. the ISAKMP learns about the parameters directly
> 
>   The speaker on Monday from Microsoft (Bernard I think) expressed the
> belief that many of the PPP configuration options should have been
> done via a DHCP Inform. I'm not qualified to agree or disagree with
> this statement, but if true, would tend to support using DHCP.
> 
>   In addition, DHCP leases need to be renewed periodically. This
> provides a *NATURAL* keep alive message for road warriors. Further,
> DHCP says specific things about what a host is supposed to do as it
> shuts down wrt sending out DHCP releases.

I really don't believe what needs to be done is so complex that we
need to drag in other protocols like DHCP.  mode-cfg presents a nice,
coherent method of doing this that can be relatively easily
implemented within the existing IKE implementations that everyone has
now and everyone has access to, and I believe we should focus on that
if there are specific features of the DHCP draft that need to be moved
into mode-cfg *without* moving "DHCP" itself.  Bringing DHCP into the
discussion is ignoring the fact that DHCP might as well not exist for
many implementations.

--

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
Direct  (408)346-5906
Cell/VM (650)533-0399
<pgpfone://cast.cyphers.net>


