
Re: Modefg considered harmful
Hi Michael,

Michael Richardson wrote:
<trimmed...> 
>   The only reason to carry the DHCP over the IPsec SA is because you've
> figured out a way to *reuse* an existing DHCP client implementation.  I want
> to hear from multiple people who implemented this that they were actually
> able to preserve the DHCP client code.

Or (perhaps more importantly), you've figured out a way to reuse the
existing DHCP *infrastructure*. Modifications of some sort must be made
at the client end either way, whether you transport things over IKE or
over IP/IPsec. You either have to have some concept of a virtual interface
which is bound to the tunnel via routing mechanics, or you have to come
up with some other sort of mechanism. Arguably, running DHCP over IKE
requires more hacking than running it over IPsec.

And running DHCP over IPsec allows us to minimize the interaction with
IPsec and IKE.

>   I do not see how carrying this info over an IPsec SA is at all workable for
> implementations that have IPsec in the stack. In the case of the KAME
> implementation, for instance, there isn't even a virtual interface on which
> you could run the dhclient on.

I don't see the relevance; it seems like if this is the case, it is the
consequence of a KAME implementation decision.

>   The kludge, to me, is using an IPsec SA at all for this.
>   I think that the DHCP payload should be encapsulated in IKE.

I guess we disagree on this point.

Scott