Re: Modefg considered harmful
>>>>> "Scott" == Scott G Kelly <scott@bstormnetworks.com> writes:
Scott> Hi Michael,
Scott> Michael Richardson wrote:
Scott> <trimmed...>
>> The only reason to carry the DHCP over the IPsec SA is because you've
>> figured out a way to *reuse* an existing DHCP client implementation. I want
>> to hear from multiple people who implemented this that they were actually
>> able to preserve the DHCP client code.
Scott> Or (perhaps more importantly), you've figured out a way to reuse the
Scott> existing DHCP *infrastructure*. Modifications of some sort must be made
Scott> at the client end either way, whether you transport things over IKE or
Scott> over IP/IPsec. You either have to have some concept of virtual interface
Well, if we agree on this, then we should avoid having to change both IKE
and IPsec.
Scott> which is bound to the tunnel via routing mechanics, or you have to come
Scott> up with some other sort of mechanism. Arguably, running DHCP over IKE
Scott> requires more hacking than running it over IPsec.
No, it requires that you change both IPsec (to introduce these changeable
selectors, or to make it have a virtual interface, or to permit a 0/0<->0/0
tunnel) and IKE. Remember that you have to do this at the gateway as well.
I can see implementing DHCP-over-IKE, or modecfg without any changes to IPsec.
Scott> And running DHCP over IPsec allows us to minimize the interaction with
Scott> IPsec and IKE.
I don't see how this follows. It is only true if you have an existing
virtual interface, which already pretends to be an ethernet, and already runs
a DHCP client. I.e., you are a bump-in-the-stack-of-Windows.
>> I do not see how carrying this info over an IPsec SA is at all workable for
>> implementations that have IPsec in the stack. In the case of the KAME
>> implementation, for instance, there isn't even a virtual interface on which
>> you could run the dhclient.
Scott> I don't see the relevance - seems like if this is the case, it is the
Scott> consequence of a KAME implementation decision.
RFC2401 does not require virtual interfaces. DHCP-over-IPsec-SA requires them.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [