
Re: Modefg considered harmful



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Scott" == Scott G Kelly <scott@bstormnetworks.com> writes:
    Scott> Hi Michael,

    Scott> Michael Richardson wrote:
    Scott> <trimmed...> 
    >> -----BEGIN PGP SIGNED MESSAGE-----
    >> 
    >> The only reason to carry the DHCP over the IPsec SA is because you've
    >> figured out a way to *reuse* an existing DHCP client implementation.  I want
    >> to hear from multiple people who implemented this that they were actually
    >> able to preserve the DHCP client code.

    Scott> Or (perhaps more importantly), you've figured out a way to reuse the
    Scott> existing DHCP *infrastructure*. Modifications of some sort must be made
    Scott> at the client end either way, whether you transport things over IKE or
    Scott> over IP/IPsec. You either have to have some concept of virtual interface

  Well, if we agree on this, then we should avoid having to change both IKE
and IPsec.

    Scott> which is bound to the tunnel via routing mechanics, or you have to come
    Scott> up with some other sort of mechanism. Arguably, running dhcp over ike
    Scott> requires more hacking than running it over IPsec.

  No, it requires that you change both IPsec (to introduce these changeable
selectors, or to make it have a virtual interface, or to permit a 0/0<->0/0
tunnel) and IKE. Remember that you have to do this at the gateway as well.

  I can see implementing DHCP-over-IKE, or modecfg without any changes to IPsec.

    Scott> And running DHCP over IPsec allows us to minimize the interaction with
    Scott> IPsec and IKE.

  I don't see how this follows. It only is true if you have an existing
virtual interface, which already pretends to be an ethernet, and already runs
a dhcp client. I.e. you are a bump-in-the-stack-of-windows.

    >> I do not see how carrying this info over an IPsec SA is at all workable for
    >> implementations that have IPsec in the stack. In the case of the KAME
    >> implementation, for instance, there isn't even a virtual interface on which
    >> you could run the dhclient on.

    Scott> I don't see the relevance - seems like if this is the case, it is the
    Scott> consequence of a kame implementation decision.

  RFC2401 does not require virtual interfaces. DHCP-over-IPsec-SA requires them.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPjq/TIqHRg3pndX9AQFWFAQA5D/bHRjVH8fNvZ7sedXFiqgcm//0iX6i
e0Cw4uzbzcLtaM7YzALV/vHerKkJPDg2534KdmV+igFdF1/Wm2HD4eeNX0Tsqbz4
x0QlmqcALtrfNmxE6mP1bNs4905ma3QL4vAUJ8D2q7YVYDaD1P9qR0XisEoZecV5
k4a8I/VsTZ8=
=q/lI
-----END PGP SIGNATURE-----
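The selector argument in the message above, as an added example that is not part of the original thread or any implementation: a small model of RFC 2401 SPD lookup showing why a DHCP exchange cannot pass through a tunnel whose inner selectors are pinned before the client has an address, and what the two workarounds the message names (a 0/0<->0/0 tunnel, or selectors that change after the lease) look like in selector terms. The addresses, the corporate prefix and the function names are constructed for illustration.

```python
"""Model of RFC 2401 SPD selector matching for the DHCP-over-IPsec-SA question.

Added example: none of this is code from the thread or from KAME/any stack.
Addresses and policies are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

UDP = 17
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class SPDEntry:
    """One RFC 2401 SPD entry: traffic selectors plus an action."""
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None   # None = any protocol
    sport: Optional[int] = None   # None = any port
    dport: Optional[int] = None
    action: str = "PROTECT"       # PROTECT / BYPASS / DISCARD

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and self.proto in (None, pkt.proto)
                and self.sport in (None, pkt.sport)
                and self.dport in (None, pkt.dport))


def classify(spd, pkt: Packet) -> str:
    """First-match SPD lookup; a packet matching no entry is discarded,
    which is the RFC 2401 default for unmatched traffic."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return "DISCARD"


def fixed_spd(client_addr: str, corp_net: IPv4Network):
    """Ordinary tunnel: inner selectors pinned to an already-known client address."""
    return [SPDEntry(ip_network(client_addr), corp_net)]


def wildcard_spd():
    """The 0/0<->0/0 tunnel the message mentions: every packet goes into the SA."""
    return [SPDEntry(ANY, ANY)]


def learned_spd(corp_net: IPv4Network, lease: Optional[str] = None):
    """'Changeable selectors': before a lease only the DHCP exchange is allowed
    into the SA; once the lease is known a pinned entry is installed at runtime.
    The same change has to happen on the gateway side."""
    spd = [SPDEntry(ip_network("0.0.0.0/32"), ip_network("255.255.255.255/32"),
                    UDP, 68, 67)]
    if lease:
        spd.append(SPDEntry(ip_network(lease), corp_net))
    return spd


def demo() -> dict:
    """Run the three policies against a DHCPDISCOVER and ordinary post-lease traffic."""
    corp = ip_network("10.0.0.0/8")            # constructed corporate prefix
    lease = "10.1.2.3"                         # constructed leased address
    # DHCPDISCOVER as the client must send it before it has an address.
    discover = Packet(ip_address("0.0.0.0"), ip_address("255.255.255.255"), UDP, 68, 67)
    # Ordinary traffic after the lease (a DNS query into the corporate net).
    work = Packet(ip_address(lease), ip_address("10.0.5.5"), UDP, 40000, 53)
    return {
        "fixed/discover": classify(fixed_spd(lease, corp), discover),
        "fixed/work": classify(fixed_spd(lease, corp), work),
        "wildcard/discover": classify(wildcard_spd(), discover),
        "learned/discover": classify(learned_spd(corp), discover),
        "learned/work-before-lease": classify(learned_spd(corp), work),
        "learned/work-after-lease": classify(learned_spd(corp, lease), work),
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case:28s} {action}")
```

The pinned policy discards the DISCOVER (source 0.0.0.0 is not inside the client's /32), so DHCP-over-the-SA only works if the SPD either admits everything (the 0/0<->0/0 entry, which also pulls all of the host's other traffic into the tunnel) or is rewritten after the lease arrives, on the gateway as well as the client; neither is something a plain RFC 2401 SPD does on its own, which is the sense in which the message says IPsec itself has to change.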