
RE: Modefg considered harmful

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Cheryl Madson
> Sent: Thursday, January 30, 2003 8:32 PM
> To: Michael Richardson
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Modefg considered harmful
>
>
> At 05:00 PM 1/30/2003, Michael Richardson wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >
> >
> > >>>>> "Bernard" == Bernard Aboba <aboba@internaut.com> writes:
> >     Bernard> OK, I'll speak up.
> >
> >     Bernard> One of the major requirements for IPSRA in choosing DHCP-based
> >     Bernard> configuration was so that we could move towards a single
> >     Bernard> configuration model for both real and virtual interfaces -- and
> >
> >   Bernard, I support your reasoning for using DHCP.
> >   (I'd rather that we used DHCPv6 rather than RS/RA. Since DHCP is a lot
> >easier to secure and extend than RS/RA. But that is a different argument)
> >
> >   I still do not understand why creating an ephemeral IPsec SA to carry the
> >DHCP traffic makes sense. I don't see that it is any easier for
> >bump-in-the-stack implementations, nor do I see it easier for in-stack
> >implementations.
>
> I've always contended that for IKEv1 that *both* modecfg and DHCP
> had the same underlying issue -- an introduction of a "special" state
> into the protocol processing (either somewhat explicitly via "phase 1.5"
> or implicitly via the "special phase 2 which if it happens has to happen
> before any other phase 2").

In IKEv2 there is no phase 1.5: either the CP is there and an address is
being requested, or it is not.

>
> In other words, I have always hated both proposals, basically as it
> assumed that via some <unspecified> miracle both sides would
> correctly figure out that this special phase had to happen and not
> jump ahead in the state machine.
>
> IMO we can do better with IKEv2. I don't have much opinion one way
> or the other about encoding, but we need to explicitly spell it out in
> any state machine. I don't care in terms of encoding one way or the
> other, but this lack of determinism has to be addressed.
>
> thx - C
>
>
> >]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> >]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> >] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> >] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
>
>
> ====================================
> Cheryl Madson
> Core IP Engineering; Security and Services
> Cisco Systems, Inc.
> cmadson@cisco.com
>