Re: Modefg considered harmful
>>>>> "Scott" == Scott G Kelly <scott@bstormnetworks.com> writes:
Scott> Darren Dukes wrote:
>>
>> I think any mature implementations that will be trying to use DHCP for
>> complete configuration of the ipsec client (beyond network addresses, as is
>> possible with modecfg today) will need to implement their own DHCP client
>> and server in order to include their user-specific ipsec-VPN configuration.
>> So what we'll end up with is as follows.
>>
>> OS-DHCP-client(optional) <-> ipsec-DHCP-client <TUNNEL> SGW-DHCP-server
>>
>> Reusing the OS DHCP client (if possible at all) will not give enough
>> flexibility.
Scott> What ipsec-vpn configuration are you referring to? DHCP permits
Scott> configuration of (at least) the following:
No, you are missing the point.
The problem is that you have to filter certain things out and include other things.
Scott> o Subnet mask(s)
Scott> o Broadcast address(es)
Might screw things up.
Scott> o Time offset
Probably wrong; take the one from the real IP, which is likely
geographically correct.
Scott> o Router(s)
Probably wrong.
You may also have to make sure that you take the DNS server from the
tunnel, so you get internal addresses. This needs to *override* the one from
both PPP and the DHCP on the real wire.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
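As an added example that is not part of the original thread, here is what the filtering Michael describes could look like inside an ipsec-DHCP-client: options learned through the tunnel are merged with those from the real wire under a per-option policy (mask, broadcast, time offset and router stay with the wire; DNS from the tunnel overrides). Option codes are RFC 2132's; the policy table, the merge rules and the two sample leases are constructed for illustration.

```python
import struct

# DHCP option codes from RFC 2132
OPT_SUBNET_MASK, OPT_TIME_OFFSET, OPT_ROUTER, OPT_DNS, OPT_BROADCAST, OPT_END = 1, 2, 3, 6, 28, 255

# Per-option source policy (constructed from the points made in the message):
# "wire"   = keep the physical interface's value, never take the tunnel's
# "tunnel" = the tunnel's value overrides the wire (and PPP)
POLICY = {
    OPT_SUBNET_MASK: "wire",  # tunnel's mask would break the real interface
    OPT_BROADCAST: "wire",
    OPT_TIME_OFFSET: "wire",  # the real IP is the geographically correct one
    OPT_ROUTER: "wire",       # tunnel's default router is wrong outside the tunnel
    OPT_DNS: "tunnel",        # internal resolvers must win so internal names resolve
}

def parse_options(blob: bytes) -> dict:
    """Parse a DHCP options field (code, length, value TLVs) into {code: bytes}."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError(f"truncated option at offset {i}")
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def merge(wire: dict, tunnel: dict) -> dict:
    """Apply POLICY; an option unknown to POLICY is treated as wire-only."""
    effective = {}
    for code in sorted(set(wire) | set(tunnel)):
        if POLICY.get(code, "wire") == "tunnel" and code in tunnel:
            effective[code] = tunnel[code]
        elif code in wire:
            effective[code] = wire[code]
        # else: the tunnel offered a wire-only option the wire did not; drop it
    return effective

def ip_list(value: bytes) -> list:
    """Render a run of 4-byte addresses as dotted quads."""
    return [".".join(map(str, value[i:i + 4])) for i in range((0), len(value), 4)]

# Constructed sample leases: 192.0.2.0/24 on the wire, 10.0.0.0/16 inside the tunnel.
WIRE = bytes([1, 4, 255, 255, 255, 0, 2, 4]) + struct.pack("!i", -18000) + \
       bytes([3, 4, 192, 0, 2, 1, 6, 4, 192, 0, 2, 53, 28, 4, 192, 0, 2, 255, 255])
TUNNEL = bytes([1, 4, 255, 255, 0, 0, 2, 4, 0, 0, 0, 0, 3, 4, 10, 0, 0, 1,
                6, 8, 10, 0, 0, 53, 10, 0, 1, 53, 28, 4, 10, 0, 255, 255, 255])

def effective_config() -> dict:
    eff = merge(parse_options(WIRE), parse_options(TUNNEL))
    return {"mask": ip_list(eff[OPT_SUBNET_MASK])[0], "router": ip_list(eff[OPT_ROUTER]),
            "dns": ip_list(eff[OPT_DNS]), "utc_offset": struct.unpack("!i", eff[OPT_TIME_OFFSET])[0]}
```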