RE: Modefg considered harmful
> -----Original Message-----
> From: Bill Sommerfeld [mailto:sommerfeld@east.sun.com]
> Sent: Wednesday, February 05, 2003 12:44 PM
> To: Marcus Leech
> Cc: ipsec@lists.tislabs.com
> Subject: Re: Modefg considered harmful
>
>
> > Me too, but there was this issue of the large installed base of
> > MODECFG-like things in existing implementations. Since I'm not
> > an implementor, I'm in the situation where I have to believe that
> > moving away from a MODECFG-like thing is a hardship.
>
> Except that you probably *already* have a DHCP implementation already!
>
> I believe the correct comparison is the complexity of MODECFG vs the
> "DHCP to IPsec glue" code; the latter is likely to be significantly
> smaller than the former.
>
The comparison probably is not fair. Since most have MODE-CFG in their
implementation, most vendors probably have both MODECFG & DHCP code.
So the comparison is the complexity of adapting MODECFG to IKEv2 vs "DHCP to
IPsec glue" code. The latter is much more complex and harder to get
interoperable.
> > *If* it's acceptable to discount such claimed hardship, then I have to
> > agree with Bernard's assertion that the IPSRA-style DHCP approach is
> > cleaner, more flexible, and in the long-term, less work.
>
> indeed.
>
> - Bill
>
>
=======================
Michael Shieh