
Re: IPsec VPNs incl. modecfg vs. DHCP



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "BSingh" == BSingh  <BSingh@Nomadix.com> writes:
    BSingh> - This particular debate of Modecfg vs. DHCP relates only to
    BSingh> remote access scenarios or does it extend to address management
    BSingh> for site-to-site VPNs. I would distinguish the 2 using the

  I'd like to restrict the scope to remote access.

    BSingh> - Is it also possible that in a site-to-site VPN the address
    BSingh> allocation is handled by only one of the private networks
    BSingh> (subnets), i.e., DHCP is tunneled over to this network from all
    BSingh> other private networks and responses tunneled back? Is it a

  Certainly possible. No new technology needed, just deploy a DHCP relay 
agent on the remote subnet. It doesn't even need to know that there is a VPN.

    BSingh> - Typical IPsec implementations. Most of them are bump in the
    BSingh> stack (software ones).. Am I correct? Does it mean that IP

  No.
  Most non-Microsoft Windows ones have no choice but to be.
  Few dedicated gateway boxes are.

  Solaris, KAME (*BSD), OpenBSD, Microsoft, and Linux 2.5 IPsec are certainly
built in. FreeS/WAN is ... strange. It is BITS on 2.0 kernels, kinda not on
2.2, and only so on 2.4 due to hysterical raisins. 

    BSingh> routing is the only way to direct traffic into the right tunnels? 
    BSingh> i.e. destination address based.  Are there any implementations

  It may well be that some non-BITS can only deal with destination address
issues, but I haven't seen any.
  Often, for BITS it is the case that the destination address trick only
directs the traffic into the IPsec machinery, at which more complicated
decisions can be made in accordance with RFC2401.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPkQw5YqHRg3pndX9AQHRbAP/Z7gL4F/59Q4PJcYkwyRlmDQzWsntjUW9
e5wbpz/AHaeCgb4Srrl8qhDbTX94kpZ1aqGTgH58XqT09vCBOEJLA4vsjwbj5pyR
PbhNZOINPpizEReyJi5K1OUa+05XaXlJhUITiQ+d1XZ/1X2zO2oCzWak0S5ryYL4
+BeeKl1pIwM=
=QHtK
-----END PGP SIGNATURE-----
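The last point in the reply, that a destination-address "trick" only hands traffic to the IPsec layer and the real decision is then made against an RFC 2401 Security Policy Database, is easier to see in code. The following is an added example, not part of the mailing-list message: it models the two stages with a constructed policy (the prefixes, the `sa-finance`/`sa-general` labels and the port rules are all made up for illustration). Stage one is a destination-only route or BITS hook; stage two is an ordered SPD whose selectors also look at source address, protocol and port, and whose fall-through is discard, as RFC 2401 requires.

```python
"""Destination-based diversion followed by RFC 2401 SPD selection.

Added example with a constructed policy; it is not code from the post
or from any of the IPsec implementations it mentions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# The three actions an SPD entry may specify (RFC 2401, section 4.4.1).
DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # destination port, None for portless protocols


@dataclass(frozen=True)
class SPDEntry:
    """One ordered SPD entry; None in a selector field means 'any'."""
    src_net: str
    dst_net: str
    proto: Optional[str]
    dport: Optional[int]
    action: str
    tunnel: Optional[str] = None  # SA/tunnel label used when action is PROTECT

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Stage 1: destination-only diversion, as a host route or a BITS shim does.
# Constructed: everything towards 10.0.0.0/8 is handed to the IPsec layer.
IPSEC_ROUTES = [ip_network("10.0.0.0/8")]


def diverted_to_ipsec(pkt: Packet) -> bool:
    """Return True when the destination alone sends the packet into IPsec."""
    return any(ip_address(pkt.dst) in net for net in IPSEC_ROUTES)


# Stage 2: the ordered SPD consulted inside the IPsec layer (constructed).
# First match wins, so more specific or restrictive entries come first.
SPD = [
    # Telnet into the corporate network is refused even though it is routable.
    SPDEntry("0.0.0.0/0", "10.0.0.0/8", "tcp", 23, DISCARD),
    # A lab subnet that is reachable in the clear despite being inside 10/8.
    SPDEntry("0.0.0.0/0", "10.255.255.0/24", None, None, BYPASS),
    # The finance subnet rides its own SA; everything else the general one.
    SPDEntry("0.0.0.0/0", "10.1.0.0/16", None, None, PROTECT, "sa-finance"),
    SPDEntry("0.0.0.0/0", "10.0.0.0/8", None, None, PROTECT, "sa-general"),
]


def outbound_decision(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Combine both stages: (action, tunnel) for an outbound packet."""
    if not diverted_to_ipsec(pkt):
        return ("PLAIN", None)          # never reached the IPsec machinery
    for entry in SPD:
        if entry.matches(pkt):
            return (entry.action, entry.tunnel)
    return (DISCARD, None)              # RFC 2401: no SPD match means discard


if __name__ == "__main__":
    for p in (Packet("192.168.1.5", "8.8.8.8", "udp", 53),
              Packet("192.168.1.5", "10.1.2.3", "tcp", 23),
              Packet("192.168.1.5", "10.1.2.3", "tcp", 443),
              Packet("192.168.1.5", "10.2.0.9", "tcp", 443),
              Packet("192.168.1.5", "10.255.255.7", "icmp")):
        print(p.dst, p.proto, p.dport, "->", outbound_decision(p))
```

The point of the two stages is that the routing table can only say "this goes to IPsec"; it cannot refuse telnet while allowing HTTPS to the same host, or pick a different SA for one subnet, because it never sees protocol or port. The SPD does both.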