
Re: dhcp/modecfg summary



>>>>> "Gregory" == Gregory Lebovitz <Gregory@netscreen.com> writes:
    Gregory> I would strongly vote against modecfg2 encompassing all DHCP
    Gregory> options natively. I.E. we should not create additional modecfg2
    Gregory> attributes to cover all the things that DHCP does. In fact we do
    Gregory> not need to, right? modecfg2 could be the delivery mechanism for
    Gregory> DHCP options from a DHCP service external to the responder.

  That's what I keep saying!!!

  Just take a DHCP payload, encapsulate it in an IKE phase 1 structure,
and send it. That avoids reinventing all the DHCP stuff, but maintains all of
the simplicity of modecfg.

  BITS can even, if they want, just take the DHCP payload out of the one
that they would normally tunnel through a phase 2 SA. The IKE phase 1 is just
being used as a DHCP relay. At the gateway end, it either becomes a real DHCP
packet to a real DHCP server, or you implement it internally.

    Gregory> We cannot make the above work (Modecfg2 being the conduit for
    Gregory> initial DHCP) with the attributes currently listed in
    Gregory> ikev2-04. We need two more things: the client needs to send
    Gregory> identity for the DHCP server, and we need to explicitly define
    Gregory> the DHCP relay from the responder to DHCP server. Then we can
    Gregory> use existing modecfg2 responses to communicate the IP, DNS,
    Gregory> WINS.

  Yes.

    Gregory> Doesn't that give us the best of both worlds? We get to keep the
    Gregory> ModeCFG formats that most of us already have. And the

  Yes.

  I would be willing to help write this up.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [