
Re: Modefg considered harmful



Van Aken Dirk <VanAkenD@thmulti.com> writes:

> Hi Dereck ;-)

Close, but no cigar.  Try again..

> BTW, after 20 years of BOOTP/DHCP new options are still being defined due to
> the ever changing network environment. Why would this not be the case for
> IKEModeCfg ?

I'm not necessarily arguing for IKEModeCfg.  I'm arguing that IKE
needs to be involved in the configuration process.  I have no qualms
with tunnelling DHCP via IKE.  I.e., the IKE daemon on the road-warrior
has a DHCP client, and the IKE daemon on the gateway has a DHCP server or
relay, and the DHCP messages are forwarded under the protection of the
IKE phase-1.

I'm just saying that you SHOULD NOT create an ESP tunnel for DHCP and
then just use the results, because there is no binding of the IKE
Phase-1 address to the results of the DHCP.

The one argument I have heard about why ModeCfg is better is that it
is bounded.  Necessarily because it is only negotiating an IP address
it can always complete in two messages.  Can you guarantee that DHCP
will always complete in two messages?  In four?

Similarly, I see nothing wrong with ModeCfg just configuring the IP
Address, and then using DHCP to obtain all the other configuration
once the network is up.  Indeed, modecfg could even provide the dhcp
address ;)

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
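The binding problem the message describes, as an added toy model that is not part of the post or of any IPsec implementation. It assumes a gateway that either records the DHCP-assigned address against the authenticated Phase-1 identity (the "IKE involved" case) or just forwards whatever came out of the DHCP exchange over an ESP tunnel; the class and field names, the peer identities and the addresses are all constructed for illustration.

```python
"""Constructed model of why an address obtained over a separate ESP tunnel
needs to be bound to the IKE Phase-1 identity before the gateway trusts it.

None of this is real IKE or DHCP code; it only shows the check a gateway
can make once its IKE daemon knows which address the peer was given.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1SA:
    """The authenticated IKE Phase-1 association (hypothetical fields)."""
    peer_id: str   # identity proven during Phase-1, e.g. "roadwarrior@example"
    spi: int       # constructed handle for the SA


@dataclass(frozen=True)
class DhcpLease:
    """What the DHCP server hands back (hypothetical fields)."""
    client_mac: str
    address: str


class Gateway:
    """Forwards inner packets from ESP tunnels.

    bind_to_phase1=False: DHCP ran inside an ESP tunnel and the gateway just
    uses the results; it never learned which IKE peer owns which address.
    bind_to_phase1=True: the IKE daemon relayed DHCP itself and recorded the
    assigned address against the Phase-1 SA, so it can enforce the binding.
    """

    def __init__(self, bind_to_phase1: bool) -> None:
        self.bind_to_phase1 = bind_to_phase1
        self.bound: dict[int, str] = {}      # Phase-1 SPI -> assigned address
        self.leases: dict[str, str] = {}     # DHCP view: MAC -> address

    def assign(self, sa: Phase1SA, lease: DhcpLease) -> None:
        """Record the outcome of the DHCP exchange for this peer."""
        self.leases[lease.client_mac] = lease.address
        if self.bind_to_phase1:
            # The IKE daemon ties the result to the authenticated identity.
            self.bound[sa.spi] = lease.address

    def accept_inner_packet(self, sa: Phase1SA, inner_src: str) -> bool:
        """Decide whether a decapsulated packet's inner source is forwarded."""
        if not self.bind_to_phase1:
            # Nothing links the SA to an address, so there is nothing to check.
            return True
        return self.bound.get(sa.spi) == inner_src


def run_scenario(bind_to_phase1: bool) -> dict[str, bool]:
    """Two peers get leases; one then sends with the other peer's address.

    Returns which inner packets the gateway forwarded, keyed by a label.
    """
    gw = Gateway(bind_to_phase1)
    alice = Phase1SA(peer_id="alice@example", spi=1)
    bob = Phase1SA(peer_id="bob@example", spi=2)
    gw.assign(alice, DhcpLease(client_mac="00:11:22:33:44:01", address="10.0.0.5"))
    gw.assign(bob, DhcpLease(client_mac="00:11:22:33:44:02", address="10.0.0.9"))
    return {
        # alice using her own assigned address
        "alice_own_address": gw.accept_inner_packet(alice, "10.0.0.5"),
        # alice using the address the DHCP server gave bob
        "alice_bobs_address": gw.accept_inner_packet(alice, "10.0.0.9"),
        # bob using his own assigned address
        "bob_own_address": gw.accept_inner_packet(bob, "10.0.0.9"),
    }


if __name__ == "__main__":
    print("unbound:", run_scenario(bind_to_phase1=False))
    print("bound:  ", run_scenario(bind_to_phase1=True))
```

With `bind_to_phase1=False` every inner packet is forwarded, including the one where the wrong peer uses the other's address, because the gateway never learned which Phase-1 identity the lease belongs to. With `bind_to_phase1=True` only packets whose inner source matches the address recorded against that SA get through; that recorded mapping is what the IKE daemon can supply when it relays DHCP itself, and what a standalone ESP-tunnelled DHCP exchange cannot.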