Re: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
Personally, I don't have a strong opinion on DHCP-over-IKE vs.
Configuration Payload. Both provide the necessary security hooks I
think need to be there, so it's mostly a syntactic, performance, and
extensibility issue, rather than a major semantic issue.

The question is whether the syntax, performance, and extensibility
issues point at one towards the other. I think Config Payload wins on
performance, and DHCP-over-IKE wins on extensibility. DHCP certainly
wins in terms of using end-to-end DHCP authentication, but that
implies the use of a DHCP infrastructure. If the Security Gateway
backend is using something other than DHCP then it's probably more
work to use DHCP... I think it's probably a toss-up over syntax ;)

Ted, I'm sorry this doesn't help add weight to one side or the other.
I'm just as happy with flip-a-coin...

-derek

"Theodore Ts'o" <tytso@MIT.EDU> writes:
> Darren, thanks for your good summary of the pros versus cons of DHCP
> over IKE vs. Configuration Payload. Only one thing was missing: your
> weighing on which proposal you think is superior. :-)
>
> To the rest of the list, the amount of comments on this item has been
> extremely underwhelming. Barbara and I would like to call on
> supporters of the two proposals to send their comments to the list
> ASAP. We note that in San Francisco the wg had decided that in the
> absence of strong support, the default would be to stay with the
> existing text in the ikev2 document (Configuration Payload).
>
> - Ted
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com