
Re: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload



Personally, I don't have a strong opinion on DHCP-over-IKE vs.
Configuration Payload.  Both provide the necessary security hooks I
think need to be there, so it's mostly a syntactic, performance, and
extensibility issue, rather than a major semantic issue.

The question is whether the syntax, performance, and extensibility
issues point at one towards the other.  I think Config Payload wins on
performance, and DHCP-over-IKE wins on extensibility.  DHCP certainly
wins in terms of using end-to-end DHCP authentication, but that
implies the use of a DHCP infrastructure.  If the Security Gateway
backend is using something other than DHCP then it's probably more
work to use DHCP... I think it's probably a toss-up over syntax ;)

Ted, I'm sorry this doesn't help add weight to one side or the other.
I'm just as happy with flip-a-coin...

-derek

"Theodore Ts'o" <tytso@MIT.EDU> writes:

> Darren, thanks for your good summary of the pros versus cons of DHCP
> over IKE vs. Configuration Payload.  Only one thing was missing: your
> weighing on which proposal you think is superior.  :-)
> 
> To the rest of the list, the amount of comments on this item has been
> extremely underwhelming.  Barbara and I would like to call on
> supporters of the two proposals to send their comments to the list
> ASAP.  We note that in San Francisco the wg had decided that in the
> absence of strong support, the default would be to stay with the
> existing text in the ikev2 document (Configuration Payload).
> 
> 						- Ted

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com