
RE: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
Some comments on others' postings:

"Theodore Ts'o" <tytso@mit.edu> wrote:
> We note that in San Francisco the wg had decided that in the
> absence of strong support, the default would be to stay with the
> existing text in the ikev2 document (Configuration Payload).

I'm concerned that in the past such a statement has caused the
people who agree with the current state to ignore the debate but
energize those who disagree. People who care should speak up!

"Scott G. Kelly" <scott@airespace.com> wrote:
> I think Darren's summary is pretty accurate. It's kind of a toss up.
> However, one difference that I note is that with the dhcp approach, all
> client config is (potentially) done prior to the instantiation of the
> child sa. I'm not sure if this is a benefit or not, but it might be.

This will be a blessing in some circumstances and a curse in others.
While doing client config early makes for a simpler boot rom, it
means that a site must be willing to give out client config information
to anonymous requestors (or else place additional requirements on
ordering of authentication messages and state machines within IKE
processing). In most scenarios, I wouldn't expect it to matter.

Michael Thomas <mat@cisco.com> wrote:
> I'm not entirely sure how impolitic this is wrt my
> employer's hive mind, but the thing that really
> tips my feeling about this is that DHCP-in-IKE
> keeps the IPsec wg out of the business of dealing
> with... configuration. That seems like a huge boon
> in my mind from a wheel-reinvention standpoint.
>
> So, mark my preference as DHCP-in-IKE.

There are two ways CP might evolve in the future. CP has
a syntax clearly designed for extensibility, and hence is
an "infection site" for architects who want to add
configuration options in the future in one more
different way. I find that
prospect scary. But it doesn't have to happen. If our
successors show restraint, they will not enhance CP to
include information that could better be sent over DHCP.
DHCP can be effectively tunnelled over ESP, and could (and
should) be used for such extensions. The configuration step
of allocating an IP address is special because it results
in information necessary for configuring the ESP SA. It
therefore can't be done over the ESP SA without significant
kludgery (though someone did make it work with IKEv1).

          --Charlie

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
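The last paragraph of the message above separates the one configuration item that has to be settled before the Child SA can exist (the initiator's internal address, which feeds the traffic selectors) from everything else, which could be fetched over DHCP once ESP is up. The following Python is an added illustration of that split, not code from the original post or from any IKEv2 implementation: it encodes and decodes Configuration Payload bodies in the TLV layout that IKEv2 uses (CFG Type octet, three reserved octets, then 15-bit attribute type / 16-bit length / value, as later published in RFC 7296 section 3.15), and a hypothetical responder answers only the address assignment plus an INTERNAL_IP4_DHCP pointer to a DHCP server reachable through the tunnel, leaving every other request unanswered. The attribute numbers are the ones in the IKEv2 registry; the exchange in `demo()`, the address pool and the DHCP server address are constructed for the example.

```python
"""IKEv2 Configuration Payload (CP) body encoder/decoder with a toy responder.

Added example, not code from the mailing-list post or from any IKEv2
implementation. Layout follows the IKEv2 CP definition (RFC 7296, 3.15).
"""
import ipaddress
import struct

# CFG Type values
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# A few attribute types from the IKEv2 configuration attribute registry
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3
INTERNAL_IP4_DHCP = 6       # DHCP server the client may reach through the tunnel
INTERNAL_IP6_ADDRESS = 8


def encode_cp(cfg_type, attrs):
    """Serialize a CP body: CFG Type, 3 reserved octets, then TLV attributes."""
    out = bytearray(struct.pack("!B3x", cfg_type))
    for atype, value in attrs:
        if not 0 <= atype <= 0x7FFF:
            raise ValueError("attribute type must fit in 15 bits")
        if len(value) > 0xFFFF:
            raise ValueError("attribute value too long")
        out += struct.pack("!HH", atype, len(value)) + bytes(value)
    return bytes(out)


def decode_cp(data):
    """Parse a CP body into (cfg_type, [(attribute_type, value), ...]).

    Every length is checked before it is used, so a truncated or malformed
    body raises ValueError instead of being read past its end.
    """
    if len(data) < 4:
        raise ValueError("CP body shorter than its 4-octet header")
    cfg_type = data[0]
    attrs = []
    pos = 4
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated attribute header at offset %d" % pos)
        raw_type, length = struct.unpack_from("!HH", data, pos)
        atype = raw_type & 0x7FFF   # top bit is reserved and ignored on receipt
        pos += 4
        if len(data) - pos < length:
            raise ValueError("attribute %d claims %d octets, only %d left"
                             % (atype, length, len(data) - pos))
        attrs.append((atype, bytes(data[pos:pos + length])))
        pos += length
    return cfg_type, attrs


def is_well_formed(data):
    """True if decode_cp accepts the body, False if it rejects it."""
    try:
        decode_cp(data)
        return True
    except ValueError:
        return False


def responder_reply(request, pool, dhcp_server):
    """Hypothetical responder: turn a CFG_REQUEST into a CFG_REPLY.

    Only the address assignment (the one item the Child SA depends on) and
    the pointer to an internal DHCP server are answered; any other requested
    attribute is simply omitted from the reply, which is how a responder
    declines it. The initiator may suggest an address in its request; this
    responder ignores the hint and always allocates from its own pool.
    """
    cfg_type, attrs = decode_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected CFG_REQUEST, got type %d" % cfg_type)
    reply = []
    for atype, _value in attrs:
        if atype == INTERNAL_IP4_ADDRESS:
            if not pool:
                raise RuntimeError("address pool exhausted")
            reply.append((atype, ipaddress.IPv4Address(pool.pop(0)).packed))
        elif atype == INTERNAL_IP4_DHCP:
            reply.append((atype, ipaddress.IPv4Address(dhcp_server).packed))
    return encode_cp(CFG_REPLY, reply)


def demo():
    """Constructed exchange: the initiator asks for an address, a DHCP server
    and DNS; the responder answers the first two and leaves DNS to DHCP."""
    request = encode_cp(CFG_REQUEST, [
        (INTERNAL_IP4_ADDRESS, b""),
        (INTERNAL_IP4_DHCP, b""),
        (INTERNAL_IP4_DNS, b""),
    ])
    reply = responder_reply(request, ["10.1.0.10"], "10.1.0.2")
    return decode_cp(reply)


if __name__ == "__main__":
    print(demo())
```

The decoder keeps unknown attribute types rather than dropping them, which is the extensibility the message worries about: anything with a type and a length parses, so restraint about what goes into CP has to come from the specification, not the parser.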