
Re: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload



Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:

> >>>>> "Derek" == Derek Atkins <derek@ihtfp.com> writes:
>     Derek> issues point at one towards the other.  I think Config Payload
>     Derek> wins on performance, and DHCP-over-IKE wins on extensibility.
>     Derek> DHCP certainly wins in terms of using end-to-end DHCP
>     Derek> authentication, but that implies the use of a DHCP infrastructure.
> 
>   The use of DHCP syntax on the wire does not imply that a DHCP
> infrastructure must exist.

The converse is just as true. Not using DHCP syntax on the wire does
not imply that a DHCP cannot exist. It's all just a translation
issue at the security gateway -- a gateway which must be involved in
the configuration path anyways in order to read the address and set
traffic selectors.

>   If you want to build a self-contained gateway box that manages its own
> address pool (on the box itself), then you can do that.
>   If you want to translate to other infrastructure (radius), Tero has documented
> how to do that. 

Sure, but it works in reverse, too -- the IKE Daemon on the security
gateway needs to be able to translate from whatever Foo-over-IKE we
choose to whatever actual configuration protocols are in use.  So
what?  It's no easier to implement a DHCP to RADIUS converter than it is
to implement a CP to RADIUS converter.

Similarly, are there actual DHCP libraries available?  The ISC DHCP
software certainly doesn't install "libdhcp" anywhere on my system.
Are there other DHCP client libraries that are available, so IKE
implementors don't need to implement DHCP as well as IKE?

>   Tero also argues that if you are using Radius with EAP, that your round
> trip count is already larger than 4, so DHCP does not add to it.

Yea, sure, but is that necessarily the "common case" when using IKE
Configuration?  In other words, do we expect that IKE Configuration
will be used simultaneously with EAP the vast majority of the time?
Or do we think that it will be used just as often with other forms of
authentication, like RSA certs?

On another note, can you even start the configuration process before
EAP finishes?  I'm not convinced you can run it concurrently with EAP,
which implies that the extra messages from EAP and then DHCP would
have to be serialized, making the exchange even longer!  I say this
because I don't see how a server can respond with a DHCPOFFER until
the client has authenticated (e.g. EAP finished).

Am I missing something?

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com