
RE: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload



> > Tero also argues that if you are using Radius with EAP, that your round
> > trip count is already larger than 4, so DHCP does not add to it.
>
> Yea, sure, but is that necessarily that "common case" when using IKE
> Configuration?  In other words, do we expect that IKE Configuration
> will be used simultaneously with EAP the vast majority of the time?
> Or do we think that it will be used just as often with other forms of
> authentication, like RSA certs?
>
> On another note, can you even start the configuration process before
> EAP finishes?  I'm not convinced you can run it concurrently with EAP,
> which implies that the extra messages from EAP and then DHCP would
> have to be serialized, making the exchange even longer!  I say this
> because I don't see how a server can respond with a DHCPOFFER until
> the client has authenticated (e.g. EAP finished).
>
> Am I missing something?

Nope, you are correct.  DHCP should be done after EAP, the same as CP is
done after/with the last EAP message.  I think implementations could get
clever and block DHCPREQUESTs until after the client authenticates, but it
seems simpler to require the client side to start the DHCP-over-IKE exchange
after EAP completes and the client is authenticated.

Darren

>
> -derek
>
> --
>        Derek Atkins
>        Computer and Internet Security Consultant
>        derek@ihtfp.com             www.ihtfp.com
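The ordering agreed on above (the responder answers DHCP-over-IKE only once the peer is authenticated, so DHCP is serialized after EAP rather than run concurrently with it) as an added example, not code from the thread or from any IKE implementation. It is a simplified, constructed model of responder-side IKE SA state; the class and method names are hypothetical.

```python
from enum import Enum, auto


class SaState(Enum):
    INIT_DONE = auto()        # IKE_SA_INIT finished, peer not yet authenticated
    EAP_IN_PROGRESS = auto()  # first IKE_AUTH carried no AUTH payload; EAP running
    AUTHENTICATED = auto()    # final IKE_AUTH verified (EAP success or cert/RSA AUTH)


class ResponderSa:
    """Tracks one IKE SA on the responder and gates DHCP-over-IKE on authentication."""

    def __init__(self, use_eap: bool):
        self.use_eap = use_eap
        self.state = SaState.INIT_DONE
        self.log = []  # constructed audit trail of dropped messages

    def on_ike_auth_first(self):
        # First IKE_AUTH: with EAP the initiator omits AUTH and the EAP conversation
        # begins; with RSA certs the AUTH payload is verified here and the SA is done.
        if self.state is not SaState.INIT_DONE:
            raise ValueError("unexpected IKE_AUTH in state %s" % self.state.name)
        self.state = SaState.EAP_IN_PROGRESS if self.use_eap else SaState.AUTHENTICATED

    def on_eap_success_and_final_auth(self):
        # Last EAP round plus the final AUTH exchange completes authentication.
        if self.state is not SaState.EAP_IN_PROGRESS:
            raise ValueError("EAP not in progress")
        self.state = SaState.AUTHENTICATED

    def on_dhcp_over_ike(self, msg: str):
        """Return the DHCP reply type, or None if the message is dropped unanswered.

        No DHCPOFFER/DHCPACK leaves the responder before the peer is authenticated,
        which is what forces DHCP-over-IKE to run after EAP rather than alongside it.
        """
        if self.state is not SaState.AUTHENTICATED:
            self.log.append("dropped %s in state %s" % (msg, self.state.name))
            return None
        return {"DHCPDISCOVER": "DHCPOFFER", "DHCPREQUEST": "DHCPACK"}.get(msg)


def eap_then_dhcp_round_trips(eap_round_trips: int) -> int:
    # Round trips for the constructed sequence: IKE_SA_INIT, first IKE_AUTH,
    # the EAP rounds, the final AUTH, then DISCOVER/OFFER and REQUEST/ACK.
    return 2 + eap_round_trips + 1 + 2
```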