
Re: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload



>In some radius servers that will happen. On the other hand you can
>configure the radius server to allow responding to the configuration
>requests before authentication if needed.

There's some danger involved in having the IKE daemon blindly forward DHCP 
packets from the peer onto the protected network, particularly if the DHCP 
happens *before* the user is authenticated. If there is a known exploit on 
the DHCP server then the DHCP packet could install a trojan. Also, the DHCP 
forwarding policy creates an extra channel for a pre-existing trojan on the 
protected network to communicate with arbitrary peers (not that there's 
likely to be any shortage of those).

Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.
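
One way to narrow the pre-authentication forwarding risk raised above, as an added example that is not part of the original message or of any IKE implementation: a gate the relay consults before a peer's DHCP packet reaches the protected network. The names relay_decision, sample_packet and MAX_LEN, and the 576-byte cap, are assumptions made for the illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"        # DHCP magic cookie (RFC 2131)
BOOTREQUEST = 1                            # 'op' value for client-to-server messages
# Option 53 message types that a client may legitimately originate
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
MAX_LEN = 576                              # hypothetical policy cap on relayed packet size

def dhcp_message_type(packet):
    """Return the option 53 value, or None if the packet is malformed."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                    # end option
            break
        if code == 0:                      # pad option, single byte
            i += 1
            continue
        if i + 1 >= len(packet):           # length byte missing
            return None
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:           # option runs past end of packet
            return None
        if code == 53:
            return value[0] if length == 1 else None
        i += 2 + length
    return None

def relay_decision(packet, peer_authenticated):
    """Decide whether a peer's DHCP packet may be forwarded; returns (ok, reason)."""
    if not peer_authenticated:             # never forward before authentication
        return (False, "peer not authenticated")
    if len(packet) > MAX_LEN:
        return (False, "oversized packet")
    if packet[:1] != bytes([BOOTREQUEST]):
        return (False, "not a BOOTREQUEST")
    mtype = dhcp_message_type(packet)
    if mtype not in CLIENT_TYPES:
        return (False, "malformed or non-client message type")
    return (True, CLIENT_TYPES[mtype])

def sample_packet(mtype, op=BOOTREQUEST):
    """Constructed test input: minimal BOOTP header plus option 53 and end option."""
    header = bytes([op, 1, 6, 0]) + b"\x00" * 232
    return header + MAGIC_COOKIE + bytes([53, 1, mtype, 255])
```

The gate only limits what an authenticated peer can push toward the DHCP server; it does not patch a vulnerable server.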



