Re: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
>In some radius servers that will happen. On the other hand you can
>configure the radius server to allow responding to the configuration
>requests before authentication if needed.
There's some danger involved in having the IKE daemon blindly forward DHCP
packets from the peer onto the protected network, particularly if the DHCP
happens *before* the user is authenticated. If there is a known exploit on
the DHCP server then the DHCP packet could install a trojan. Also, the DHCP
forwarding policy creates an extra channel for a pre-existing trojan on the
protected network to communicate with arbitrary peers (not that there's
likely to be any shortage of those).
Andrew
--------------------------------------
The odd thing about fairness is when
we strive so hard to be equitable
that we forget to be correct.