
RE: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload





> -----Original Message-----
> From: Charlie_Kaufman@notesdev.ibm.com
> [mailto:Charlie_Kaufman@notesdev.ibm.com]
> Sent: Sunday, April 13, 2003 7:19 PM
> To: Theodore Ts'o
> Cc: ipsec@lists.tislabs.com; owner-ipsec@lists.tislabs.com
> Subject: Re: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
> 
--SNIP--
> 
> Having read Tero's DHCP over IKE proposal, I continue to believe that while
> either DHCP or CP could be made to work that CP is the better choice for
> reasons of simplicity. (If I were king, I'd pick a protocol that was
> simpler than either).

For example? But then again, it's too late for that ;-)
 
> Tero's proposal describes how to deal with all these cases, but it's
> awkward.

Agreed. Though CP isn't too much less awkward, we are all just more used to
it since we all implemented it already (or dang close to it) for IKEv1
ModeCFG.
 
> When the IKE responder is allocating addresses out of its own pool or
> getting them using RADIUS, it appears to me that processing would be more
> complex translating them to DHCP than translating them to CP.

Also agreed. But that's because CP was sort of designed more with RADIUS
in mind than DHCP. Is that right, Darren?

> My intuition is that having the IKE responder lease addresses from its own
> pool will be the common case, since if the address is acquired from
> elsewhere the IKE responder will have to take some action to get traffic to
> the allocated address routed to it (most likely by responding to ARPs).

Usually the whole pool and the routes to it are already entered in the
internal network's routing infrastructure. This is not an issue in all the
networks I've seen.

Gregory.