
Remote access configuration requirements (was Re: User-level Authentication Mechanisms for IPsec)

Ari Huttunen wrote:
> "Scott G. Kelly" wrote:
> > Here are the attributes in the current rev of the isacfg draft:
> I haven't really followed those groups. Could you perhaps provide
> some pointers to those requirements? Thanks.

I intend to honor Ted's request, at least for the time being, and not
engage in the flamewar on these topics pending a discussion of
requirements. To begin with, see the following, extracted from the
references of the ipsec-dhcp draft:

[3]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March

[4]  McGregor, G., "The PPP Internet Protocol Control Protocol (IPCP)",
     RFC 1332, May 1992.

[5]  Alexander, S., Droms, R., "DHCP Options and BOOTP Vendor
     Extensions", RFC 2132, March 1997.

[6]  Droms, R., Arbaugh, W., "Authentication for DHCP Messages",
     Internet draft (work in progress), draft-ietf-dhc-
     authentication-11.txt, June 1999.

[7]  Cobb, S., "PPP Internet Protocol Control Protocol Extensions for
     Name Server Addresses", RFC 1877, December 1995.

[8]  Droms, R., Kinnear, K., Stapp, M., Volz, B., Gonczi, S., Rabil, G.,
     Dooley, M., Kapur, A., "DHCP Failover Protocol", Internet draft
     (work in progress), draft-ietf-dhc-failover-04.txt, June 1999.

Then, take a look at various working group mailing list archives dating
back 5 years or more for dhcp, ipcp, ppp, etc. to see the flame wars
that led to the current state of affairs.  Bernard Aboba, one of the
editors of the ipsec-dhcp draft, participated in those discussions, and
chose at that time to take an approach similar to that of isacfg. After
seeing the results, he has emerged with some experience and wisdom, and
is recommending dhcp.

Take a look at the number of dhcp options. The option field only permits
255, so DHCPINFORM was added to RFC 2131 for the explicit purpose of
allowing dialup to leverage DHCP rather than going down the (heavily
criticized) road of RFC 1877. Think about it - these options document
the requirements of hosts which use dynamic configuration. When you
assign a virtual address to a remote access host (an address from the
internal network), for all intents and purposes the host is on the
internal network. The majority of the dhcp options are used to provision
such hosts with required infrastructure information.

I will resist the urge to discuss where this functionality should reside
(for the moment), and instead invite others to provide alternative
viewpoints specifically relating to remote access configuration
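As an added illustration of the option-space point made above (this is example code written for this page, not code from the thread, the ipsec-dhcp draft or any DHCP implementation), the following parser decodes the RFC 2132 TLV option field. The single-octet option code is what caps the space at 255, with 0 (pad) and 255 (end) reserved, and the DHCPINFORM/DHCPACK exchange shows how a host that already holds an address is provisioned with the same infrastructure options (subnet mask, routers, DNS servers, domain) as a host on the internal network. All addresses and names in the sample messages are constructed, and the parser rejects the truncated and unterminated option fields a defender's decoder must not accept.

```python
from typing import Dict, List

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2132 section 2

# Option codes are one octet; 0 (pad) and 255 (end) are reserved, which is
# the 255-code ceiling discussed in the message above.
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS_SERVER, OPT_DOMAIN_NAME, OPT_MESSAGE_TYPE = 1, 3, 6, 15, 53
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def parse_options(field: bytes) -> Dict[int, List[bytes]]:
    """Decode the TLV option field (cookie included) into code -> raw values.

    An option may appear more than once, hence the list. Raises ValueError on a
    missing cookie, a length that overruns the buffer, or a missing END option:
    the malformed-packet cases a receiving parser has to reject.
    """
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, List[bytes]] = {}
    i = len(MAGIC_COOKIE)
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:          # single-octet option, no length
            i += 1
            continue
        if code == OPT_END:          # single-octet option, terminates the field
            return options
        if i + 1 >= len(field):
            raise ValueError(f"option {code} has no length octet")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} length {length} overruns the buffer")
        options.setdefault(code, []).append(value)
        i += 2 + length
    raise ValueError("option field not terminated by END (255)")


def ipv4_list(value: bytes) -> List[str]:
    """Decode an option value holding zero or more 4-octet IPv4 addresses."""
    if len(value) % 4 != 0:
        raise ValueError("address list length is not a multiple of 4")
    return [".".join(str(b) for b in value[k:k + 4]) for k in range(0, len(value), 4)]


def describe(field: bytes) -> dict:
    """Summarise the infrastructure parameters carried in an option field."""
    opts = parse_options(field)
    mtype = opts.get(OPT_MESSAGE_TYPE, [b""])[0]
    return {
        "message_type": MESSAGE_TYPES.get(mtype[0] if mtype else -1, "unknown"),
        "subnet_mask": ipv4_list(opts[OPT_SUBNET_MASK][0])[0] if OPT_SUBNET_MASK in opts else None,
        "routers": ipv4_list(b"".join(opts.get(OPT_ROUTER, []))),
        "dns_servers": ipv4_list(b"".join(opts.get(OPT_DNS_SERVER, []))),
        "domain_name": opts[OPT_DOMAIN_NAME][0].decode("ascii") if OPT_DOMAIN_NAME in opts else None,
    }


def encode_option(code: int, value: bytes) -> bytes:
    """Encode one TLV option, enforcing the one-octet code and length limits."""
    if not 1 <= code <= 254:
        raise ValueError("option codes 0 and 255 are reserved")
    if len(value) > 255:
        raise ValueError("option value exceeds the one-octet length field")
    return bytes([code, len(value)]) + value


def build_field(message_type: int, options: List[tuple]) -> bytes:
    """Assemble cookie + message-type option + options + END."""
    body = encode_option(OPT_MESSAGE_TYPE, bytes([message_type]))
    body += b"".join(encode_option(c, v) for c, v in options)
    return MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample exchange: a DHCPINFORM from a host that already has an
# address, and the DHCPACK a server would return carrying only configuration.
SAMPLE_INFORM = build_field(8, [])
SAMPLE_ACK = build_field(5, [
    (OPT_SUBNET_MASK, bytes([255, 255, 255, 0])),
    (OPT_ROUTER, bytes([10, 0, 0, 1])),
    (OPT_DNS_SERVER, bytes([10, 0, 0, 53, 10, 0, 0, 54])),
    (OPT_DOMAIN_NAME, b"corp.example"),
])

if __name__ == "__main__":
    print(describe(SAMPLE_INFORM))
    print(describe(SAMPLE_ACK))
```

Running the block prints the decoded INFORM (message type only) and the decoded ACK with its mask, router, DNS and domain values; feeding `parse_options` a copy of `SAMPLE_ACK` with its tail cut off raises `ValueError` instead of returning a partial option.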