[Openswan Users] FreeSWAN, Wireless Windows 98/ME/2K/XP RoadWarriors, DHCP over IPsec - overview

Michael Richardson mcr at sandelman.ottawa.on.ca
Thu Jun 10 12:58:39 CEST 2004




>>>>> "Jacco" == Jacco de Leeuw <jacco2 at dds.nl> writes:
    >> This *definitely* interests me.  I'll have a look at your iscs
    >> website and look through those DHCP-over-IPsec configurations.

    Jacco> Sorry for playing devil's advocate, but isn't DHCP-over-IPsec
    Jacco> only supported by SSH Sentinel, which has now been
    Jacco> discontinued? Microsoft is one of the authors of the
    Jacco> DHCP-over-IPsec proposal, but it will probably take a while
    Jacco> (Longhorn?) before it's in Windows.

  I doubt it.

  DHCP-over-IPsec is not in any of the large boxes -- it is nearly
impossible to support it on systems where the IPsec is done on a blade,
and the IKE is on a control processor.

  The issue is that DHCP-over-IPsec creates a zoo of
0.0.0.0/0<->0.0.0.0/0 tunnels, and it is very hard to route the DHCP
packets in/out of this easily, and coordinate the packets with the state
of IKE, etc.

  That's why IKEv2 has a mechanism which keeps all the
control/configuration operations in the IKE channel.

- --
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

 