
    RE: IPSEC: IKE preshared keys, ID payload, and DHCP

    > Digging this out from a ways back ...
    > If only the required IKE mode of preshared keys is supported 
    > and ID payloads must contain a single IP address 
    > (ips-security-06, last paragraph, page 12), how are 
    > DHCP-enabled ports handled? When setting up the preshared 
    > key, an administrator needs to know the IP address since this 
    > is what the ID payload will identify (and what is used to 
    > select the preshared key).  But can't the IP address change 
    > for a DHCP-enabled port on a power cycle, or lease 
    > expiration, etc.? Is there an assumption that only ports with 
    > static IP addresses are being used?
    Yes and No in that order.  Sharing the preshared key among the
    set of DHCP-enabled ports is a solution that's often found in
    practice.  Some of the aspects of dealing with DHCP are still
    open issues (e.g., I think another look/check is needed at the
    current restriction on ID payload usage) - with luck there'll
    be more on the mailing list in the near future.
    > In a related vein, will the IPSec DOI definition be updated 
    > to include iSCSI names for ID payload types? I think this 
    > would remove the problem with DHCP (at least for IKE Aggressive Mode).
    There are no plans to update the DOI - I would expect strong
    resistance from the ipsec WG (with good reason) to every protocol
    that uses IPsec adding its preferred naming types/formats to IPsec.
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*    FAX: +1 (508) 497-8500    Cell: +1 (978) 394-7754
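The constraint behind this exchange is that in IKE main mode the responder has to pick the preshared key before it can decrypt the peer's ID payload, because the keys protecting that payload are derived from the preshared key itself; the only selector available at that point is the source IP address of the IKE packets. The following Python is an added example (not code from the message above or from the IPS working group) that models that selection and shows why a per-address key table breaks when a DHCP lease changes while the "shared key across the DHCP pool" workaround from the reply keeps working. The key-table layout, addresses, nonces and function names are this example's own assumptions; the SKEYID formula is the one RFC 2409 gives for preshared-key authentication.

```python
"""Main-mode PSK selection by peer address, and the shared-key workaround
for DHCP-assigned addresses.

Added example, not code from the original message or from the IPS WG.
Key tables, addresses and nonces are constructed for illustration.
SKEYID formula per RFC 2409 section 5.4 (preshared-key authentication):
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
"""
import hashlib
import hmac
import ipaddress

# Constructed key tables.  KEYS_PER_HOST is what an administrator builds
# when every peer has a static address; KEYS_SHARED_SUBNET is the
# workaround from the reply: one key shared by the whole DHCP-served pool.
KEYS_PER_HOST = {
    ipaddress.ip_network("10.1.2.10/32"): b"host-10-secret",
    ipaddress.ip_network("10.1.2.11/32"): b"host-11-secret",
}
KEYS_SHARED_SUBNET = {
    ipaddress.ip_network("10.1.2.0/24"): b"dhcp-pool-shared-secret",
}


def select_psk(key_table, peer_ip):
    """Pick the PSK for a peer using only its IP address.

    In main mode the responder must do this before it can decrypt the
    peer's ID payload (message 5), since the keys protecting that payload
    are derived from the PSK.  Longest matching prefix wins; None means
    "no key configured for this address", so the negotiation fails.
    """
    addr = ipaddress.ip_address(peer_ip)
    matches = [(net, key) for net, key in key_table.items() if addr in net]
    if not matches:
        return None
    _net, key = max(matches, key=lambda m: m[0].prefixlen)
    return key


def skeyid_psk(psk, ni_b, nr_b, hash_name="sha1"):
    """SKEYID for preshared-key authentication: prf is HMAC with the
    negotiated hash, keyed by the PSK, over the two nonce bodies."""
    return hmac.new(psk, ni_b + nr_b, getattr(hashlib, hash_name)).digest()


def main_mode_skeyid(key_table, initiator_ip, ni_b, nr_b):
    """Responder side: choose the key by address and derive SKEYID,
    or return None when no key can be selected for that address."""
    psk = select_psk(key_table, initiator_ip)
    if psk is None:
        return None
    return skeyid_psk(psk, ni_b, nr_b)


def demo():
    """Run the three scenarios from the thread and report which succeed."""
    ni_b = bytes.fromhex("00" * 16)  # constructed nonces
    nr_b = bytes.fromhex("ff" * 16)
    results = {}
    # Static address: the configured per-host entry still matches.
    results["static"] = (
        main_mode_skeyid(KEYS_PER_HOST, "10.1.2.10", ni_b, nr_b) is not None
    )
    # After a lease change the same host arrives from .57: no per-host key.
    results["per_host_after_dhcp"] = (
        main_mode_skeyid(KEYS_PER_HOST, "10.1.2.57", ni_b, nr_b) is not None
    )
    # Shared pool key: any address in the pool selects the same PSK.
    results["shared_after_dhcp"] = (
        main_mode_skeyid(KEYS_SHARED_SUBNET, "10.1.2.57", ni_b, nr_b) is not None
    )
    # Initiator (knows the PSK directly) and responder (selected it by
    # address) derive the same SKEYID from the same PSK and nonces.
    results["same_skeyid"] = (
        skeyid_psk(b"dhcp-pool-shared-secret", ni_b, nr_b)
        == main_mode_skeyid(KEYS_SHARED_SUBNET, "10.1.2.57", ni_b, nr_b)
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The caveat a practitioner would attach to the shared-key workaround: every port holding the pool key can authenticate to the responder as any address in that pool, so the key identifies membership in the pool, not a particular host, and compromise of one port exposes all of them. The questioner's remark about aggressive mode reflects the other way out: aggressive mode carries the ID payload in the first, unencrypted message, so a non-address identifier can drive key selection there, which main mode cannot offer.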


Last updated: Wed Jan 02 13:17:46 2002