RE: IPSEC: IKE preshared keys, ID payload, and DHCP

> Digging this out from a ways back ...
>
> If only the required IKE mode of preshared keys is supported
> and ID payloads must contain a single IP address
> (ips-security-06, last paragraph, page 12), how are
> DHCP-enabled ports handled? When setting up the preshared
> key, an administrator needs to know the IP address since this
> is what the ID payload will identify (and what is used to
> select the preshared key). But can't the IP address change
> for a DHCP-enabled port on a power cycle, or lease
> expiration, etc.? Is there an assumption that only ports with
> static IP addresses are being used?

Yes and No in that order. Sharing the preshared key among the set of DHCP-enabled ports is a solution that's often found in practice. Some of the aspects of dealing with DHCP are still open issues (e.g., I think another look/check is needed at the current restriction on ID payload usage) - with luck there'll be more on the mailing list in the near future.

> In a related vein, will the IPSec DOI definition be updated
> to include iSCSI names for ID payload types? I think this
> would remove the problem with DHCP (at least for IKE Aggressive Mode).

There are no plans to update the DOI - I would expect strong resistance from the ipsec WG (with good reason) to every protocol that uses IPsec adding its preferred naming types/formats to IPsec.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500
black_david@emc.com Cell: +1 (978) 394-7754
---------------------------------------------------
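As an added illustration (not part of this thread or of any IKE implementation), a small Python model of the ISAKMP Identification payload and of a responder's pre-shared-key selection: a key bound to one ID_IPV4_ADDR stops matching once a DHCP lease moves the initiator to another address, while a key provisioned for the whole DHCP pool (the "shared preshared key" workaround from the reply) keeps matching. The policy table, addresses and function names are constructed assumptions; the ID type values and payload layout follow RFC 2407.

```python
"""Model of IKE ID-payload parsing and PSK selection under DHCP (constructed example)."""
import ipaddress
import struct

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2

# Hypothetical responder policy: one static peer, one shared key for a DHCP pool.
PSK_TABLE = {
    ipaddress.IPv4Address("192.0.2.10"): b"static-secret",
    ipaddress.IPv4Network("192.0.2.128/25"): b"dhcp-pool-secret",
}


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode an Identification payload: generic header (next, reserved, length),
    then ID type, protocol ID, port, and the identification data."""
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + data


def parse_id_payload(raw: bytes) -> tuple:
    """Return (id_type, data); rejects a truncated payload or a bad length field."""
    if len(raw) < 8:
        raise ValueError("ID payload truncated")
    _next, _resv, length, id_type, _proto, _port = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError("ID payload length mismatch")
    return id_type, raw[8:]


def select_psk(id_type: int, data: bytes, psk_table: dict):
    """Pick the PSK for this identity, or None if no policy entry covers it.

    Per the text, only a single IPv4 address is an acceptable ID. An exact
    address match serves static peers; a network entry serves every address
    the DHCP server may hand out, so lease changes do not break key selection.
    """
    if id_type != ID_IPV4_ADDR or len(data) != 4:
        return None
    addr = ipaddress.IPv4Address(data)
    if addr in psk_table:
        return psk_table[addr]
    for key, secret in psk_table.items():
        if isinstance(key, ipaddress.IPv4Network) and addr in key:
            return secret
    return None


def responder_psk(raw_payload: bytes, psk_table: dict = PSK_TABLE):
    """Parse a received ID payload and select the matching PSK."""
    id_type, data = parse_id_payload(raw_payload)
    return select_psk(id_type, data, psk_table)
```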