Subject: Re: DHCP vs. IPsec
To: Charles M. Hannum <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 09/17/2003 17:39:06
>>>>> "Charles" == Charles M Hannum <firstname.lastname@example.org> writes:
Charles> So, I use IPsec over my wireless network. I also use DHCP.
Excellent. Have you seen www.wavesec.org?
Charles> I observed that renewals were not working right from my laptop -- the
Charles> server did not seem to see the DHCP REQUESTs, nor did it send any
Charles> replies. Eventually the renewal timed out and it did a new DHCP
Charles> DISCOVER sequence and managed to get a new lease, so the network
Charles> appeared to function normally.
Yes, that is correct.
The DHCP client sends the renewal using a plain UDP packet; it gets
encrypted with IPsec, and the server actually will receive it.
The DHCP server answers the request in the IPsec, but the client is
listening only on the wire. It discards packets on port 67. The result is
that it thinks the renewal didn't happen.
The problem is that getting two answers would be bad. I think that we
should be able to cope with that and enable reading on the UDP socket.
Charles> An iBook running OSX experienced more chaotic behavior, eventually
Charles> self-configuring a bogus IP address and not working at all.
Yes, that's Rendezvous "working" for you.
Charles> Yes, it is possible to tweak the IPsec configuration so that the
Charles> outbound packets are not encrypted in this case. However, that's
Charles> irritating, and it does not fix the problem that the path isn't
Charles> symmetric. Furthermore, OSX does not encrypt outgoing DHCP
This was the only solution that we came up with for wavesec.
Same thing under Linux, btw.
Charles> So, I've made the following change to my tree to prevent IPsec
Charles> encapsulation of DHCP packets. With this change, renewals work
Charles> correctly from a NetBSD laptop -- and I believe will work
Charles> from OSX, but I won't be able to test that for a few days.
Nice changes. Alas, they don't solve the whole problem.
A renewal through IPsec should be equally valid.
Send it to ISC anyway.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] email@example.com http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [
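The IPsec exemption for DHCP that the thread describes, written out as an added setkey(8) SPD example for a KAME-derived stack such as NetBSD. This is not Charles's tree change and not wavesec's own configuration; the 192.168.1.0/24 subnet and the transport-mode ESP policy are assumptions standing in for whatever the real setup uses.

```conf
# Added example, not from the thread. Client-side SPD for the wireless
# interface. Addresses are placeholders.
#
# DHCP runs between client port 68 and server port 67. Exempt both
# directions from IPsec so that a unicast renewal (68 -> 67) and the
# server's reply (67 -> 68) travel in the clear, where the client's
# raw-link listener actually sees the reply. The broadcast DISCOVER
# (0.0.0.0:68 -> 255.255.255.255:67) matches the same entries.
spdadd 0.0.0.0/0[68] 0.0.0.0/0[67] udp -P out none;
spdadd 0.0.0.0/0[67] 0.0.0.0/0[68] udp -P in  none;

# Everything else on the wireless segment still requires ESP.
# On KAME the first matching SPD entry wins, so the exemptions above
# must be listed before this catch-all.
spdadd 192.168.1.0/24 192.168.1.0/24 any -P out ipsec esp/transport//require;
spdadd 192.168.1.0/24 192.168.1.0/24 any -P in  ipsec esp/transport//require;
```

The DHCP server needs the mirror-image entries (in for 68 -> 67, out for 67 -> 68), otherwise its reply is still ESP-wrapped and the path stays asymmetric as Charles observed; the trade-off is that DHCP on that segment is then unauthenticated, which is what the thread's "only solution" accepts.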