On Wed, Aug 06, 2008 at 01:30:05PM +1000, Richard Pruss wrote: > Possibly this is the core of the disagreement. I see it as critical to the > secure behaviour of an SP or Enterprise edge that the network > verify/enforce that the client is using the configuration the network gave > it.
I believe that is entirely true, and have been known to practice this in my own networks with a zeal beyond that normally considered practical or reasonable. > I see it as DHCP's role to configure the host and the network at the > boundary between layer 2 and layer 3. DHCP's role is to configure the host, yes, the network, no. Unless the network elements were themselves DHCP clients. The trouble with the relay's role in a DHCP host's exchange is that it is not given a state. This is wonderful, because it makes relays very simple pieces of software, having no state to manage. For folks that are trying, as I said, to make DHCP do what it wasn't designed for, it is an incomplete fit, and problems constantly arise with out-of-order packet delivery, out-of-band packet delivery (where there is a second relay), and inconsistent replies made to clients (of which only one is accepted by the client) which are particularly problematic when more than one server is involved. To name just a few. Given time to sort it out, and neglecting pathological cases, a DHCP server and DHCP client will converge on a single image of the desired configuration. A DHCP relay is left out of this convergence, so you cannot reliably convey configuration. I believe it simply was never a design criteria, and am more or less at peace with that as the ultimate designs of both DHCP protocols help them fit where I believe DHCP belongs. Which doesn't include access control. -- Ash bugud-gul durbatuluk agh burzum-ishi krimpatul. Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/ -- David W. Hankins "If you don't do it right the first time, Software Engineer you'll just have to do it again." Internet Systems Consortium, Inc. -- Jack T. Hankins
pgpT1bqaOxKGK.pgp
Description: PGP signature
_______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
