Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6

Francis Dupont <> Wed, 07 June 2017 19:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 73D5A12EBF9 for <>; Wed, 7 Jun 2017 12:43:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0-DzxVGypBZJ for <>; Wed, 7 Jun 2017 12:43:58 -0700 (PDT)
Received: from ( [IPv6:2001:41d0:1:6d55:211:5bff:fe98:d51e]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D2FE4129B40 for <>; Wed, 7 Jun 2017 12:43:57 -0700 (PDT)
Received: from (localhost [IPv6:::1]) by (8.14.7/8.14.7) with ESMTP id v57JT6wQ063392; Wed, 7 Jun 2017 21:29:06 +0200 (CEST) (envelope-from
Message-Id: <>
From: Francis Dupont <>
To: Ted Lemon <>
cc: =?utf-8?B?56We5piO6YGU5ZOJ?= <>, dhcwg <>
In-reply-to: Your message of Wed, 07 Jun 2017 15:06:09 -0400. <>
Date: Wed, 07 Jun 2017 21:29:06 +0200
Archived-At: <>
Subject: Re: [dhcwg] DHCP hackathon in Prague: SeDHCPv6
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Jun 2017 19:43:59 -0000

 In your previous mail you wrote:

>  Bernie addressed the key issue.   I think Bernie's suggestion is fine, but s
>  ounds a lot like DTLS, which begs the question, why not just use DTLS?   And
>   Francis, much as we might wish it otherwise, IPsec isn't actually a practic
>  al option as far as I can tell.  I have no idea how to use it for anything o
>  ther than setting up a VPN on, e.g., Mac OS X.   If you have a resource to p
>  oint to on that, I'd be interested to hear about it.

=> even if IPsec is essentially used for VPN it provides a transport mode
and not only a tunnel mode...
Now the real question is about the fact IPsec is a kernel feature, not
something you add in applications over the transport API provided by
the kernel. The world is divided between people who think it is an
advantage and people who think it is *the* problem.
Obviously I am in the first part, you in the second. Now I did a lot of
kernel programming (including IPsec kernel programming) so I am very
far to be neutral...


PS: macOS has IPsec/IKE support. At the time I worked on IPsec it used
the same code than me, today I don't know.
To configure it:
 - open System Prefences
 - open Network
 - add a new interface (or service)
 - select VPN (there was a way to use transport mode but as far as I
  remember not very direct)
 - select IKEv2 VPN type
 - enter a service name
BTW I am typing this on a macOS MacBook Air...