Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection

Ralph Droms <> Wed, 09 October 2002 19:00 UTC

X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 09 Oct 2002 14:58:58 -0400
To: Thomas Narten <>
From: Ralph Droms <>
Subject: Re: [dhcwg] status of draft-ietf-dhc-agent-subnet-selection
Cc: Ted Lemon <>, "Bernie Volz (EUD)" <>, Kim Kinnear <>,

The message from the relay agent to the server uses the relay agent's 
address as the source address.  The relay agent modifies and sends the DHCP 
message as the payload in a UDP message that appears to originate from the 
relay agent.  Section 4 of RFC1542 gives more details.  The difference 
between DHCPv4 and DHCPv6 is in the way in which the client message is 
processed by the relay agent (in DHCPv6, the message is encapsulated in a 
new message generated by the relay agent).

Yes, IPsec cannot be used from the client to the server.  The proposal for 
the use of IPsec under consideration here is to protect the message as it 
travels between the relay agent and the server.  The primary purpose is to 
protect any relay agent options, addressing an issue raised by the original 
relay option spec (RFC3046), which assumes no security is needed between 
the relay agent and the server.

- Ralph

At 02:35 PM 10/9/2002 -0400, Thomas Narten wrote:
> > If I squint my eyes and stand back far enough, I don't see that the DHCPv4
> > case is different.
> Conceptually similar, details are different.
> > While the relay agent is relaying a message on behalf
> > of the client, it really is relaying that message in an independent UDP
> > message, in which the source address belongs to the relay agent.
> Isn't the source address of the packet that of the client (and not the
> relay agent)? This makes a huge difference with regards to IPsec.
> Even worse, the client has no IP address yet, so the relayed packet
> has no source address...
> This can't be made to work trivially with stock IPsec. You'd need
> extensions I'd suspect, defeating much of the purpose of trying to use
> Note that the above also factored into why DHC needed something
> specific to DHC rather than trying to somehow use IPsec.

dhcwg mailing list
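The DHCPv4 relay behaviour described in the reply (the relay rewrites giaddr and hops, may append the RFC 3046 relay agent option, and forwards the result as a new UDP datagram whose source is the relay itself) as an added Python example; it is not code from the thread or from any DHCP implementation, and the relay, server and circuit-id values are constructed test data.

```python
"""DHCPv4 relay forwarding per RFC 1542 section 4 and RFC 3046 (added example).
The server sees the relay agent as the datagram source, which is the hop that
IPsec between relay and server would protect."""
import socket
import struct

SERVER_PORT = 67
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
MAX_HOPS = 16  # hop limit assumed here; RFC 1542 makes the threshold configurable

def build_discover(chaddr, xid=0x3903F326):
    """Constructed DHCPDISCOVER as a client broadcasts it (giaddr and hops are zero)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0,                # op=BOOTREQUEST, htype, hlen, hops
                        xid, 0, 0x8000,            # secs, flags (broadcast bit)
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])

def _end_offset(msg):
    """Walk the options field (starts after the cookie) and locate the END option."""
    i = 240
    while i < len(msg):
        if msg[i] == OPT_END:
            return i
        i += 1 if msg[i] == OPT_PAD else 2 + msg[i + 1]
    raise ValueError("no END option")

def relay_to_server(datagram, relay_ip, server_ip, circuit_id=b""):
    """Relay a client BOOTREQUEST toward the server.  Returns
    ((src_ip, src_port), (dst_ip, dst_port), payload) or None if the relay drops it.
    The new datagram is sourced from the relay agent, not from the client."""
    op, hops = datagram[0], datagram[3]
    if op != 1 or hops >= MAX_HOPS:   # only client->server messages; drop looped ones
        return None
    msg = bytearray(datagram)
    msg[3] = hops + 1
    if msg[24:28] == b"\0" * 4:        # only the first relay on the path fills giaddr
        msg[24:28] = socket.inet_aton(relay_ip)
    if circuit_id:                     # RFC 3046 option 82, sub-option 1 = Circuit ID
        sub = bytes([1, len(circuit_id)]) + circuit_id
        end = _end_offset(msg)
        msg[end:end] = bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return (relay_ip, SERVER_PORT), (server_ip, SERVER_PORT), bytes(msg)

def parse_relay_info(msg):
    """Return the raw option-82 payload the server would read, or None."""
    i = 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == OPT_PAD:
            i += 1
            continue
        code, ln = msg[i], msg[i + 1]
        if code == OPT_RELAY_AGENT_INFO:
            return bytes(msg[i + 2:i + 2 + ln])
        i += 2 + ln
    return None
```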