ebersman> That may be the consensus at the IETF but it's not even close
ebersman> the consensus with ISPs, nor large enterprise. That seems to
ebersman> cover most of the eyeball/consumer... DHCP is still how much
ebersman> of the world gets connected and that hasn't changed in decades.

pusateri> You're misquoting me and arguing against a point I didn't
pusateri> make. There was no one saying we don't need DHCP. There was a
pusateri> general agreement that DHCP should not be extended.
pusateri> The DHC working group never completed the work for DHCP
pusateri> authentication. It's not trustworthy enough in its current
pusateri> form to add more things to it.

And I'd argue that this is also an IETF opinion, not the majority of the internet. There's a reason it's still the most widespread configuration management for devices. "Not trustworthy enough to extend" is a fine academic opinion but doesn't hold water in the marketplace.

DHCP is no worse currently than TOFU. We trust that the OFFER packet will be from the DHCP server we're supposed to use. Trust On First Use. Not great but it works more than not. At least that's the argument I kept hearing for TOFU.

We actually have operational experience of decades for DHCP and this isn't a widespread enough problem to kill any innovation forever because it's not perfect.

If we want the world to use what the IETF develops, we have to be able to balance theoretical risk vs sane and widespread deployment. If not, someone will just wind up shoving this into yet another DHCP vendor option and every vendor will be different. That will be even less secure.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop