DHCP Configuration of IPSEC Tunnel Mode - PowerPoint

Report as inappropriate Your report has been received
Shared by: wxr16887
Tags
ipsec tunnel, tunnel mode, ip address, dhcp server, security gateway, ipsec vpn, remote access, ipsec client, dhcp configuration, lan interface, windows 2000, ipsec encryption, dynamic host configuration protocol, how to, dhcp relay
Stats
views:: 3
posted:: 9/8/2010
language:: English
pages:: 9
Public Domain
Document Sample
							DHCP Configuration of IPSEC
      Tunnel Mode
      Draft-ipsec-dhcp-05.txt
         Bernard Aboba
             Microsoft
                 Outline
•   Configuration Requirements
•   Security Requirements
•   DHCP usage
•   Address pool selection
•   Walkthrough
•   Summary
   Configuration Requirements
• To obtain an IP address and other configuration
  parameters appropriate to the class of host
• To reconfigure when required
• To support failover
   – Want to be able to maintain address/configuration state
     between VPN server failures
• To integrate with existing IP address management
  facilities such as DHCP
   – Want single point of address and configuration
     management
        Security Requirements
• To support address pool management
   – Examples
      • Extranet where vendors, contractors, employees have different
        access levels, allocated out of different address pools
      • Intranet where sales, marketing, engineering have different
        quality of service levels, allocated out of different pools
• To authenticate where required
   – Since DHCP server typically not co-located with VPN
     server, can’t assume access to IKE credentials
   – DHCP authentication required to prove claim of
     identity in the client-identifier-option
             DHCP Packet Body
• Hardware address length (hlen), hardware type
  (htype), client hardware address (chaddr)
   – Should be unique to the segment client is connecting to
   – Hardware identifier tells VPN server/DHCP relay
     which VPN interface to forward DHCP messages to
      • Client-identifier-option isn’t returned by DHCP server
   – LAN: Use interface hardware address
   – Dialup: Use outer IP address + 2 random octets
      • Not consistent between reboots
• Should a different htype be used for VPN?
   – Would make it easier for DHCP server to distinguish
     VPN clients
                  DHCP Options
• Client-identifier-option
   – Must be unique to client
   – Consistency between reboots needed
   – Can use Htype/Chaddr combination as suggested in
     RFC 2132
      • In dialup case, not consistent between reboots
          – Makes it difficult to support user or machine specific policies
   – Can use FQDN or NAI
      • Consistent between reboots
      • Makes it easier to administer DHCP authentication
• Classless static route option
   – Draft-ietf-dhc-csr-00.txt
   – Replacement for RFC 2132 static route option
           Address Pool Selection
• Support for existing methods for address pool selection
   –   Client hardware address
   –   Client-identifier option
   –   Vendor-class-identifier option
   –   Vendor-specific information option
   –   Relay agent option
   –   User class option
   –   Host name option
   –   Authentication option
• Can leverage conditional behavior of popular DHCP
  servers
• DHCP (even with authentication) is not an Access Control
  mechanism
   – Shouldn’t use address assignment as a way of restricting access;
     client can just choose its own IP address and get around the
     restrictions
                       Walkthrough
• The remote host establishes an IKE MM or AM security association
  with the VPN server.
• The remote host establishes a DHCP tunnel mode QM SA with the
  VPN server.
    – Filters
        • From client to server: Any to Any, destination: UDP port 67
        • From server to client: Any to Any, destination: UDP port 68
• DHCP messages are exchanged between the remote host and the
  DHCP server, using the VPN server as a DHCP relay, configuring the
  intranet interface of the remote host.
    – Security gateway needs to snoop the DHCPACK to learn the IP address
      assigned to the VPN interfaces
• The remote host MAY request deletion of the DHCP SA or the remote
  host and VPN server MAY continue to use the same SA for all
  subsequent traffic by adding temporary SPD selectors as with name ID
  types.
• The remote host establishes a tunnel mode SA to the VPN server in a
  quick mode exchange.
    IPSEC Remote Access Protocol Comparison
                        L2TP           IPSEC
                                       Tunnel
                                       Mode

Authenticated Tunnels   IPSEC          IPSEC
Authenticated Calls     Yes            Yes
Integrity Protection    IPSEC          IPSEC
Keepalive               LCP, L2TP      IKE
NAT friendliness        No             Yes (w/QM restrictions)
Address Allocation      IPCP           DHCP
Configuration           DHCPINFORM     DHCP
Multiprotocol           Yes            No
Encryption              IPSEC          IPSEC
Compression             PPP or IPPCP   IPPCP
Routing protocols       Yes            Yes, if treated as interface
Related docs