address
... useful. This may be accomplished by assigning the host a "virtual"
address from the corporate network, and then tunneling traffic ...
... IPsec from the host's ISP-assigned address to the corporate security
gateway. In IPv4, Dynamic Host Configuration Protocol ...
... an IPsec tunnel mode interface include the need to obtain an IPv4
address and other configuration parameters appropriate to the class
...
... following additional capabilities may be desirable:
a. integration with existing IPv4 address management facilities
b. support for address ...
... IPv4 address management facilities
b. support for address pool management
c. reconfiguration when required
...
... management integration
Since DHCPv4 is widely deployed for address management today,
reuse of DHCPv4 ...
... compatibility and integration with existing addressing
implementations and IPv4 address management software.
...
... 18], DHCPv4 implementations support
conditional behavior so that the address and configuration
parameters assigned can be dependent on parameters included in
the DHCPDISCOVER ...
... DHCPDISCOVER. This makes it possible for the security
gateway to ensure that the remote host receives an IP address
assignment from the appropriate address pool, such as via the
...
... remote host receives an IP address
assignment from the appropriate address pool, such as via the
User Class option, described in [16 ...
... DHCPv4 server which provides
the remote host with an address from the corporate network address
space. The remote host ...
... remote host with an address from the corporate network address
space. The remote host subsequently uses this as the source address
...
... network address
space. The remote host subsequently uses this as the source address
for all interactions with corporate resources. Note that this
implies that the corporate security gateway ...
... security gateway continues to recognize
the host's original, routable IP address as the tunnel endpoint. The
virtual identity ...
... identity assumed by the remote host when using the assigned
address appears to the corporate network as though it were situated
behind a security gateway ...
... network as though it were situated
behind a security gateway bearing the original routable IP address.
All the traffic between the remote host ...
... configured. The mechanisms for configuration of the remote host's
address for the Internet interface are well defined; i.e., PPP ...
... A typical configuration of the remote host in this application would
use two addresses: 1) an interface to connect to the Internet
...
... security gateway in a quick mode exchange.
In this case, the new address assigned via DHCPv4 SHOULD be used
in the quick mode ...
... message type.
1 = BOOTREQUEST, 2 = BOOTREPLY
htype 1 Hardware address type. Set to value 31,
signifying an IPsec tunnel mode virtual interface ...
... IPsec tunnel mode virtual interface.
hlen 1 Hardware address length
hops 1 Client sets to zero, optionally used by relay agents ...
... client, seconds elapsed since client
began address acquisition or renewal process.
flags 2 Flags. Broadcast bit ...
... set to zero.
ciaddr 4 Client IP address; only filled in if client is in
BOUND, RENEW or REBINDING state ...
... state.
yiaddr 4 'your' (client) IP address.
siaddr 4 IP address of next server to use in bootstrap ...
... client) IP address.
siaddr 4 IP address of next server to use in bootstrap;
returned in DHCPOFFER ...
... relay agent.
chaddr 16 Client hardware address. Should be unique.
sname 64 Optional server host name, null terminated string.
...
... persistent between reboots so that the DHCP server will be able to
re-assign the same address if desired.
The hlen and chaddr fields SHOULD be determined as follows:
...
... LAN interface, the chaddr field SHOULD be
determined by concatenating x'4000', the IPv4 address of the
interface supplying network ...
... network connectivity, and an additional octet.
The x'4000' value indicates a locally administered unicast MAC
address, thus guaranteeing that the constructed chaddr value will
not conflict with a globally assigned value.
...
... interface number)
SHOULD be persistent between reboots, so that the chaddr value
will be persistent across reboots if the assigned IPv4 address
remains consistent.
...
... non-LAN interface is available and a unique Internet address is
assigned to the remote host, the chaddr will also be globally unique.
...
... assigned to the remote host, the chaddr will also be globally unique.
Where a private IP address [22] is assigned to a non-LAN interface ...
... network have a
consistent addressing plan. In this case the private IP address
assigned to the remote host will be unique on the virtual subnet ...
... LAN interface is
used, it may not be persistent across reboots if the assigned IP
address changes.
b. The machine FQDN ...
... quick mode exchange. The security
gateway will use an IDcr payload of its own Internet address/UDP/port
...
... security gateway, which
will act as a DHCPv4 relay, inserting its address in the "giaddr"
field. In this case, the security gateway relays packets between the
...
... client and the DHCPv4 server, but does not request or renew addresses
on the client's behalf. While acting as a DHCP ...
... tunnel, then this can be accomplished by inserting the appropriate
interface address in the giaddr field. Alternatively, the security
gateway can utilize the DHCP Relay Agent Information Option [17 ...
... ranges subsequently used to determine quality of service;
allocation of special address ranges for remote hosts; assignment of
...
... DHCP cannot be used as an access control
mechanism. This is because a remote host can always set its own IP
address and thus evade any security measures based on DHCP
authentication.
...
... DHCP
authentication.
As a result, the assigned address MUST NOT be depended upon for
security. Instead, the security gateway ...
... client identifier option or
client MAC address. These issues can be partially addressed through
use of the DHCP Relay Information Option [17 ...
... copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
...
... PPP Internet Protocol Control Protocol Extensions for Name Server Addresses", RFC 1877, December 1995. ...
... Rekhter, Y., Moskowitz, B., Karrenberg, D., G. de Groot, and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996. ...
... Basic configuration
While ISAKMP CFG can provide for IP address assignment as well
as configuration of a few additional parameters such as the DNS
server and WINS server addresses ...
... IP address assignment as well
as configuration of a few additional parameters such as the DNS
server and WINS server addresses, the rich configuration
facilities of DHCPv4 are not supported. Past experience with
...
... 3] will be required.
Address management integration
Since IKECFG is not integrated with existing IP address ...
... Address management integration
Since IKECFG is not integrated with existing IP address
management facilities, it is difficult to integrate it with
...
... IKECFG does not provide a mechanism for the remote host to
indicate a preference for a particular address pool. This
makes it difficult to support address pool management ...
... indicate a preference for a particular address pool. This
makes it difficult to support address pool management.
...
... Fail-over support
Since IKECFG creates a separate pool of address state, it
complicates the provisioning of network ...
... PPP IPCP demonstrates, once it is decided
to provide non-integrated address management and configuration
facilities within IKE ...
... facilities within IKE, it will be difficult to limit the
duplication of effort to address assignment. Instead, it will
be tempting to also duplicate the configuration, authentication
...
... As a result, security gateways implementing IKECFG typically request
allocation of an IP address on their own behalf, and then assign this
to the client via IKECFG. Since IKECFG does not support the concept
...
... to the client via IKECFG. Since IKECFG does not support the concept
of an address lease, the security gateway will need to do the renewal
itself. This complicates the renewal process.
...
... state, the
security gateway may put its own address in the giaddr field when in
REBINDING state, thereby ensuring that it can receive the renewal
...
... Authors' Addresses ...
