DHCPv4
... host configuration in IPsec tunnel mode, and
describes how DHCPv4 may be leveraged for configuration.
...
... Basic configuration
In IPv4, leveraging DHCPv4 [3] for the configuration of IPsec
tunnel mode satisfies the basic requirements ...
... configuration parameters described in [21]
are a subset of those already supported in DHCPv4 options [4],
no new DHCPv4 ...
... Address management integration
Since DHCPv4 is widely deployed for address management today,
...
... management
As described in [18], DHCPv4 implementations support
conditional behavior so that the address and configuration
parameters ...
... Security and simplicity
Leveraging DHCPv4 also makes it easier to maintain security in
the IKE implementation ...
... requirements, nor does it provide the additional capabilities. As a
result, DHCPv4 is the superior alternative for IPsec tunnel mode
configuration.
...
... interacts via the IPsec tunnel with a DHCPv4 server which provides
the remote host with an address ...
... |+-------+ |--------| Relay | |
+------------------+ ^ +--------+ | +--------+
| |---| DHCPv4 |
IPsec tunnel ...
... IP
control protocol (IPCP), described in [10], DHCPv4, described in [3],
and static addressing ...
... SA is an IPsec tunnel
mode SA established to protect initial DHCPv4 traffic between the
security gateway ...
... DHCP messages are sent back and forth between the remote host and
the DHCPv4 server. The traffic is protected between the remote
host and the security gateway ...
... quick mode exchange.
In this case, the new address assigned via DHCPv4 SHOULD be used
in the quick mode ID.
...
... tunnel. All the IP traffic
(including future DHCPv4 messages) between the remote host and the
intranet ...
... The client MUST use the same chaddr field in all subsequent messages
within the same DHCPv4 exchange. In addition, the chaddr SHOULD be
persistent between reboots so that the DHCP server ...
... DHCPREQUEST rather
than a DHCPDISCOVER message. The initial DHCPv4 message
(DHCPDISCOVER or DHCPREQUEST ...
...
While other configurations are possible, typically the DHCPv4 server
will not reside on the same machine as the security gateway, which
...
... will not reside on the same machine as the security gateway, which
will act as a DHCPv4 relay, inserting its address in the "giaddr"
field. In this case, the security gateway ...
... security gateway relays packets between the
client and the DHCPv4 server, but does not request or renew addresses
on the client ...
... VPN SA. Similarly, all DHCP
messages subsequently sent by the DHCPv4 server will be forwarded by
the security gateway (acting as a DHCP ...
... 16] to request various configuration profiles. The
DHCPv4 server may also take a number of other variables into account,
including the htype/chaddr; the host name option; the client ...
... requirements described in [21], nor do they provide
the additional capabilities of DHCPv4.
Basic configuration ...
... DNS
server and WINS server addresses, the rich configuration
facilities of DHCPv4 are not supported. Past experience with
similar configuration mechanisms within PPP IPCP ...
... taught us that it is not viable merely to support minimal
configuration. Eventually, either much of the functionality
embodied in the DHCPv4 options [4] is duplicated or support for
DHCPINFORM ...
... authentication
and fail-over facilities of DHCPv4. This duplication will
greatly increase the scope of work, eventually compromising the
security ...
... tunnel endpoints, it is difficult to integrate IKECFG with
DHCPv4 authentication [5]. This is because the security
gateway ...
