RFC 3456: Dynamic Host Configuration Protocol (DHCP...

... In many remote access scenarios, a mechanism for making the remote host appear to be present on the local corporate network is quite useful. This may be accomplished by assigning the host ...
... remote host appear to be present on the local corporate network is quite useful. This may be accomplished by assigning the host a "virtual" address from the corporate network ...
... traffic via IPsec from the host's ISP-assigned address to the corporate security gateway ...
... address to the corporate security gateway. In IPv4, Dynamic Host Configuration Protocol (DHCP) [3] ...
... DHCP) [3] provides for such remote host configuration. This document explores the requirements for host configuration ...
... remote host configuration. This document explores the requirements for host configuration in IPsec tunnel mode, and describes how DHCPv4 ...
... DHCP client or "client" is an Internet host using DHCP to obtain configuration parameters ...
... A DHCP server or "server" is an Internet host that returns configuration parameters to DHCP clients ...


... As described in [21], the configuration requirements of a host with an IPsec tunnel mode interface ...
... configuration parameters appropriate to the class of host. In addition to meeting the basic requirements [21], the ...
... the DHCPDISCOVER. This makes it possible for the security gateway to ensure that the remote host receives an IP address assignment from the appropriate address ...


... Among many applications enabled by IPsec, a useful application is to connect a remote host to a corporate intranet via a security gateway, ...
... using IPsec tunnel mode. This host is then configured in such a manner so as to provide it with a virtual presence on the internal network ...
... network. This is accomplished in the following manner: A remote host on the Internet will connect to the security gateway ...
... and then establish an IPsec tunnel to it. The remote host then interacts via the IPsec tunnel ...
... tunnel with a DHCPv4 server which provides the remote host with an address from the corporate network address space ...
... address from the corporate network address space. The remote host subsequently uses this as the source address for all interactions with corporate resources. Note that this ...
... implies that the corporate security gateway continues to recognize the host's original, routable IP address as the tunnel endpoint. The ...
... tunnel endpoint. The virtual identity assumed by the remote host when using the assigned address appears to the corporate network ...
... IP address. All the traffic between the remote host and the intranet will be carried over the IPsec ...
... [Figure: remote host with an externally visible address on the Internet, a virtual host presence on the intranet, and an IPsec tunnel to the security gateway/DHCP relay, with DHCP traffic carried inside the tunnel] ...
... This scenario assumes that the remote host already has Internet connectivity and the host ...
... remote host already has Internet connectivity and the host Internet interface is appropriately ...
... Internet interface is appropriately configured. The mechanisms for configuration of the remote host's address for the Internet ...
... addressing. The mechanisms for auto-configuration of the intranet are also standardized. It is also assumed that the remote host has knowledge of the location of the security gateway. This can be accomplished via DNS ...
... records. A typical configuration of the remote host in this application would use two addresses: 1) an interface ...
... interface of the IPsec tunnel mode host is accomplished in the following steps: a. The remote host ...
... host is accomplished in the following steps: a. The remote host establishes an IKE security association with the security gateway ...
... SAs. b. The remote host establishes a DHCP SA with the IPsec tunnel mode ...
... traffic between the security gateway and the remote host. The DHCP SA MUST only be ...
... c. DHCP messages are sent back and forth between the remote host and the DHCPv4 server. The traffic ...
... the DHCPv4 server. The traffic is protected between the remote host and the security gateway using the DHCP SA ...
... SA established in step b. After the DHCP conversation completes, the remote host's intranet interface ...
... configuration parameters. d. The remote host MAY request deletion of the DHCP SA since future ...
... IPsec tunnel. Alternatively, the remote host and the security gateway MAY continue to use the same SA ...
... e. If a new IPsec tunnel is required, the remote host establishes a tunnel mode SA to the security gateway ...
... quick mode ID. At the end of the last step, the remote host is ready to communicate with the intranet using an IPsec ...
... IP traffic (including future DHCPv4 messages) between the remote host and the intranet are now tunneled over this IPsec tunnel mode ...
... SAs are based on the unique requirements of the remote host and the security gateway, they are not described in this document. The mechanisms described here ...


... The events begin with the remote host intranet interface generating a ...
... Client hardware address. Should be unique. sname 64 Optional server host name, null terminated string. file 128 Boot file name, null terminated string; "generic" name or null in DHCPDISCOVER ...
... If the above prescription is followed, then the chaddr will always be unique on the virtual subnet provided that the remote host only brings up a single tunnel to the security gateway ...
... interface is available and a unique Internet address is assigned to the remote host, the chaddr will also be globally unique. Where a private IP address [22 ...
... interface, it will not be globally unique. However, in this case packets will not be routed back and forth between the remote host and the security gateway unless the external network and corporate network ...
... addressing plan. In this case the private IP address assigned to the remote host will be unique on the virtual subnet. ...
... DHCP SA SHOULD be on the order of minutes since it will only be temporary. The remote host SHOULD use an IDci payload of 0.0.0.0/UDP ...
... as follows: From remote host to security gateway: Any to Any, destination: UDP port ...
... From security gateway to remote host: Any to Any, destination: UDP port 68 ...
... destination, the IPsec implementations on both the remote host and the security gateway must be capable of handling this. ...
... route the corresponding DHCPOFFER message(s) back to the remote host on the correct IPsec tunnel ...
... SA by the security gateway. The remote host Internet interface then forwards the DHCPACK ...
... SA to the security gateway. The remote host may now delete the DHCP ...
... DHCPNAK messages. It SHOULD be possible to configure the remote host to forward all Internet-bound traffic ...
... overhead to round-trips between the remote host and the Internet, it provides some added security ...
... security gateway may now filter traffic as it would if the remote host were physically located on the corporate network. ...
... Several mechanisms can be used to enable remote hosts to be assigned different configurations. For example, clients may use the User ...
... DHCPv4 server may also take a number of other variables into account, including the htype/chaddr; the host name option; the client-identifier ...
... allocation of special address ranges for remote hosts; assignment of static routes to clients [20 ...
... security considerations, these mechanisms, while useful, do not enhance security since they can be evaded by a remote host choosing its own IP address. ...


... This protocol is secured using IPsec, and as a result the DHCP packets flowing between the remote host and the security gateway are authenticated ...
... authenticated DHCP cannot be used as an access control mechanism. This is because a remote host can always set its own IP address and thus evade any security measures based on DHCP authentication ...


... Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. ...
... Lemon, T., Cheshire, S. and B. Volz, "The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP)", RFC 3442, December 2002. ...


... Address pool management IKECFG does not provide a mechanism for the remote host to indicate a preference for a particular address pool. This ...