IPsec
Click on the red underlined text to get to the source
... the requirements for host configuration in IPsec tunnel mode, and
describes how DHCPv4 may be leveraged for configuration.
...
... IPsec tunnel mode configuration requirements ...
... requirements of a host with
an IPsec tunnel mode interface include the need to obtain an IPv4
address and other configuration parameters ...
...
Leveraging DHCP for configuration of IPsec tunnel mode meets the
basic requirements described in [21 ...
... IPv4, leveraging DHCPv4 [3] for the configuration of IPsec
tunnel mode satisfies the basic requirements described in [21].
...
... authentication [5] is required, this can be
supported on an IPsec tunnel mode interface as it would be on
any other interface ...
... requirements, nor does it provide the additional capabilities. As a
result, DHCPv4 is the superior alternative for IPsec tunnel mode
configuration.
...
... network layer between communicating peers.
Among many applications enabled by IPsec, a useful application is to
connect a remote host to a corporate intranet ...
... corporate intranet via a security gateway,
using IPsec tunnel mode. This host is then configured in such a
...
... Internet will connect to the security gateway
and then establish an IPsec tunnel to it. The remote host then
...
... tunnel to it. The remote host then
interacts via the IPsec tunnel with a DHCPv4 server which provides
...
... remote host and the intranet will be
carried over the IPsec tunnel via the security gateway as shown
...
... interfaces are used in the outer and inner headers of the
IPsec tunnel mode packet, respectively.
...
... The configuration of the intranet interface of the IPsec tunnel mode
host is accomplished in the following steps:
...
... remote host establishes a DHCP SA with the IPsec tunnel mode
server in a quick mode exchange. The DHCP ...
... quick mode exchange. The DHCP SA is an IPsec tunnel
mode SA established to protect initial DHCPv4 traffic ...
... SA since future
DHCP messages will be carried over a new IPsec tunnel.
Alternatively, the remote host ...
... remote host is ready to communicate
with the intranet using an IPsec tunnel. All the IP traffic
...
... htype 1 Hardware address type. Set to value 31.
signifying an IPsec tunnel mode virtual interface.
hlen 1 Hardware address ...
... DHCP message
The htype value is set to the value 31, signifying a virtual IPsec
tunnel mode interface, in order to enable the DHCP server to
...
... broadcast address destination, the IPsec implementations
on both the remote host and the security gateway ...
... DHCPOFFER message(s) back to the remote host on the
correct IPsec tunnel, without having to keep state gleaned from the
...
... If the security gateway maintains a separate subnet for each IPsec
tunnel, then this can be accomplished by inserting the appropriate
...
... the security gateway (acting as a DHCP Relay) using the IPsec tunnel
mode SA, including DHCPOFFER, DHCPACK ...
...
This protocol is secured using IPsec, and as a result the DHCP
packets flowing between the remote host and the security gateway ...
...
This document requires that an htype value be allocated for use with
IPsec tunnel mode, as described in section 4.1. Note that DHCP
relies on the arp-parameters registry ...
... an assignment in the arp-parameters registry is required, even though
IPsec-DHCP will never use that parameter for ARP purposes, since
...
... Kelly, S. and S. Ramamoorthi, "Requirements for IPsec Remote Access Scenarios", RFC 3457, January 2003. ...
... Authentication
While IKECFG can support mutual authentication of the IPsec
tunnel endpoints, it is difficult to integrate IKECFG with
...