remote host
...
In many remote access scenarios, a mechanism for making the remote
host appear to be present on the local corporate network is quite
useful. This may be accomplished by assigning the host ...
... DHCP) [3]
provides for such remote host configuration. This document explores
the requirements for host configuration ...
... the DHCPDISCOVER. This makes it possible for the security
gateway to ensure that the remote host receives an IP address
assignment from the appropriate address ...
... Among many applications enabled by IPsec, a useful application is to
connect a remote host to a corporate intranet via a security gateway,
...
... network. This is accomplished in the following manner:
A remote host on the Internet will connect to the security gateway
...
... and then establish an IPsec tunnel to it. The remote host then
interacts via the IPsec tunnel with a DHCPv4 server which provides
the remote host with an address from the corporate network address
space. The remote host subsequently uses this as the source address
for all interactions with corporate resources. Note that this
...
... tunnel endpoint. The
virtual identity assumed by the remote host when using the assigned
address appears to the corporate network ...
... IP address.
All the traffic between the remote host and the intranet will be
carried over the IPsec ...
... traffic inside
This scenario assumes that the remote host already has Internet
connectivity and the host ...
... Internet interface is appropriately
configured. The mechanisms for configuration of the remote host's
address for the Internet ...
... addressing. The mechanisms for auto-configuration of the
intranet are also standardized. It is also assumed that the remote
host has knowledge of the location of the security gateway. This can
be accomplished via DNS ...
... records.
A typical configuration of the remote host in this application would
use two addresses: 1) an interface ...
... host is accomplished in the following steps:
a. The remote host establishes an IKE security association with the
security gateway ...
...
c. DHCP messages are sent back and forth between the remote host and
the DHCPv4 server. The traffic is protected between the remote
host and the security gateway using the DHCP SA established in
step b. After the DHCP conversation completes, the remote host's
intranet interface ...
... configuration parameters.
d. The remote host MAY request deletion of the DHCP SA since future
...
... IPsec tunnel.
Alternatively, the remote host and the security gateway MAY
continue to use the same SA ...
... e. If a new IPsec tunnel is required, the remote host establishes a
tunnel mode SA to the security gateway ...
... quick mode ID.
At the end of the last step, the remote host is ready to communicate
with the intranet using an IPsec ...
... IP traffic
(including future DHCPv4 messages) between the remote host and the
intranet is now tunneled over this IPsec tunnel mode ...
... SAs are based on the
unique requirements of the remote host and the security gateway, they
are not described in this document. The mechanisms described here
...
... If the above prescription is followed, then the chaddr will always be
unique on the virtual subnet provided that the remote host only
brings up a single tunnel to the security gateway ...
... interface is available and a unique Internet address is
assigned to the remote host, the chaddr will also be globally unique.
Where a private IP address [22 ...
... interface,
it will not be globally unique. However, in this case packets will
not be routed back and forth between the remote host and the security
gateway unless the external network and corporate network ...
... addressing plan. In this case the private IP address
assigned to the remote host will be unique on the virtual subnet.
...
... DHCP SA SHOULD be on the order of minutes since it
will only be temporary. The remote host SHOULD use an IDci payload
of 0.0.0.0/UDP ...
... destination, the IPsec implementations
on both the remote host and the security gateway must be capable of
handling this.
...
... route
the corresponding DHCPOFFER message(s) back to the remote host on the
correct IPsec tunnel ...
... DHCPNAK messages.
It SHOULD be possible to configure the remote host to forward all
Internet-bound traffic ...
... overhead
to round-trips between the remote host and the Internet, it provides
some added security ...
... security gateway may now filter traffic as it would if the remote
host were physically located on the corporate network.
...
... security
considerations, these mechanisms, while useful, do not enhance
security since they can be evaded by a remote host choosing its own
IP address.
...
... This protocol is secured using IPsec, and as a result the DHCP
packets flowing between the remote host and the security gateway are
authenticated ...
... authenticated DHCP cannot be used as an access control
mechanism. This is because a remote host can always set its own IP
address and thus evade any security measures based on DHCP
authentication ...
... Address pool management
IKECFG does not provide a mechanism for the remote host to
indicate a preference for a particular address pool. This
...
