security
... host's ISP-assigned address to the corporate security
gateway. In IPv4, Dynamic Host Configuration Protocol (DHCP ...
... d. support for fail-over
e. maintaining security and simplicity in the IKE implementation.
f. authentication ...
... configuration
parameters assigned can be dependent on parameters included in
the DHCPDISCOVER. This makes it possible for the security
gateway to ensure that the remote host receives an IP address
...
... Security and simplicity
Leveraging DHCPv4 also makes it easier to maintain security in
the IKE implementation since no IKE ...
... connect a remote host to a corporate intranet via a security gateway,
using IPsec tunnel mode ...
... A remote host on the Internet will connect to the security gateway
and then establish an IPsec tunnel ...
... source address
for all interactions with corporate resources. Note that this
implies that the corporate security gateway continues to recognize
the host's original, routable IP address ...
... address appears to the corporate network as though it were situated
behind a security gateway bearing the original routable IP address.
All the traffic ...
... intranet are also standardized. It is also assumed that the remote
host has knowledge of the location of the security gateway. This can
be accomplished via DNS, using either A, KX [23 ...
...
a. The remote host establishes an IKE security association with the
security gateway in a main mode or aggressive mode exchange. This
IKE SA then serves to secure additional quick mode ...
... DHCPv4 server. The traffic is protected between the remote
host and the security gateway using the DHCP SA established in
...
... tunnel.
Alternatively, the remote host and the security gateway MAY
continue to use the same SA for all subsequent traffic ...
... remote host establishes a
tunnel mode SA to the security gateway in a quick mode exchange.
In this case, the new address ...
... SA.
Since the security parameters used for different SAs are based on the
unique requirements of the remote host and the security gateway, they
are not described in this document. The mechanisms described here
work best when the VPN ...
... it will not be globally unique. However, in this case packets will
not be routed back and forth between the remote host and the security
gateway unless the external network and corporate network have a
...
... UDP/port 68 in the quick mode exchange. The security
gateway will use an IDcr payload of its own Internet address/UDP ...
... (DHCPDISCOVER or DHCPREQUEST) is then tunneled to the security
gateway using the tunnel mode SA. Note that since the DHCPDISCOVER
...
... IPsec implementations
on both the remote host and the security gateway must be capable of
handling this.
...
... While other configurations are possible, typically the DHCPv4 server
will not reside on the same machine as the security gateway, which
will act as a DHCPv4 relay, inserting its address in the "giaddr"
field. In this case, the security gateway relays packets between the
client and the DHCPv4 server ...
... on the client's behalf. While acting as a DHCP Relay, the security
gateway MAY implement DHCP Relay load balancing as described in [19 ...
... Since DHCP Relays are stateless, the security gateway SHOULD insert
appropriate information in the DHCP message prior to forwarding to
one or more DHCP servers. This enables the security gateway to route
the corresponding DHCPOFFER ...
... interface address in the giaddr field. Alternatively, the security
gateway can utilize the DHCP Relay Agent Information Option [17]. In
...
... client in order to route
packets to it, the security gateway will typically snoop the yiaddr
field within the DHCPACK ...
... interface then responds by creating a DHCPREQUEST message,
which is tunneled to the security gateway using the DHCP SA.
...
... DHCP
messages subsequently sent by the DHCPv4 server will be forwarded by
the security gateway (acting as a DHCP Relay) using the IPsec tunnel
mode SA ...
... remote host and the Internet, it provides
some added security in return for this, in that the corporate
security gateway may now filter traffic as it would if the remote
host were physically located on the corporate network ...
... static routes to clients [20], etc. As noted in the security
considerations, these mechanisms, while useful, do not enhance
security since they can be evaded by a remote host choosing its own
IP address ...
... Security Considerations ...
... using IPsec, and as a result the DHCP
packets flowing between the remote host and the security gateway are
authenticated and integrity protected.
However, since the security gateway acts as a DHCP Relay, no
protection is afforded the DHCP packets in the portion of the path
between the security gateway and the DHCP server, unless DHCP
authentication is used.
...
... access control
mechanism. This is because a remote host can always set its own IP
address and thus evade any security measures based on DHCP
authentication.
...
... As a result, the assigned address MUST NOT be depended upon for
security. Instead, the security gateway can use other techniques
such as instantiating packet filters or quick mode ...
... Atkinson, R. and S. Kent, "Security Architecture for the Internet Protocol", RFC 2401 (obsoleted by RFC 4301), November 1998. ...
... Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406 (obsoleted by RFC 4303 and RFC 4305; RFC 4305 in turn obsoleted by RFC 4835), November 1998. ...
... Piper, D., "The Internet IP Security Domain of Interpretation of ISAKMP", RFC 2407 (obsoleted by RFC 4306), November 1998. ...
... DHCPv4. This duplication will
greatly increase the scope of work, eventually compromising the
security of IKE.
...
... DHCPv4 authentication [5]. This is because the security
gateway will not typically have access to the client
credentials ...
... client's behalf.
As a result, security gateways implementing IKECFG typically request
allocation of an IP address on their own behalf, and then assign this
...
... client via IKECFG. Since IKECFG does not support the concept
of an address lease, the security gateway will need to do the renewal
itself. This complicates the renewal process.
...
... DHCPACK will be sent directly to the client, which will not be
expecting it. As a result, it is either necessary for the security
gateway to add special code to avoid forwarding such packets, or to
wait until REBINDING state. Since [3 ...
... giaddr field cannot be filled in when in the REBINDING state, the
security gateway may put its own address in the giaddr field when in
REBINDING state ...
