RFC 3456: Dynamic Host Configuration Protocol (DHCP...
RFC-Ref

Security Gateway



... host's ISP-assigned address to the corporate security gateway. In IPv4, Dynamic Host Configuration Protocol (DHCP ...


... configuration parameters assigned can be dependent on parameters included in the DHCPDISCOVER. This makes it possible for the security gateway to ensure that the remote host receives an IP address ...


... connect a remote host to a corporate intranet via a security gateway, using IPsec tunnel mode ...
... A remote host on the Internet will connect to the security gateway and then establish an IPsec tunnel ...
... source address for all interactions with corporate resources. Note that this implies that the corporate security gateway continues to recognize the host's original, routable IP address ...
... address appears to the corporate network as though it were situated behind a security gateway bearing the original routable IP address. All the traffic ...
... carried over the IPsec tunnel via the security gateway as shown below: ...
... intranet are also standardized. It is also assumed that the remote host has knowledge of the location of the security gateway. This can be accomplished via DNS, using either A, KX [23 ...
... remote host establishes an IKE security association with the security gateway in a main mode or aggressive mode exchange. This IKE SA then serves to secure additional quick mode ...
... DHCPv4 traffic between the security gateway and the remote host. The DHCP SA ...
... DHCPv4 server. The traffic is protected between the remote host and the security gateway using the DHCP SA established in ...
... tunnel. Alternatively, the remote host and the security gateway MAY continue to use the same SA for all subsequent traffic ...
... remote host establishes a tunnel mode SA to the security gateway in a quick mode exchange. In this case, the new address ...
... unique requirements of the remote host and the security gateway, they are not described in this document. The mechanisms described here work best when the VPN ...


... DHCPOFFER, DHCPACK by server. giaddr (4 octets): Security gateway interface IPv4 address, used in ...
... remote host only brings up a single tunnel to the security gateway. Where a LAN interface ...
... it will not be globally unique. However, in this case packets will not be routed back and forth between the remote host and the security gateway unless the external network and corporate network have a ...
... intranet interface to the security gateway, an IKE Phase 1 SA is established ...
... between the Internet interface and the security gateway. A phase 2 (quick mode) DHCP ...
... UDP/port 68 in the quick mode exchange. The security gateway will use an IDcr payload of its own Internet address/UDP ...
... From remote host to security gateway: Any to Any, destination: UDP port 67 ...
... UDP port 67 From security gateway to remote host: Any to Any, destination: UDP port ...
... (DHCPDISCOVER or DHCPREQUEST) is then tunneled to the security gateway using the tunnel mode SA. Note that since the DHCPDISCOVER ...
... IPsec implementations on both the remote host and the security gateway must be capable of handling this. ...
... While other configurations are possible, typically the DHCPv4 server will not reside on the same machine as the security gateway, which will act as a DHCPv4 relay, inserting its address ...
... DHCPv4 relay, inserting its address in the "giaddr" field. In this case, the security gateway relays packets between the client and the DHCPv4 server ...
... on the client's behalf. While acting as a DHCP Relay, the security gateway MAY implement DHCP Relay load balancing as described in [19 ...
... Since DHCP Relays are stateless, the security gateway SHOULD insert appropriate information in the DHCP message prior to forwarding to ...
... DHCP message prior to forwarding to one or more DHCP servers. This enables the security gateway to route the corresponding DHCPOFFER ...
... tunnel. If the security gateway maintains a separate subnet for each IPsec ...
... interface address in the giaddr field. Alternatively, the security gateway can utilize the DHCP Relay Agent Information Option [17]. In ...
... client in order to route packets to it, the security gateway will typically snoop the yiaddr field within the DHCPACK ...
... interface then responds by creating a DHCPREQUEST message, which is tunneled to the security gateway using the DHCP SA. ...
... which is forwarded down the DHCP SA by the security gateway. The remote host Internet ...
... IPsec tunnel mode SA to the security gateway. The remote host may now delete the DHCP ...
... DHCP messages subsequently sent by the DHCPv4 server will be forwarded by the security gateway (acting as a DHCP Relay) using the IPsec tunnel mode SA ...
... some added security in return for this, in that the corporate security gateway may now filter traffic as it would if the remote host were physically located on the corporate network ...


... using IPsec, and as a result the DHCP packets flowing between the remote host and the security gateway are authenticated and integrity ...
... integrity protected. However, since the security gateway acts as a DHCP Relay, no protection is afforded the DHCP packets ...
... protection is afforded the DHCP packets in the portion of the path between the security gateway and the DHCP server, unless DHCP authentication is used. ...
... address MUST NOT be depended upon for security. Instead, the security gateway can use other techniques such as instantiating packet filters or quick mode ...


... IP address management system and in the security gateways themselves. Security ...
... DHCPv4 authentication [5]. This is because the security gateway will not typically have access to the client credentials ...
... client's behalf. As a result, security gateways implementing IKECFG typically request allocation of an IP address on their own behalf, and then assign this ...
... client via IKECFG. Since IKECFG does not support the concept of an address lease, the security gateway will need to do the renewal itself. This complicates the renewal process. ...
... DHCPACK will be sent directly to the client, which will not be expecting it. As a result, it is either necessary for the security gateway to add special code to avoid forwarding such packets, or to wait until REBINDING state. Since [3 ...
... giaddr field cannot be filled in when in the REBINDING state, the security gateway may put its own address in the giaddr field when in REBINDING state ...