IKEv2 Configuration Payload Integration
Darren Dukes, ddukes@cisco.com
Gregory Lebovitz, gregory@netscreen.com
http://www.vpnc.org/temp-draft-lebovitz-ipsec-scalable-ikev2cp-00.txt
Full presentation - http://www.employees.org/~ddukes
Agenda
• IRAC Configuration Problem
• The Configuration Payload
• Private Pools
• DHCP Assigned Addresses
• RADIUS Assigned Addresses
The IRAC Configuration Problem
• IPsec Remote Access Clients (IRACs) need to have a private IP address in order to specify TSi before creating CHILD-SAs.
• How do we assign a unique IP address to the client before creating CHILD-SAs?
The Configuration Payload
• Allows an IRAC to acquire bootstrapping configuration within the IKEv2 IKE_AUTH exchange
• No extension of the IKE_AUTH exchange or new exchange (no “phase 1.5”)
• A generic mechanism to pass minimal bootstrapping parameters for CHILD-SA creation
• May be used with any configuration server, such as DHCP, RADIUS, LDAP, etc.
IP Address Bootstrapping
• CP(CFG_REQUEST) is sent by an IRAC in IKE_AUTH to request an IP address from an IPsec Remote Access Server (IRAS)
• IRAS processes the CP(CFG_REQUEST) and assigns an address to the IRAC from internal or external configuration servers
• IRAS sends a CP(CFG_REPLY) to the IRAC with minimal IP address configuration so that a CHILD-SA can be established.
CP and Private Pools
Participants: IRAC (IKE-client), IRAS (IKE Gtwy)
• IKEv2 Message 1: HDR, SAi1, KEi, Ni -->
• IKEv2 Message 2: <-- HDR, SAr1, KEr, Nr, [CERTREQ]
• IKEv2 Message 3: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] CP(CFG_REQUEST), SAi2, TSi, TSr} -->
• IRAS builds CFG_REPLY: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS
• IKEv2 Message 4: <-- HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
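As an added example (not part of the slides or the draft), a minimal Python encoder and parser for the Configuration Payload body carried in messages 3 and 4 above: it builds the IRAC's CP(CFG_REQUEST) with empty attributes and validates the IRAS's CP(CFG_REPLY) before trusting the addresses in it. CFG types and attribute numbers follow RFC 7296 section 3.15; all addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address
# IKEv2 Configuration Payload constants (RFC 7296, section 3.15).
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS = 1, 2, 3, 4
IP4_ATTRS = {1, 2, 3, 4, 6}  # these (incl. INTERNAL_IP4_DHCP = 6) carry one IPv4 address
REQUESTED = (INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS)

def encode_cp(cfg_type, attrs):
    """CP body: CFG Type, 3 reserved octets, then R|Type(15 bits), Length, Value."""
    body = struct.pack("!B3x", cfg_type)
    for attr_type, value in attrs:
        body += struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value
    return body

def decode_cp(body):
    """Parse a CP body into (cfg_type, [(attr_type, value), ...]), rejecting bad lengths."""
    if len(body) < 4:
        raise ValueError("CP body shorter than its 4-octet header")
    cfg_type, attrs, pos = body[0], [], 4
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = struct.unpack_from("!HH", body, pos)
        attr_type &= 0x7FFF  # clear the reserved R bit
        pos += 4
        if length > len(body) - pos:
            raise ValueError("attribute %d overruns the payload" % attr_type)
        # An IPv4 attribute is either a request (length 0) or one address (length 4).
        if attr_type in IP4_ATTRS and length not in (0, 4):
            raise ValueError("IPv4 attribute %d has length %d" % (attr_type, length))
        attrs.append((attr_type, body[pos:pos + length]))
        pos += length
    return cfg_type, attrs

def irac_request():
    """The IRAC's CP(CFG_REQUEST): zero-length attributes ask the IRAS for values."""
    return encode_cp(CFG_REQUEST, [(t, b"") for t in REQUESTED])

def iras_reply(addr, mask, dns, nbns):
    """The IRAS's CP(CFG_REPLY) answered from an on-IRAS pool (constructed values)."""
    values = [IPv4Address(a).packed for a in (addr, mask, dns, nbns)]
    return encode_cp(CFG_REPLY, list(zip(REQUESTED, values)))

def addresses_from_reply(body):
    """Validate a CFG_REPLY and return {attr_type: dotted-quad string}."""
    cfg_type, attrs = decode_cp(body)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY (2), got CFG Type %d" % cfg_type)
    return {t: str(IPv4Address(v)) for t, v in attrs if len(v) == 4}
```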
On-IRAS Pools
• A private pool of addresses may be configured locally on an IRAS and assigned to requesting IRACs
• Works for very small deployments
• Won’t scale well for larger deployments.
Off-IRAS Pools
Participants: IRAC (IKE-client), IRAS (IKE Gateway), external configuration servers (RADIUS Database, DHCP Server, Other Configuration Server)
• IRAS proxies the IRAC CP(CFG_REQUEST) for an IP address to an external configuration server
Must be able to satisfy CP via DHCP
• DHCP is widely deployed for address assignment in LANs
• DHCP has many options that may be useful for an IRAC to retrieve
DHCP Assigned Addresses
• A DHCP server may be used to assign addresses to the IRAS on behalf of an IRAC
• IRAS is responsible for requesting IP addresses on a per-IRAC basis from the DHCP server when it receives a CP(CFG_REQUEST)
• IRAS sends the IP address and other minimal configuration to the IRAC via a CP(CFG_REPLY) once an address is retrieved
CP and DHCP
Participants: IRAC (IKE-client), IRAS (IKE Gtwy), DHCP Server
• IKEv2 Message 1: HDR, SAi1, KEi, Ni -->
• IKEv2 Message 2: <-- HDR, SAr1, KEr, Nr, [CERTREQ]
• IKEv2 Message 3: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] CP(CFG_REQUEST), SAi2, TSi, TSr} -->
• IRAS requests an address from the DHCP Server: DHCPDISCOVER -->, <-- DHCPOFFER
• DHCPREQUEST -->, <-- DHCPACK
• IRAS converts DHCP options to CP attributes
• CFG_REPLY: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS, Internal_IP4_DHCP
• IKEv2 Message 4: <-- HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
DHCPINFORM
• Further configuration may be requested from a DHCP server via the CHILD-SA
• IRAC --> DHCP Server (through the IRAS, over the CHILD-SA): DHCPINFORM; <-- DHCPACK
EAP + CP
Initiator                                              Responder
-----------                                            -----------
HDR, SAi1, KEi, Ni  -->
                                  <-- HDR, SAr1, KEr, Nr, [CERTREQ]
HDR, SK {IDi, [CERTREQ,] [IDr,] [CP], SAi2, TSi, TSr}  -->
                                  <-- HDR, SK {IDr, [CERT,] AUTH, EAP}
HDR, SK {EAP, [AUTH]}  -->
                                  <-- HDR, SK {EAP, [AUTH], [CP], SAr2, TSi, TSr}
MUST be able to satisfy CP via RADIUS
• Mature as a client configuration mechanism
• Widely implemented
• Predominant client configuration mechanism in use by ISPs and large enterprises today
CP w/ RADIUS needs EAP
• RADIUS is very user/password centric: it needs them to perform the database lookup. RFC 2865:
• SHOULD send User-Name
• MUST send Password (User or CHAP)
• The user entry in the database contains a list of requirements and optional attributes.
• RADIUS attributes map to CP attributes
Host Configuration Attributes
• RADIUS [RFC 2865] defines many attributes.
• Attributes are extensible via Vendor Specific Attributes (VSAs)
• Attributes relevant to CP: * list not exhaustive
Example: ACCEPT
• Accept shown next
• Reject is easy
• Challenge is a mutation of Accept, but pretty close (see the document for details).
ACCEPT
Participants: IRAC (IKE-client), IRAS (IKE Gtwy), RADIUS Database
• IKEv2 Message 1: HDR, SAi1, KEi, Ni -->
• IKEv2 Message 2: <-- HDR, SAr1, KEr, Nr, [CERTREQ]
• IKEv2 Message 3: HDR, SK {IDi, [CERTREQ,] [IDr,] [CP(CFG_REQUEST)], SAi2, TSi, TSr} -->
• IKEv2 Message 4: <-- HDR, SK {IDr, [CERT,] AUTH, EAP}
• IKEv2 Message 5: HDR, SK {EAP, [AUTH]} -->
• IRAS parses Usr/Pass from EAP and maps them to RADIUS attributes
• RADIUS Access-Request (Usr, Pass) --> RADIUS Database
• <-- RADIUS Access-Accept: Framed-IP, Framed-Netmask, VSA(1), …, VSA(n)
• IRAS converts RADIUS attributes to CP attributes
• RADIUS Accounting-Request START --> RADIUS Database
• CFG_REPLY: Internal_IP4_ADDR, Internal_IP4_Netmask, Internal_IP4_DNS, Internal_IP4_NBNS
• IKEv2 Message 6: <-- HDR, SK {EAP, [AUTH], [CP(CFG_REPLY)], SAr2, TSi, TSr}
• Upon deletion of the IKE/CHILD SAs: RADIUS Accounting-Request STOP --> RADIUS Database; IP released back to the pool
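An added example (not from the slides or the draft) of the two IRAS-side conversion steps in the DHCP and RADIUS flows, "Convert DHCP options to CP Attr" and "Convert RADIUS Attr to CP Attr": DHCP option codes follow RFC 2132, RADIUS attribute types RFC 2865, CP attribute numbers RFC 7296, and the DHCPACK options and Access-Accept attribute bytes used to exercise it are constructed. It also shows one check a practitioner wants here: the Framed-IP-Address sentinels 0xFFFFFFFF and 0xFFFFFFFE mean "user selects" / "NAS selects" and must not be handed to the IRAC as an address.

```python
# CP attribute types (RFC 7296 3.15), DHCP option codes (RFC 2132), RADIUS attribute types (RFC 2865).
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS, INTERNAL_IP4_DHCP = 1, 2, 3, 4, 6
DHCP_TO_CP = {1: INTERNAL_IP4_NETMASK, 6: INTERNAL_IP4_DNS, 44: INTERNAL_IP4_NBNS, 54: INTERNAL_IP4_DHCP}
RADIUS_TO_CP = {8: INTERNAL_IP4_ADDRESS, 9: INTERNAL_IP4_NETMASK}  # Framed-IP-Address, Framed-IP-Netmask

def parse_dhcp_options(options):
    """Parse DHCP options (code, length, value TLVs; 0 pads, 255 ends) into {code: value}."""
    out, pos = {}, 0
    while pos < len(options) and options[pos] != 255:
        if options[pos] == 0:  # pad octet
            pos += 1
            continue
        if pos + 2 > len(options) or pos + 2 + options[pos + 1] > len(options):
            raise ValueError("truncated DHCP option at offset %d" % pos)
        code, length = options[pos], options[pos + 1]
        out[code] = options[pos + 2:pos + 2 + length]
        pos += 2 + length
    return out

def dhcp_ack_to_cp(yiaddr, options):
    """'Convert DHCP options to CP attr' on the IRAS: {cp_type: [4-octet values]}, one per listed server."""
    attrs = {INTERNAL_IP4_ADDRESS: [yiaddr]}  # the leased address comes from yiaddr
    for code, value in parse_dhcp_options(options).items():
        cp = DHCP_TO_CP.get(code)
        if cp is None or len(value) == 0 or len(value) % 4:
            continue  # not a CP attribute, or not a whole number of IPv4 addresses
        attrs[cp] = [value[i:i + 4] for i in range(0, len(value), 4)]
    return attrs

def parse_radius_attrs(data):
    """Parse RADIUS attributes (type, length incl. 2-octet header, value) into {type: [values]}."""
    out, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        out.setdefault(data[pos], []).append(data[pos + 2:pos + data[pos + 1]])
        pos += data[pos + 1]
    return out

def radius_accept_to_cp(data):
    """'Convert RADIUS attr to CP attr' on the IRAS for an Access-Accept's attribute bytes."""
    attrs = {}
    for atype, values in parse_radius_attrs(data).items():
        cp = RADIUS_TO_CP.get(atype)
        if cp is None or any(len(v) != 4 for v in values):
            continue  # VSAs and non-address attributes are not mapped here
        if cp == INTERNAL_IP4_ADDRESS and values[0] in (b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe"):
            continue  # "user selects" / "NAS selects" sentinels: the IRAS must assign from another pool
        attrs[cp] = values
    return attrs
```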
Advancement
• Become a WG document?
• If so, how to proceed?
Volunteers??
• Section for LDAP
• Section for DHCPv6.