1 / 23

IKEv2 Configuration Payload Integration

IKEv2 Configuration Payload Integration. Darren Dukes, ddukes@cisco.com Gregory Lebovitz, gregory@netscreen.com. http://www.vpnc.org/temp-draft-lebovitz-ipsec-scalable-ikev2cp-00.txt Full presentation - http://www.employees.org/~ddukes. Agenda. IRAC Configuration Problem

giulio
Télécharger la présentation

IKEv2 Configuration Payload Integration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IKEv2Configuration Payload Integration Darren Dukes, ddukes@cisco.com Gregory Lebovitz, gregory@netscreen.com http://www.vpnc.org/temp-draft-lebovitz-ipsec-scalable-ikev2cp-00.txt Full presentation - http://www.employees.org/~ddukes

  2. Agenda • IRAC Configuration Problem • The Configuration Payload • Private Pools • DHCP Assigned Addresses • RADIUS Assigned Addresses

  3. The IRAC Configuration Problem • IPsec Remote Access Clients (IRACs) need to have a private IP address in order to specify TSi before creating CHILD-SAs. • How do we assign a unique IP address to the client before creating CHILD-SAs?

  4. The Configuration Payload • Allows an IRAC to acquire bootstrapping configuration within IKEv2 IKE_AUTH exchange • No extension of the IKE_AUTH exchange or new exchange (no “phase 1.5”) • A generic mechanism to pass minimal bootstrapping parameters for CHILD-SA creation • May be used with any configuration server, such as DHCP, RADIUS, LDAP, etc.

  5. IP Address Bootstrapping • CP(CFG_REQUEST) is sent by an IRAC in IKE_AUTH to request an IP address from an IPsec Remote Access Server (IRAS) • IRAS processes the CP(CFG_REQUEST) and assigns an address to the IRAC from internal or external configuration servers • IRAS sends a CP(CFG_REPLY) to IRAC with minimal IP address configuration so a CHILD-SA can establish.

  6. CP and Private Pools IKE Gtwy IRAC (IKE-client) IRAS IKEv2 Message 1 HDR, SAi1, KEi, Ni IKEv2 Message 2 HDR, SAr1, KEr, Nr, [CERTREQ] IKEv2 Message 3 HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] CP(CFG_REQUEST), SAi2, TSi, TSr} CFG_REPLY: Internal_IP4_ADDR Internal_IP4_NETMASK Internal_IP4_DNS Internal_IP4_NBNS IKEv2 Message 4 HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr }

  7. On-IRAS Pools • A private pool of addresses may be configured locally on an IRAS and assigned to requesting IRACs • Works for very small deployments • Won’t scale well for larger deployments.

  8. OFF-IRAS Pools RADIUS Database IRAC (IKE-client) DHCP Server IKE Gateway IRAS Other Configuration Server IRAS proxies the IRAC CP(CFG_REQUEST) for an IP address to an external configuration server

  9. Must be able to satisfy CP via DHCP • DHCP is widely deployed for address assignment in LANs • DHCP has many options that may be useful for an IRAC to retrieve

  10. DHCP Assigned Addresses • A DHCP server may be used to assign addresses to the IRAS on behalf of an IRAC • IRAS is responsible for requesting IP addresses on a per-IRAC basis from the DHCP server when it receives a CP(CFG_REQUEST) • IRAS sends the IP address and other minimal configuration to the IRAC via a CP(CFG_REPLY) once an address is retrieved

  11. CP and DHCP DHCP Server IKE Gtwy IRAC (IKE-client) IRAS IKEv2 Message 1 HDR, SAi1, KEi, Ni IKEv2 Message 2 HDR, SAr1, KEr, Nr, [CERTREQ] IKEv2 Message 3 Request address from DHCP Server HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] CP(CFG_REQUEST), SAi2, TSi, TSr} DHCPDISCOVER DHCPOFFER

  12. CP and DHCP DHCP Server IKE Gtwy IRAC (IKE-client) IRAS DHCPREQUEST Convert DHCP options to CP Attr DHCPACK CFG_REPLY: Internal_IP4_ADDR Internal_IP4_NETMASK Internal_IP4_DNS Internal_IP4_NBNS Internal_IP4_DHCP IKEv2 Message 4 HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr }

  13. DHCPINFORM • Further configuration may be requested from a DHCP server via the CHILD-SA DHCP Server IKE Gtwy IRAC (IKE-client) IRAS DHCPINFORM DHCPACK

  14. EAP + CP Initiator Responder ----------- ----------- HDR, SAi1, KEi, Ni --> <-- HDR, SAr1, KEr, Nr, [CERTREQ] HDR, SK {IDi, [CERTREQ,] [IDr,] [CP], SAi2, TSi, TSr} --> <-- HDR, SK {IDr, [CERT,] AUTH, EAP } HDR, SK {EAP, [AUTH] } --> <-- HDR, SK {EAP, [AUTH], [CP], SAr2, TSi, TSr }

  15. MUST be able to satisfy CPvia RADIUS • Mature as a client configuration mechanism • Widely implemented • Predominant client configuration mechanism in use by ISPs and large enterprises today

  16. CP w/ RADIUS needs EAP • RADIUS is very user/pass centric. Needs them to perform db lookup. RFC 2865: • SHOULD send User-Name • MUST send Password (User or CHAP) • User entry in db contains list of requirements, and optional attributes. • RADIUS attributes map to CP attributes

  17. Host Configuration Attributes • Radius [RFC 2865] defines many attributes. • Attributes extensible via Vendor Specific Attributes (VSAs) • Attributes relative to CP: * List not exhaustive

  18. Example: ACCEPT • Accept shown next • Reject is easy • Challenge is mutation of Accept, but pretty close. (see the document for details).

  19. ACCEPT IKE Gtwy RADIUS Database IRAC (IKE-client) IRAS IKEv2 Message 1 HDR, SAi1, KEi, Ni IKEv2 Message 2 HDR, SAr1, KEr, Nr, [CERTREQ] IKEv2 Message 3 HDR, SK {IDi, [CERTREQ,] [IDr,] [CP(CFG_REQUEST)], SAi2, TSi, TSr} IKEv2 Message 4 HDR, SK {IDr, [CERT,] AUTH, EAP }

  20. ACCEPT IKE Gtwy RADIUS Database IRAC (IKE-client) IRAS IKEv2 Message 5 HDR, SK {EAP, [AUTH] } Parse Usr/Pass From EAP, Map To RADIUS attr RADIUS Access-Request Usr, Pass RADIUS Access-Accept Framed-IP, Framed-Netmask, VSA(1), …, VSA(n) Convert RADIUS Attr to CP Attr

  21. ACCEPT IKE Gtwy RADIUS Database IRAC (IKE-client) IRAS RADIUS Accounting-Request START CFG_REPLY: Internal_IPv4_ADDR Internal_IP4_Netmask Internal_IP4_DNS Internal_IP4_NBNS IKEv2 Message 6 HDR, SK {EAP, [AUTH], [CP(CFG_REPLY)], SAr2, TSi, TSr } Upon Deletion Of IKE/CHILD SA’s… RADIUS Accounting-Request Release IP Back to Pool STOP

  22. Advancement • Become WG document? • If so, how to proceed?

  23. Volunteers?? • Section for LDAP • Section for DHCPv6.

More Related