DHCP Configuration of IPSEC Tunnel Mode Draft-ipsec-dhcp-08.txt Bernard Aboba Microsoft.

Outline
  Update
  Configuration Requirements
  Security Requirements
  DHCP usage
  Address pool selection
  Walkthrough
  Summary

Update
  Changes from draft -07
    – Added references to IPSRA requirements draft, updated other references
    – Improved consistency of terminology
    – Added language on use of the assigned address in the quick mode exchange
  Issues
    – Use of assigned address in quick mode exchange
    – Tear down or reuse of the DHCP SA
    – New htype for VPN
    – Contents of client-identifier option

Configuration Requirements
  To obtain an IP address and other configuration parameters appropriate to the class of host
  To reconfigure when required
  To support failover
    – Want to be able to maintain address/configuration state between VPN server failures
  To integrate with existing IP address management facilities such as DHCP
    – Want single point of address and configuration management

Security Requirements
  To support address pool management
    – Examples
      Extranet where vendors, contractors and employees have different access levels, allocated out of different address pools
      Intranet where sales, marketing and engineering have different quality of service levels, allocated out of different pools
  To authenticate where required
    – Since the DHCP server is typically not co-located with the VPN server, can't assume access to IKE credentials
    – DHCP authentication required to prove the claim of identity in the client-identifier option

DHCP Packet Body
  Hardware address length (hlen), hardware type (htype), client hardware address (chaddr)
    – Should be unique to the segment the client is connecting to
    – Hardware identifier tells the VPN server/DHCP relay which VPN interface to forward DHCP messages to
    – Client-identifier option isn't returned by the DHCP server
    – LAN: use the interface hardware address
    – Dialup with no LAN adapter: use outer IP address + 2 random octets
      Issue: not consistent between reboots; would cause a new configuration to be returned on reboot
  Should a different htype be used for VPN?
    – Would make it easier for the DHCP server to distinguish VPN clients

DHCP Options
  Client-identifier option
    – Must be unique to the client
    – Consistency between reboots helpful
    – Can use htype/chaddr combination as suggested in RFC 2132
      If a LAN interface exists, can use chaddr from that interface
      With no LAN interface (dialup case) can use IP address + two random octets
        – Not consistent between reboots; makes it difficult to support user- or machine-specific policies
    – Can use FQDN or NAI + interface number
      Consistent between reboots
      Makes it easier to administer DHCP authentication than using htype/chaddr; don't want to change keys when the LAN card changes
  Classless static route option
    – draft-ietf-dhc-csr-03.txt
    – Replacement for RFC 2132 static route option

Address Pool Selection
  Support for existing methods for address pool selection
    – Client hardware address
    – Client-identifier option
    – Vendor-class-identifier option
    – Vendor-specific information option
    – Relay agent option
    – User class option
    – Subnet selection option
    – Host name option
    – Authentication option
  Can leverage conditional behavior of popular DHCP servers
  DHCP (even with authentication) is not an access control mechanism
    – Shouldn't use address assignment as a way of restricting access; the client can just choose its own IP address and get around the restrictions

Walkthrough
  1. The remote host establishes an IKE MM or AM security association with the VPN server.
  2. The remote host establishes a DHCP tunnel mode QM SA with the VPN server.
    – Filters
      From client to server: Any to Any, destination: UDP port 67
      From server to client: Any to Any, destination: UDP port 68
  3. DHCP messages are exchanged between the remote host and the DHCP server, using the VPN server as a DHCP relay, configuring the intranet interface of the remote host.
    – The security gateway needs to snoop the DHCPACK to learn the IP address assigned to the VPN interface
  4. The remote host MAY request deletion of the DHCP SA, or the remote host and VPN server MAY continue to use the same SA for all subsequent traffic by adding temporary SPD selectors, as with name ID types.
  5. The remote host establishes a tunnel mode SA to the VPN server in a quick mode exchange.
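The two client-identifier forms from the DHCP Options slide and the gateway's DHCPACK snooping in step 3 of the walkthrough, as an added Python example that is not part of the draft or this presentation. The byte layout follows RFC 2131/2132; the sample MAC, transaction id and assigned address are constructed values.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options start marker
BOOTREPLY, DHCPACK = 2, 5
OPT_MSG_TYPE, OPT_CLIENT_ID = 53, 61

def client_id_hw(htype, chaddr):
    """Option 61 from the htype/chaddr pair, as RFC 2132 suggests."""
    return bytes([htype]) + chaddr

def client_id_name(name):
    """Option 61 from an FQDN/NAI (type 0 = not a hardware address); stable across reboots."""
    return b"\x00" + name.encode("ascii")

def build_dhcp(op, xid, yiaddr, chaddr, options, htype=1):
    """Serialise a message: 236-byte fixed header, cookie, TLV options, end marker."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, htype, len(chaddr), 0, xid,
                        0, 0, bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4),
                        bytes(4), chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + b"\xff"

def parse_options(data):
    """Walk the TLV option area: skip pads (0), stop at the end marker (255)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def snoop_dhcpack(pkt):
    """Relay/gateway step: learn the address assigned to the VPN interface from a DHCPACK, else None."""
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(pkt[240:])
    if op != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    return {"xid": xid, "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
            "chaddr": pkt[28:28 + hlen], "client_id": opts.get(OPT_CLIENT_ID)}

# Constructed sample: a DHCPACK assigning 10.1.2.3 to a client using its LAN MAC.
SAMPLE_MAC = bytes.fromhex("0200deadbeef")
SAMPLE_ACK = build_dhcp(BOOTREPLY, 0x1234, "10.1.2.3", SAMPLE_MAC,
                        [(OPT_MSG_TYPE, bytes([DHCPACK])), (OPT_CLIENT_ID, client_id_hw(1, SAMPLE_MAC))])
```

A DHCPOFFER passing through the relay yields None, so only the final ACK updates the gateway's view of the assigned address.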