IKEv2 Configuration Payload Integration

Draft: http://www.vpnc.org/temp-draft-lebovitz-ipsec-scalable-ikev2cp-00.txt
Full presentation: http://www.employees.org/~ddukes

Darren Dukes, ddukes@cisco.com
Gregory Lebovitz, gregory@netscreen.com
Agenda
- IRAC Configuration Problem
- The Configuration Payload
- Private Pools
- DHCP Assigned Addresses
- RADIUS Assigned Addresses
The IRAC Configuration Problem
- IPsec Remote Access Clients (IRACs) need to have a private IP address in order to specify TSi before creating CHILD-SAs.
- How do we assign a unique IP address to the client before creating CHILD-SAs?
The Configuration Payload
- Allows an IRAC to acquire bootstrapping configuration within the IKEv2 IKE_AUTH exchange
- No extension of the IKE_AUTH exchange or new exchange (no "phase 1.5")
- A generic mechanism to pass minimal bootstrapping parameters for CHILD-SA creation
- May be used with any configuration server, such as DHCP, RADIUS, LDAP, etc.
IP Address Bootstrapping
- CP(CFG_REQUEST) is sent by an IRAC in IKE_AUTH to request an IP address from an IPsec Remote Access Server (IRAS)
- IRAS processes the CP(CFG_REQUEST) and assigns an address to the IRAC from internal or external configuration servers
- IRAS sends a CP(CFG_REPLY) to the IRAC with minimal IP address configuration so a CHILD-SA can be established.
CP and Private Pools
Participants: IRAC (IKE-client) and IRAS (IKE Gtwy)

IKEv2 Message 1  IRAC -> IRAS: HDR, SAi1, KEi, Ni
IKEv2 Message 2  IRAS -> IRAC: HDR, SAr1, KEr, Nr, [CERTREQ]
IKEv2 Message 3  IRAC -> IRAS: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] CP(CFG_REQUEST), SAi2, TSi, TSr}
IKEv2 Message 4  IRAS -> IRAC: HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
  CFG_REPLY carries: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS
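The exchange above depends on the Configuration Payload's wire format (generic IKEv2 payload header, CFG Type, then type/length/value attributes, RFC 4306 section 3.15). The following Python is an added example, not code from the draft or the presenters: it builds the CP(CFG_REQUEST) an IRAC sends in message 3, the CP(CFG_REPLY) an IRAS returns in message 4, and parses a reply back into the minimal configuration, refusing truncated payloads or a reply that carries no internal address (without which the IRAC cannot build TSi). Function and field names are the example's own.

```python
import struct
from ipaddress import IPv4Address

# Configuration payload CFG types (RFC 4306, section 3.15)
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# Configuration attribute types used for IPv4 bootstrapping (RFC 4306, section 3.15.1)
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK = 1, 2
INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS, INTERNAL_IP4_DHCP = 3, 4, 6
ATTR_NAMES = {INTERNAL_IP4_ADDRESS: "address", INTERNAL_IP4_NETMASK: "netmask",
              INTERNAL_IP4_DNS: "dns", INTERNAL_IP4_NBNS: "nbns", INTERNAL_IP4_DHCP: "dhcp"}


def encode_cp(cfg_type, attributes, next_payload=0):
    """Build a Configuration Payload: IKEv2 generic payload header, CFG Type,
    three RESERVED bytes, then the attributes. `attributes` is a list of
    (attribute type, value bytes); a zero-length value means "please fill in"."""
    body = bytearray()
    for attr_type, value in attributes:
        if not 0 < attr_type <= 0x7FFF:
            raise ValueError("attribute type must fit in 15 bits")
        body += struct.pack("!HH", attr_type, len(value)) + value
    payload_len = 4 + 4 + len(body)  # generic header (4) + CFG Type/RESERVED (4)
    generic_hdr = struct.pack("!BBH", next_payload, 0, payload_len)  # critical bit clear
    return generic_hdr + struct.pack("!B3x", cfg_type) + bytes(body)


def decode_cp(data):
    """Parse a Configuration Payload, rejecting truncated or inconsistent input
    instead of reading past the buffer. Returns (cfg_type, [(type, value), ...])."""
    if len(data) < 8:
        raise ValueError("payload shorter than the fixed CP header")
    _next, _flags, payload_len = struct.unpack("!BBH", data[:4])
    if payload_len != len(data):
        raise ValueError("Payload Length does not match the buffer")
    cfg_type = data[4]
    if cfg_type not in (CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK):
        raise ValueError("unknown CFG Type %d" % cfg_type)
    attrs, off = [], 8
    while off < payload_len:
        if payload_len - off < 4:
            raise ValueError("truncated attribute header")
        raw_type, length = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + length > payload_len:
            raise ValueError("attribute value runs past end of payload")
        attrs.append((raw_type & 0x7FFF, data[off:off + length]))  # R bit ignored on receipt
        off += length
    return cfg_type, attrs


def cfg_request_for_ip4():
    """What an IRAC puts in IKE_AUTH message 3: empty attributes it wants filled in."""
    return encode_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""),
                                   (INTERNAL_IP4_NETMASK, b""),
                                   (INTERNAL_IP4_DNS, b""),
                                   (INTERNAL_IP4_NBNS, b"")])


def cfg_reply_for_ip4(address, netmask, dns=(), nbns=()):
    """What an IRAS puts in IKE_AUTH message 4 once an address has been assigned."""
    attrs = [(INTERNAL_IP4_ADDRESS, IPv4Address(address).packed),
             (INTERNAL_IP4_NETMASK, IPv4Address(netmask).packed)]
    attrs += [(INTERNAL_IP4_DNS, IPv4Address(d).packed) for d in dns]
    attrs += [(INTERNAL_IP4_NBNS, IPv4Address(n).packed) for n in nbns]
    return encode_cp(CFG_REPLY, attrs)


def reply_to_config(reply):
    """IRAC side: turn a CP(CFG_REPLY) into the minimal configuration a CHILD-SA
    needs. Unknown attributes are skipped; a reply without an address is refused."""
    cfg_type, attrs = decode_cp(reply)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY, got CFG Type %d" % cfg_type)
    cfg = {"dns": [], "nbns": []}
    for attr_type, value in attrs:
        name = ATTR_NAMES.get(attr_type)
        if name is None or len(value) != 4:
            continue  # not an IPv4 attribute this example knows how to use
        if name in ("dns", "nbns"):
            cfg[name].append(str(IPv4Address(value)))
        else:
            cfg[name] = str(IPv4Address(value))
    if "address" not in cfg:
        raise ValueError("CFG_REPLY carries no INTERNAL_IP4_ADDRESS; no TSi can be built")
    return cfg
```

A request attribute is just a type with zero length, so the whole CFG_REQUEST for four attributes is 24 bytes; the reply parser keeps the Payload Length and every attribute length inside the buffer before it trusts any value.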
On-IRAS Pools
- A private pool of addresses may be configured locally on an IRAS and assigned to requesting IRACs
- Works for very small deployments
- Won't scale well for larger deployments.
OFF-IRAS Pools
[Diagram: IRAC (IKE-client) -> IRAS (IKE Gateway) -> external configuration servers: RADIUS Database, DHCP Server, Other Configuration Server]
- IRAS proxies the IRAC CP(CFG_REQUEST) for an IP address to an external configuration server
Must be able to satisfy CP via DHCP
- DHCP is widely deployed for address assignment in LANs
- DHCP has many options that may be useful for an IRAC to retrieve
DHCP Assigned Addresses
- A DHCP server may be used to assign addresses to the IRAS on behalf of an IRAC
- IRAS is responsible for requesting IP addresses on a per-IRAC basis from the DHCP server when it receives a CP(CFG_REQUEST)
- IRAS sends the IP address and other minimal configuration to the IRAC via a CP(CFG_REPLY) once an address is retrieved
CP and DHCP
Participants: IRAC (IKE-client), IRAS (IKE Gtwy), DHCP Server

IKEv2 Message 1  IRAC -> IRAS: HDR, SAi1, KEi, Ni
IKEv2 Message 2  IRAS -> IRAC: HDR, SAr1, KEr, Nr, [CERTREQ]
IKEv2 Message 3  IRAC -> IRAS: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] CP(CFG_REQUEST), SAi2, TSi, TSr}
  IRAS requests an address from the DHCP Server on behalf of the IRAC:
  IRAS -> DHCP Server: DHCPDISCOVER
  DHCP Server -> IRAS: DHCPOFFER

CP and DHCP (continued)
  IRAS -> DHCP Server: DHCPREQUEST
  DHCP Server -> IRAS: DHCPACK
  IRAS converts DHCP options to CP attributes
IKEv2 Message 4  IRAS -> IRAC: HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
  CFG_REPLY carries: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS, Internal_IP4_DHCP
DHCPINFORM
- Further configuration may be requested from a DHCP server via the CHILD-SA
  IRAC (IKE-client) -> (via CHILD-SA through IRAS) -> DHCP Server: DHCPINFORM
  DHCP Server -> IRAC: DHCPACK
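The "convert DHCP options to CP attributes" step in the flow above is where an IRAS decides what the IRAC gets. The Python below is an added example, not code from the draft or the presenters: it parses a raw DHCP message (RFC 2131 fixed header, magic cookie, RFC 2132 options) and maps a DHCPACK to the CP(CFG_REPLY) attribute list used on these slides: yiaddr to INTERNAL_IP4_ADDRESS, option 1 to INTERNAL_IP4_NETMASK, options 6 and 44 to INTERNAL_IP4_DNS/NBNS, and option 54 (server identifier) to INTERNAL_IP4_DHCP so the IRAC knows where to send a later DHCPINFORM. Only a DHCPACK with a non-zero yiaddr is accepted; a DHCPNAK or a bare ACK never becomes an address assignment. The sample message is constructed inline, and the helper names are the example's own.

```python
import struct
from ipaddress import IPv4Address

# IKEv2 configuration attribute types (RFC 4306, section 3.15.1)
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK = 1, 2
INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS, INTERNAL_IP4_DHCP = 3, 4, 6

# DHCP option codes (RFC 2132) and message types (RFC 2131)
OPT_PAD, OPT_SUBNET_MASK, OPT_DNS, OPT_NBNS = 0, 1, 6, 44
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCPACK, DHCPNAK = 5, 6
DHCP_MAGIC = b"\x63\x82\x53\x63"


def parse_dhcp(msg):
    """Return (yiaddr, {option code: value}) from a raw DHCP message. Same-code
    options are concatenated (RFC 3396); truncated options are rejected."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    yiaddr = IPv4Address(msg[16:20])  # 'your' address in the fixed header
    opts, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(msg):
            raise ValueError("truncated option header")
        length = msg[i + 1]
        value = msg[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of message" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return yiaddr, opts


def dhcp_ack_to_cp_attrs(msg):
    """IRAS side: convert the DHCPACK obtained on behalf of an IRAC into the
    (attribute type, value) pairs for CP(CFG_REPLY)."""
    yiaddr, opts = parse_dhcp(msg)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        raise ValueError("not a DHCPACK; refusing to hand the IRAC an address")
    if yiaddr == IPv4Address("0.0.0.0"):
        raise ValueError("DHCPACK carries no assigned address")
    attrs = [(INTERNAL_IP4_ADDRESS, yiaddr.packed)]
    if len(opts.get(OPT_SUBNET_MASK, b"")) == 4:
        attrs.append((INTERNAL_IP4_NETMASK, opts[OPT_SUBNET_MASK]))
    for opt, cp_type in ((OPT_DNS, INTERNAL_IP4_DNS), (OPT_NBNS, INTERNAL_IP4_NBNS)):
        raw = opts.get(opt, b"")
        for k in range(0, len(raw) - len(raw) % 4, 4):  # value is a list of 4-byte addresses
            attrs.append((cp_type, raw[k:k + 4]))
    if len(opts.get(OPT_SERVER_ID, b"")) == 4:
        attrs.append((INTERNAL_IP4_DHCP, opts[OPT_SERVER_ID]))  # target for a later DHCPINFORM
    return attrs


def build_dhcp_message(msg_type, yiaddr, options):
    """Constructed sample DHCP reply (server -> IRAS), used only to feed the parser."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0,             # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
                      0x3903F326, 0, 0x8000,  # xid (constructed), secs, flags
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + DHCP_MAGIC + body + bytes([OPT_END])


# Constructed DHCPACK: address 10.1.2.50/24, two DNS servers, one NBNS server, server id 10.1.2.1
SAMPLE_ACK = build_dhcp_message(DHCPACK, "10.1.2.50", [
    (OPT_SUBNET_MASK, IPv4Address("255.255.255.0").packed),
    (OPT_DNS, IPv4Address("10.1.2.2").packed + IPv4Address("10.1.2.3").packed),
    (OPT_NBNS, IPv4Address("10.1.2.4").packed),
    (OPT_SERVER_ID, IPv4Address("10.1.2.1").packed),
])
```

A multi-address option such as DNS becomes one CP attribute per address, since each INTERNAL_IP4_DNS attribute carries a single address.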
EAP + CP

   Initiator                                 Responder
   -----------                               -----------
   HDR, SAi1, KEi, Ni                   -->
                                        <--  HDR, SAr1, KEr, Nr, [CERTREQ]
   HDR, SK {IDi, [CERTREQ,] [IDr,]
            [CP], SAi2, TSi, TSr}       -->
                                        <--  HDR, SK {IDr, [CERT,] AUTH, EAP }
   HDR, SK {EAP, [AUTH] }               -->
                                        <--  HDR, SK {EAP, [AUTH], [CP], SAr2, TSi, TSr }
MUST be able to satisfy CP via RADIUS
- Mature as a client configuration mechanism
- Widely implemented
- Predominant client configuration mechanism in use by ISPs and large enterprises today
CP w/ RADIUS needs EAP
- RADIUS is very user/pass centric. Needs them to perform the db lookup.
- RFC 2865: SHOULD send User-Name; MUST send Password (User or CHAP)
- User entry in db contains a list of requirements, and optional attributes.
- RADIUS attributes map to CP attributes
Host Configuration Attributes
- RADIUS [RFC 2865] defines many attributes.
- Attributes extensible via Vendor Specific Attributes (VSAs)
- Attributes relevant to CP:
    Pre-Defined: IP address, Netmask, Session Timeout
    VSA: Prim/Secondary DNS, Prim/Secondary WINS
  * List not exhaustive
Example: ACCEPT
- Accept shown next
- Reject is easy
- Challenge is a variation of Accept, but pretty close (see the document for details).
ACCEPT
Participants: IRAC (IKE-client), IRAS (IKE Gtwy), RADIUS Database

IKEv2 Message 1  IRAC -> IRAS: HDR, SAi1, KEi, Ni
IKEv2 Message 2  IRAS -> IRAC: HDR, SAr1, KEr, Nr, [CERTREQ]
IKEv2 Message 3  IRAC -> IRAS: HDR, SK {IDi, [CERTREQ,] [IDr,] [CP(CFG_REQUEST)], SAi2, TSi, TSr}
IKEv2 Message 4  IRAS -> IRAC: HDR, SK {IDr, [CERT,] AUTH, EAP }

ACCEPT (continued)
IKEv2 Message 5  IRAC -> IRAS: HDR, SK {EAP, [AUTH] }
  IRAS parses Usr/Pass from EAP and maps them to RADIUS attributes
  IRAS -> RADIUS: Access-Request (Usr, Pass)
  RADIUS -> IRAS: Access-Accept (Framed-IP, Framed-Netmask, VSA(1), ..., VSA(n))
  IRAS converts RADIUS attributes to CP attributes

ACCEPT (continued)
  IRAS -> RADIUS: Accounting-Request START
IKEv2 Message 6  IRAS -> IRAC: HDR, SK {EAP, [AUTH], [CP(CFG_REPLY)], SAr2, TSi, TSr }
  CFG_REPLY carries: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS
Upon deletion of IKE/CHILD SAs:
  IRAS -> RADIUS: Accounting-Request STOP
  Release IP back to pool
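The "convert RADIUS attributes to CP attributes" step above is the point where the IRAS has to decide whether the Access-Accept can be trusted and which of its attributes become CP attributes. The Python below is an added example, not code from the draft or the presenters: it parses a RADIUS response, verifies the Response Authenticator (MD5 over Code, ID, Length, Request Authenticator, Attributes and the shared secret, RFC 2865) before using anything in it, and maps Framed-IP-Address (8) and Framed-IP-Netmask (9) to INTERNAL_IP4_ADDRESS/NETMASK, the Microsoft DNS/NBNS VSAs (vendor 311, RFC 2548 types 28 to 31) to INTERNAL_IP4_DNS/NBNS, and returns Session-Timeout (27) separately for the IRAS to enforce as the lease lifetime. The two special Framed-IP-Address values from RFC 2865 (0xFFFFFFFF "user picks", 0xFFFFFFFE "NAS picks") are refused rather than handed to the IRAC as an address. The shared secret, request authenticator and packet are constructed inline; function names are the example's own.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# IKEv2 configuration attribute types (RFC 4306, section 3.15.1)
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS = 1, 2, 3, 4

# RADIUS codes and attribute types (RFC 2865); Microsoft VSAs (RFC 2548)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, VENDOR_SPECIFIC, SESSION_TIMEOUT = 8, 9, 26, 27
VENDOR_MICROSOFT = 311
MS_DNS_NBNS = {28: INTERNAL_IP4_DNS, 29: INTERNAL_IP4_DNS,    # MS-Primary/Secondary-DNS-Server
               30: INTERNAL_IP4_NBNS, 31: INTERNAL_IP4_NBNS}  # MS-Primary/Secondary-NBNS-Server
# Framed-IP-Address values with special meaning (RFC 2865, section 5.8)
USER_NEGOTIATED, NAS_SELECTED = b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe"


def parse_radius(pkt, secret, request_authenticator):
    """Parse a RADIUS response, verifying the Response Authenticator before
    trusting it. Returns (code, identifier, [(attr type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS Length field inconsistent with packet")
    attrs_raw = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_authenticator + attrs_raw + secret).digest()
    if pkt[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: forged reply or wrong secret")
    attrs, i = [], 0
    while i < len(attrs_raw):
        if i + 2 > len(attrs_raw):
            raise ValueError("truncated attribute")
        attr_type, attr_len = attrs_raw[i], attrs_raw[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs_raw):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, attrs_raw[i + 2:i + attr_len]))
        i += attr_len
    return code, ident, attrs


def access_accept_to_cp_attrs(pkt, secret, request_authenticator):
    """IRAS side: map an authenticated Access-Accept to CP(CFG_REPLY) attributes.
    Returns (cp_attrs, session_timeout_seconds or None)."""
    code, _, attrs = parse_radius(pkt, secret, request_authenticator)
    if code != ACCESS_ACCEPT:
        raise ValueError("only an Access-Accept may yield a CFG_REPLY (got code %d)" % code)
    cp, timeout, addr = [], None, None
    for attr_type, v in attrs:
        if attr_type == FRAMED_IP_ADDRESS and len(v) == 4:
            addr = v
        elif attr_type == FRAMED_IP_NETMASK and len(v) == 4:
            cp.append((INTERNAL_IP4_NETMASK, v))
        elif attr_type == SESSION_TIMEOUT and len(v) == 4:
            timeout = struct.unpack("!I", v)[0]
        elif attr_type == VENDOR_SPECIFIC and len(v) >= 10 \
                and struct.unpack("!I", v[:4])[0] == VENDOR_MICROSOFT:
            vendor_type, vendor_len = v[4], v[5]  # vendor length counts its own 2 header bytes
            if vendor_type in MS_DNS_NBNS and vendor_len == 6:
                cp.append((MS_DNS_NBNS[vendor_type], v[6:10]))
    if addr is None or addr in (USER_NEGOTIATED, NAS_SELECTED):
        # "user picks" and "NAS picks" are instructions to the NAS, not addresses to hand out
        raise ValueError("Access-Accept does not carry a usable Framed-IP-Address")
    return [(INTERNAL_IP4_ADDRESS, addr)] + cp, timeout


def build_access_accept(ident, attrs, secret, request_authenticator):
    """Constructed sample Access-Accept (RADIUS server -> IRAS), used only to feed the parser."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + auth + body


def ms_vsa(vendor_type, ip):
    """Vendor-Specific value: Vendor-Id 311, then vendor type/length/value."""
    return struct.pack("!I", VENDOR_MICROSOFT) + bytes([vendor_type, 6]) + IPv4Address(ip).packed


SECRET = b"constructed-shared-secret"      # constructed; never a real deployment secret
REQ_AUTH = bytes(range(16))                  # constructed; a real one is 16 random bytes per request
SAMPLE_ACCEPT = build_access_accept(7, [
    (FRAMED_IP_ADDRESS, IPv4Address("10.1.2.50").packed),
    (FRAMED_IP_NETMASK, IPv4Address("255.255.255.0").packed),
    (SESSION_TIMEOUT, struct.pack("!I", 3600)),
    (VENDOR_SPECIFIC, ms_vsa(28, "10.1.2.2")),
    (VENDOR_SPECIFIC, ms_vsa(30, "10.1.2.4")),
], SECRET, REQ_AUTH)
```

The IRAS must keep the Request Authenticator it sent in the Access-Request until the reply arrives; without it the reply's authenticator cannot be checked and a spoofed Access-Accept would be turned straight into a CFG_REPLY. The returned Session-Timeout is the natural trigger for the Accounting-Request STOP and the release of the address back to the pool shown on the slide.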
Advancement
- Become WG document?
- If so, how to proceed?
Volunteers??
- Section for LDAP
- Section for DHCPv6.