
IKEv2 Configuration Payload Integration


1 IKEv2 Configuration Payload Integration
Full presentation - Darren Dukes, Gregory Lebovitz,

2 Agenda
- IRAC Configuration Problem
- The Configuration Payload
- Private Pools
- DHCP Assigned Addresses
- RADIUS Assigned Addresses

3 The IRAC Configuration Problem
IPsec Remote Access Clients (IRACs) need to have a private IP address in order to specify TSi before creating CHILD-SAs. How do we assign a unique IP address to the client before creating CHILD-SAs?

4 The Configuration Payload
- Allows an IRAC to acquire bootstrapping configuration within the IKEv2 IKE_AUTH exchange
- No extension of the IKE_AUTH exchange and no new exchange (no “phase 1.5”)
- A generic mechanism to pass the minimal bootstrapping parameters needed for CHILD-SA creation
- May be used with any configuration server, such as DHCP, RADIUS, LDAP, etc.

5 IP Address Bootstrapping
- CP(CFG_REQUEST) is sent by an IRAC in IKE_AUTH to request an IP address from an IPsec Remote Access Server (IRAS)
- IRAS processes the CP(CFG_REQUEST) and assigns an address to the IRAC from internal or external configuration servers
- IRAS sends a CP(CFG_REPLY) to the IRAC with the minimal IP address configuration so that a CHILD-SA can be established.

6 CP and Private Pools
Parties: IRAC (IKE-client) and IRAS (IKE Gtwy)
IKEv2 Message 1, IRAC -> IRAS: HDR, SAi1, KEi, Ni
IKEv2 Message 2, IRAS -> IRAC: HDR, SAr1, KEr, Nr, [CERTREQ]
IKEv2 Message 3, IRAC -> IRAS: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] CP(CFG_REQUEST), SAi2, TSi, TSr}
  IRAS builds the CFG_REPLY from its private pool: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS
IKEv2 Message 4, IRAS -> IRAC: HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}

7 On-IRAS Pools
- A private pool of addresses may be configured locally on an IRAS and assigned to requesting IRACs
- Works for very small deployments
- Won’t scale well for larger deployments.

8 OFF-IRAS Pools
Diagram: IRAC (IKE-client) <-> IRAS (IKE Gateway) <-> external configuration servers (RADIUS Database, DHCP Server, Other Configuration Server)
IRAS proxies the IRAC CP(CFG_REQUEST) for an IP address to an external configuration server

9 Must be able to satisfy CP via DHCP
- DHCP is widely deployed for address assignment in LANs
- DHCP has many options that may be useful for an IRAC to retrieve

10 DHCP Assigned Addresses
- A DHCP server may be used to assign addresses to the IRAS on behalf of an IRAC
- IRAS is responsible for requesting IP addresses on a per-IRAC basis from the DHCP server when it receives a CP(CFG_REQUEST)
- IRAS sends the IP address and other minimal configuration to the IRAC via a CP(CFG_REPLY) once an address is retrieved

11 CP and DHCP
Parties: IRAC (IKE-client), IRAS (IKE Gtwy), DHCP Server
IKEv2 Message 1, IRAC -> IRAS: HDR, SAi1, KEi, Ni
IKEv2 Message 2, IRAS -> IRAC: HDR, SAr1, KEr, Nr, [CERTREQ]
IKEv2 Message 3, IRAC -> IRAS: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] CP(CFG_REQUEST), SAi2, TSi, TSr}
  IRAS requests an address from the DHCP Server:
  DHCPDISCOVER, IRAS -> DHCP Server
  DHCPOFFER, DHCP Server -> IRAS

12 CP and DHCP
  DHCPREQUEST, IRAS -> DHCP Server
  DHCPACK, DHCP Server -> IRAS
  IRAS converts DHCP options to CP attributes
  CFG_REPLY: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS, Internal_IP4_DHCP
IKEv2 Message 4, IRAS -> IRAC: HDR, SK {IDr, [CERT,] AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}

13 DHCPINFORM
Further configuration may be requested from a DHCP server via the CHILD-SA
Parties: IRAC (IKE-client), IRAS (IKE Gtwy), DHCP Server
  DHCPINFORM, IRAC -> DHCP Server (through the CHILD-SA)
  DHCPACK, DHCP Server -> IRAC

14 EAP + CP
Initiator                                              Responder
-----------                                            -----------
HDR, SAi1, KEi, Ni                                -->
                                                  <--  HDR, SAr1, KEr, Nr, [CERTREQ]
HDR, SK {IDi, [CERTREQ,] [IDr,] [CP], SAi2, TSi, TSr}  -->
                                                  <--  HDR, SK {IDr, [CERT,] AUTH, EAP }
HDR, SK {EAP, [AUTH] }                            -->
                                                  <--  HDR, SK {EAP, [AUTH], [CP], SAr2, TSi, TSr }

15 MUST be able to satisfy CP via RADIUS
- Mature as a client configuration mechanism
- Widely implemented
- Predominant client configuration mechanism in use by ISPs and large enterprises today

16 CP w/ RADIUS needs EAP
- RADIUS is very user/pass centric. Needs them to perform the db lookup.
- RFC 2865: SHOULD send User-Name; MUST send Password (User or CHAP)
- User entry in db contains a list of requirements, and optional attributes.
- RADIUS attributes map to CP attributes

17 Host Configuration Attributes
- RADIUS [RFC 2865] defines many attributes.
- Attributes are extensible via Vendor Specific Attributes (VSAs)
- Attributes relevant to CP (list not exhaustive):
  Pre-Defined: IP address, Netmask, Session Timeout
  VSA: Prim/Secondary DNS, Prim/Secondary WINS

18 Example: ACCEPT
- Accept shown next
- Reject is easy
- Challenge is a mutation of Accept, but pretty close (see the document for details).

19 ACCEPT
Parties: IRAC (IKE-client), IRAS (IKE Gtwy), RADIUS Database
IKEv2 Message 1, IRAC -> IRAS: HDR, SAi1, KEi, Ni
IKEv2 Message 2, IRAS -> IRAC: HDR, SAr1, KEr, Nr, [CERTREQ]
IKEv2 Message 3, IRAC -> IRAS: HDR, SK {IDi, [CERTREQ,] [IDr,] [CP(CFG_REQUEST)], SAi2, TSi, TSr}
IKEv2 Message 4, IRAS -> IRAC: HDR, SK {IDr, [CERT,] AUTH, EAP }

20 ACCEPT
IKEv2 Message 5, IRAC -> IRAS: HDR, SK {EAP, [AUTH] }
  IRAS parses Usr/Pass from EAP and maps them to RADIUS attributes
  RADIUS Access-Request, IRAS -> RADIUS: Usr, Pass
  RADIUS Access-Accept, RADIUS -> IRAS: Framed-IP, Framed-Netmask, VSA(1), …, VSA(n)
  IRAS converts RADIUS attributes to CP attributes

21 ACCEPT
  RADIUS Accounting-Request START, IRAS -> RADIUS
  CFG_REPLY: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS
IKEv2 Message 6, IRAS -> IRAC: HDR, SK {EAP, [AUTH], [CP(CFG_REPLY)], SAr2, TSi, TSr }
Upon deletion of the IKE/CHILD SAs:
  RADIUS Accounting-Request STOP, IRAS -> RADIUS
  Release IP back to pool

22 Advancement Become WG document? If so, how to proceed?

23 Volunteers??
- Section for LDAP
- Section for DHCPv6.

