idnits 2.17.1

draft-richardson-ipsec-dhcp-over-ike-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 105: '...er.  The gateway SHOULD also append DH...'
     RFC 2119 keyword, line 128: '...the physical wire.  This SA MUST be be...'

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (February 16, 2003) is 7733 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: 'CERTREQ' on line 75

  ** Obsolete normative reference: RFC 1531 (ref. '1') (Obsoleted by RFC 1541)

  ** Obsolete normative reference: RFC 2408 (ref. '2') (Obsoleted by RFC 4306)

     Summary: 7 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                      M. Richardson
Internet-Draft                                                       SSW
Expires: August 17, 2003                               February 16, 2003

        A method for configuration of IPsec clients using DHCP
              draft-richardson-ipsec-dhcp-over-ike-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
   This Internet-Draft will expire on August 17, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Table of Contents

   1.  Introduction
   2.  Time sequence diagram
   3.  Comparisons with mode-cfg
   4.  Comparisons with DHCP-over-IPsec
       References
       Author's Address
       Full Copyright Statement

Abstract

   IPsec technology is frequently used for remote access scenarios.  A
   tunnel is established between a mobile node (such as a laptop) and an
   IPsec gateway located at the enterprise.  The mobile node's tunnel
   outer address is potentially any IP address on the Internet.  The
   mobile node's tunnel inner address should be an address from within
   the enterprise, and the assignment of this address should ideally be
   done dynamically.

   This document specifies a configuration mode called "DHCP over IKE".
   The document specifies that the payload of a DHCP exchange should be
   carried over an IKE phase 1 exchange.

1. Introduction

   Intro about problem space for configuring clients with addresses.  We
   use [1] together with [2].

2. Time sequence diagram

   The setup consists of:

   +--------+                 +----------+         +--------+
   | client |=================| Security |---------|  DHCP  |
   +--------+                 | gateway  |         | server |
                              +----------+         +--------+

   HDR, SAi1, KEi, Ni  -->
                       <--  HDR, SAr1, KEr, Nr, [CERTREQ]

   HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
            AUTH, DHCP(disc)}  -->
                                               ---DHCP Discovery->
                                               <--DHCP Offer------
                       <--  HDR, SK {IDr, [CERT,] AUTH, DHCP(offer)}

   HDR, SK {SAi2, TSi, TSr, DHCP(request)}  -->
                                               ---DHCP request-->
                                               <--DHCP ACK-------
                       <--  HDR, SK {SAr2, TSi, TSr, DHCP(ack)}

   Later, upon rekey, one does:

   HDR, SK {SAi2, TSi, TSr, DHCP(request)}  -->
                                               ---DHCP request-->
                                               <--DHCP ACK-------
                       <--  HDR, SK {SAr2, TSi, TSr, DHCP(ack)}

3. Comparisons with mode-cfg

   From the point of view of the IKE implementor, this proposal is very
   similar to mode configuration.  There are two major differences: the
   inclusion of a DHCP client state machine in the client's IKE, and the
   requirement that the IKEv2 gateway encapsulate the DHCP payloads in
   UDP packets and relay them to a DHCP server.  The gateway SHOULD also
   append DHCP relay options to the end of the relayed message so that
   the DHCP server can tell that the request arrived via IKEv2.

   The major advantage of DHCP-over-IKE over mode-cfg is that it
   leverages all of the DHCP protocol infrastructure for configuration
   of the end host.  Further, it interacts naturally with the DHCP
   infrastructure at the enterprise end.

4. Comparisons with DHCP-over-IPsec

   The DHCP-over-IKE situation appears more complicated because of the
   inclusion of the DHCP state machines in IKEv2.  The major complexity
   appears to be on the client.  Note that this is an illusion: in
   DHCP-over-IPsec, the IKE daemon on the client needs to know what
   state the DHCP client is in so that it can act accordingly.  As such,
   the states are simply represented twice.
   Unless the implementor is able to take advantage of an existing DHCP
   client present on the OS, there is little saving in actual code.

   DHCP-over-IPsec requires that a very strange IPsec SA be configured,
   with selectors 0.0.0.0/0:udp/67 <-> 0.0.0.0/0:udp/68.  Note that
   extreme care must be taken to make sure that this SA does not also
   catch packets destined to the DHCP server on the physical wire.  This
   SA MUST be torn down before any traffic is mis-directed onto it.
   Further, it is very difficult to configure a mobile system that must
   maintain tunnels to two enterprises.

References

   [1]  Droms, R., "Dynamic Host Configuration Protocol", RFC 1531,
        October 1993.

   [2]  Maughan, D., Schneider, M. and M. Schertler, "Internet Security
        Association and Key Management Protocol (ISAKMP)", RFC 2408,
        November 1998.

Author's Address

   Michael C. Richardson
   Sandelman Software Works
   470 Dawson Avenue
   Ottawa, ON  K1Z 5V7
   CA

   EMail: mcr@sandelman.ottawa.on.ca
   URI:   http://www.sandelman.ottawa.on.ca/

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.
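Added example, not part of the draft: a Python sketch of the gateway relay step from section 3 applied to the DHCP(disc)/DHCP(offer) leg of the section 2 diagram, so the two behaviours the draft asks of the gateway (wrap the DHCP payload from the IKE message in a UDP datagram to the DHCP server, and append relay options so the server knows it came via IKEv2) are visible on real DHCP bytes. The gateway and server addresses, the choice of DHCP relay agent option 82 with a circuit-id sub-option, and the stub server that answers are assumptions of this example.

```python
import socket, struct
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END, DISCOVER, OFFER = 53, 82, 255, 1, 2
# Constructed addresses for this example; the draft names none.
GATEWAY_INNER_IP, DHCP_SERVER_IP = "10.0.0.1", "10.0.0.5"
def build_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])

def parse_options(pkt):
    """Options start after the 236-byte fixed header and 4-byte magic cookie (RFC 2131)."""
    opts, i = [], 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad option: one byte, no length
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts.append((code, pkt[i + 2:i + 2 + ln]))
        i += 2 + ln
    return opts

def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", extra=()):
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0, bytes(4),
                      socket.inet_aton(yiaddr), bytes(4), socket.inet_aton(giaddr), chaddr, b"", b"")
    return hdr + DHCP_MAGIC + build_options([(OPT_MSG_TYPE, bytes([msg_type])), *extra])

def gateway_relay_to_server(dhcp_from_ike, circuit_id=b"ikev2"):
    """Section 3, gateway side: forward the DHCP payload from the IKE message as a BOOTP
    relay would (giaddr = gateway, hops + 1) and append relay agent option 82 (this
    example's assumption; the draft says only 'relay options') to mark it as via IKEv2."""
    hdr = bytearray(dhcp_from_ike[:240])
    hdr[3] += 1                                           # hops
    if bytes(hdr[24:28]) == bytes(4):                     # giaddr: first relay sets it
        hdr[24:28] = socket.inet_aton(GATEWAY_INNER_IP)
    opts = parse_options(dhcp_from_ike)
    opts.append((OPT_RELAY_AGENT, bytes([1, len(circuit_id)]) + circuit_id))  # sub-opt 1
    return bytes(hdr) + build_options(opts), (DHCP_SERVER_IP, 67)  # UDP destination

def gateway_relay_to_client(dhcp_reply):
    """Strip option 82 again; yiaddr is the client's tunnel inner address."""
    opts = [o for o in parse_options(dhcp_reply) if o[0] != OPT_RELAY_AGENT]
    return dhcp_reply[:240] + build_options(opts), socket.inet_ntoa(dhcp_reply[16:20])

def run_discover_offer():
    disc = build_dhcp(1, 0x1234, b"\x02\x00\x00\x00\x00\x01", DISCOVER)  # DHCP(disc) from IKE
    relayed, dst = gateway_relay_to_server(disc)
    relay_opt = dict(parse_options(relayed))[OPT_RELAY_AGENT]   # stub server echoes option 82
    offer = build_dhcp(2, 0x1234, relayed[28:34], OFFER, yiaddr="10.1.2.3",
                       giaddr=socket.inet_ntoa(relayed[24:28]), extra=[(OPT_RELAY_AGENT, relay_opt)])
    to_client, inner_ip = gateway_relay_to_client(offer)
    return dst, relayed, to_client, inner_ip
```

Running `run_discover_offer()` yields the relayed DISCOVER with hops incremented, giaddr set and option 82 last before the end marker, and the OFFER handed back over IKE with option 82 removed and the assigned inner address 10.1.2.3.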