IKEv2 Configuration Payload Integration - PowerPoint PPT Presentation


Number of Views:128
Avg rating:3.0/5.0
Slides: 24
Provided by: darren123
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

Title: IKEv2 Configuration Payload Integration


1
IKEv2 Configuration Payload Integration
http://www.vpnc.org/temp-draft-lebovitz-ipsec-scalable-ikev2cp-00.txt
Full presentation - http://www.employees.org/ddukes
  • Darren Dukes, ddukes@cisco.com
  • Gregory Lebovitz, gregory@netscreen.com

2
Agenda
  • IRAC Configuration Problem
  • The Configuration Payload
  • Private Pools
  • DHCP Assigned Addresses
  • RADIUS Assigned Addresses

3
The IRAC Configuration Problem
  • IPsec Remote Access Clients (IRACs) need to have
    a private IP address in order to specify TSi
    before creating CHILD-SAs.
  • How do we assign a unique IP address to the
    client before creating CHILD-SAs?

4
The Configuration Payload
  • Allows an IRAC to acquire bootstrapping
    configuration within IKEv2 IKE_AUTH exchange
  • No extension of the IKE_AUTH exchange or new
    exchange (no phase 1.5)
  • A generic mechanism to pass minimal bootstrapping
    parameters for CHILD-SA creation
  • May be used with any configuration server, such
    as DHCP, RADIUS, LDAP, etc.

5
IP Address Bootstrapping
  • CP(CFG_REQUEST) is sent by an IRAC in IKE_AUTH to
    request an IP address from an IPsec Remote Access
    Server (IRAS)
  • IRAS processes the CP(CFG_REQUEST) and assigns an
    address to the IRAC from internal or external
    configuration servers
  • IRAS sends a CP(CFG_REPLY) to IRAC with minimal
    IP address configuration so a CHILD-SA can
    establish.

6
CP and Private Pools
Participants: IRAC (IKE-client) <-> IRAS (IKE Gtwy)
IKEv2 Message 1 (IRAC -> IRAS): HDR, SAi1, KEi, Ni
IKEv2 Message 2 (IRAS -> IRAC): HDR, SAr1, KEr, Nr, CERTREQ
IKEv2 Message 3 (IRAC -> IRAS): HDR, SK{IDi, CERT, CERTREQ, IDr, CP(CFG_REQUEST), SAi2, TSi, TSr}
IKEv2 Message 4 (IRAS -> IRAC): HDR, SK{IDr, CERT, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
CFG_REPLY carries: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS
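The CP(CFG_REQUEST)/CP(CFG_REPLY) pair shown above, encoded and decoded in Python as an added example (not code from the draft or its authors). It uses the Configuration Payload layout and attribute numbers of RFC 7296 section 3.15; the addresses are constructed sample values, and the parser checks every length field before reading so a truncated reply is rejected rather than read past.

```python
import struct

# Configuration Payload constants (RFC 7296, section 3.15)
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3
INTERNAL_IP4_NBNS = 4
INTERNAL_IP4_DHCP = 6

def build_cp(cfg_type, attrs, next_payload=0):
    """Encode a CP payload: generic payload header, CFG Type, attributes.
    attrs is a list of (attribute type, value bytes); a zero-length value in
    a CFG_REQUEST means 'please assign one of these'."""
    body = b""
    for atype, value in attrs:
        # attribute header: R bit (0) + 15-bit type, then 16-bit length
        body += struct.pack("!HH", atype & 0x7FFF, len(value)) + value
    cfg = struct.pack("!B3x", cfg_type) + body        # CFG Type + 3 reserved
    return struct.pack("!BBH", next_payload, 0, 4 + len(cfg)) + cfg

def parse_cp(data):
    """Decode a CP payload into (cfg_type, [(attribute type, value), ...]).
    Every length is checked against the enclosing length before use, so a
    truncated or over-long attribute raises instead of being read past."""
    if len(data) < 8:
        raise ValueError("CP payload shorter than its fixed header")
    _next, _flags, plen = struct.unpack("!BBH", data[:4])
    if plen != len(data):
        raise ValueError("payload length field does not match the data")
    cfg_type, attrs, off = data[4], [], 8
    while off < plen:
        if off + 4 > plen:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + alen > plen:
            raise ValueError("attribute value runs past the payload")
        attrs.append((atype & 0x7FFF, data[off:off + alen]))
        off += alen
    return cfg_type, attrs

# Constructed sample: the IRAC asks for an address and a DNS server,
# the IRAS answers with address, netmask and DNS server
REQUEST = build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_DNS, b"")])
REPLY = build_cp(CFG_REPLY, [(INTERNAL_IP4_ADDRESS, bytes([10, 1, 2, 3])),
                             (INTERNAL_IP4_NETMASK, bytes([255, 255, 255, 0])),
                             (INTERNAL_IP4_DNS, bytes([10, 0, 0, 53]))])
```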
7
On-IRAS Pools
  • A private pool of addresses may be configured
    locally on an IRAS and assigned to requesting
    IRACs
  • Works for very small deployments
  • Won't scale well for larger deployments.

8
OFF-IRAS Pools
[Diagram: IRAC (IKE-client) <-> IRAS (IKE Gateway) <-> external configuration servers: RADIUS Database, DHCP Server, Other Configuration Server]
IRAS proxies the IRAC CP(CFG_REQUEST) for an IP address to an external configuration server
9
Must be able to satisfy CP via DHCP
  • DHCP is widely deployed for address assignment in
    LANs
  • DHCP has many options that may be useful for an
    IRAC to retrieve

10
DHCP Assigned Addresses
  • A DHCP server may be used to assign addresses to
    the IRAS on behalf of an IRAC
  • IRAS is responsible for requesting IP addresses
    on a per-IRAC basis from the DHCP server when it
    receives a CP(CFG_REQUEST)
  • IRAS sends the IP address and other minimal
    configuration to the IRAC via a CP(CFG_REPLY)
    once an address is retrieved

11
CP and DHCP
Participants: IRAC (IKE-client) <-> IRAS (IKE Gtwy) <-> DHCP Server
IKEv2 Message 1 (IRAC -> IRAS): HDR, SAi1, KEi, Ni
IKEv2 Message 2 (IRAS -> IRAC): HDR, SAr1, KEr, Nr, CERTREQ
IKEv2 Message 3 (IRAC -> IRAS): HDR, SK{IDi, CERT, CERTREQ, IDr, CP(CFG_REQUEST), SAi2, TSi, TSr}
IRAS requests an address from the DHCP Server:
  DHCPDISCOVER (IRAS -> DHCP Server)
  DHCPOFFER (DHCP Server -> IRAS)
12
CP and DHCP
Participants: IRAC (IKE-client) <-> IRAS (IKE Gtwy) <-> DHCP Server (continued)
  DHCPREQUEST (IRAS -> DHCP Server)
  DHCPACK (DHCP Server -> IRAS)
IRAS converts the DHCP options to CP attributes
IKEv2 Message 4 (IRAS -> IRAC): HDR, SK{IDr, CERT, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
CFG_REPLY carries: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS, Internal_IP4_DHCP
13
DHCPINFORM
  • Further configuration may be requested from a
    DHCP server via the CHILD-SA

Participants: IRAC (IKE-client) <-> IRAS (IKE Gtwy) <-> DHCP Server
  DHCPINFORM (IRAC -> DHCP Server, through the CHILD-SA)
  DHCPACK (DHCP Server -> IRAC)
14
EAP CP
  Initiator                                   Responder
  -----------                                 -----------
  HDR, SAi1, KEi, Ni                    -->
                                        <--   HDR, SAr1, KEr, Nr, CERTREQ
  HDR, SK{IDi, CERTREQ, IDr,
          CP, SAi2, TSi, TSr}           -->
                                        <--   HDR, SK{IDr, CERT, AUTH, EAP}
  HDR, SK{EAP, AUTH}                    -->
                                        <--   HDR, SK{EAP, AUTH, CP, SAr2, TSi, TSr}

15
MUST be able to satisfy CP via RADIUS
  • Mature as a client configuration mechanism
  • Widely implemented
  • Predominant client configuration mechanism in use
    by ISPs and large enterprises today

16
CP w/ RADIUS needs EAP
  • RADIUS is very user/password centric: it needs a user name and
    password to perform the database lookup (RFC 2865)
  • SHOULD send User-Name
  • MUST send a password (User-Password or CHAP-Password)
  • The user entry in the database contains a list of requirements
    and optional attributes.
  • RADIUS attributes map to CP attributes

17
Host Configuration Attributes
  • RADIUS RFC 2865 defines many attributes.
  • Attributes are extensible via Vendor Specific
    Attributes (VSAs)
  • Attributes relevant to CP:

  Pre-Defined attributes: IP address, Netmask, Session Timeout
  Vendor Specific Attributes: Primary/Secondary DNS, Primary/Secondary WINS
  (List not exhaustive)
18
Example ACCEPT
  • Accept shown next
  • Reject is easy
  • Challenge is a mutation of Accept, but pretty
    close (see the document for details).

19
ACCEPT
Participants: IRAC (IKE-client) <-> IRAS (IKE Gtwy) <-> RADIUS Database
IKEv2 Message 1 (IRAC -> IRAS): HDR, SAi1, KEi, Ni
IKEv2 Message 2 (IRAS -> IRAC): HDR, SAr1, KEr, Nr, CERTREQ
IKEv2 Message 3 (IRAC -> IRAS): HDR, SK{IDi, CERTREQ, IDr, CP(CFG_REQUEST), SAi2, TSi, TSr}
IKEv2 Message 4 (IRAS -> IRAC): HDR, SK{IDr, CERT, AUTH, EAP}
20
ACCEPT
Participants: IRAC (IKE-client) <-> IRAS (IKE Gtwy) <-> RADIUS Database (continued)
IKEv2 Message 5 (IRAC -> IRAS): HDR, SK{EAP, AUTH}
IRAS parses user/password from EAP and maps them to RADIUS attributes
RADIUS Access-Request (IRAS -> RADIUS): User, Password
RADIUS Access-Accept (RADIUS -> IRAS): Framed-IP, Framed-Netmask, VSA(1), ..., VSA(n)
IRAS converts the RADIUS attributes to CP attributes
21
ACCEPT
Participants: IRAC (IKE-client) <-> IRAS (IKE Gtwy) <-> RADIUS Database (continued)
RADIUS Accounting-Request START (IRAS -> RADIUS)
IKEv2 Message 6 (IRAS -> IRAC): HDR, SK{EAP, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr}
CFG_REPLY carries: Internal_IP4_ADDR, Internal_IP4_NETMASK, Internal_IP4_DNS, Internal_IP4_NBNS
Upon deletion of the IKE/CHILD SAs:
RADIUS Accounting-Request STOP (IRAS -> RADIUS); IP released back to pool
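The two conversion steps on the IRAS, "Convert DHCP options to CP Attr" (slide 12) and "Convert RADIUS Attr to CP Attr" (slide 20), as one added Python example that is not code from the draft or its authors. It assumes the DHCPACK has already been parsed into yiaddr plus an option map, the Access-Accept into an attribute map, and that DNS/WINS servers carried in vendor-specific attributes arrive already decoded (their layout is vendor-defined); it also refuses the two Framed-IP-Address sentinel values of RFC 2865 that tell the NAS to pick an address, which must never be handed to the IRAC as its address.

```python
import ipaddress

# CP attribute types (RFC 7296, section 3.15)
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK = 1, 2
INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS, INTERNAL_IP4_DHCP = 3, 4, 6
# DHCP option codes (RFC 2132) read out of the DHCPACK
DHCP_SUBNET_MASK, DHCP_DNS, DHCP_NBNS, DHCP_SERVER_ID = 1, 6, 44, 54
# RADIUS attribute types (RFC 2865) read out of the Access-Accept
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 8, 9
# Framed-IP-Address values that instruct the NAS rather than name an address
USER_SELECTS, NAS_SELECTS = b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe"

def _split4(raw, what):
    """Split a concatenated IPv4 address list (DHCP option style) into 4-byte chunks."""
    if len(raw) % 4:
        raise ValueError(f"{what}: {len(raw)} bytes is not a multiple of 4")
    return [raw[i:i + 4] for i in range(0, len(raw), 4)]

def dhcpack_to_cp(yiaddr, options):
    """Map a DHCPACK (yiaddr string, {option code: raw bytes}) to (CP type, value)
    pairs. Option 54 becomes INTERNAL_IP4_DHCP so the IRAC can later DHCPINFORM
    the same server through the CHILD-SA (assumed mapping for this example)."""
    attrs = [(INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address(yiaddr).packed)]
    if DHCP_SUBNET_MASK in options:
        attrs.append((INTERNAL_IP4_NETMASK, options[DHCP_SUBNET_MASK]))
    for code, cp_type in ((DHCP_DNS, INTERNAL_IP4_DNS), (DHCP_NBNS, INTERNAL_IP4_NBNS)):
        attrs += [(cp_type, a) for a in _split4(options.get(code, b""), f"option {code}")]
    if DHCP_SERVER_ID in options:
        attrs.append((INTERNAL_IP4_DHCP, options[DHCP_SERVER_ID]))
    return attrs

def access_accept_to_cp(radius_attrs, dns=(), nbns=()):
    """Map an Access-Accept ({attribute type: raw bytes}) to (CP type, value) pairs.
    dns/nbns are dotted strings already decoded from the VSAs (assumption)."""
    addr = radius_attrs.get(FRAMED_IP_ADDRESS)
    if addr is None:
        raise ValueError("Access-Accept carries no Framed-IP-Address")
    if addr in (USER_SELECTS, NAS_SELECTS):
        # 0xFFFFFFFF / 0xFFFFFFFE mean "let the user/NAS choose"; the IRAS
        # must fall back to its own pool, not forward the sentinel to the IRAC
        raise ValueError("Framed-IP-Address delegates the choice to the NAS")
    attrs = [(INTERNAL_IP4_ADDRESS, addr)]
    if FRAMED_IP_NETMASK in radius_attrs:
        attrs.append((INTERNAL_IP4_NETMASK, radius_attrs[FRAMED_IP_NETMASK]))
    attrs += [(INTERNAL_IP4_DNS, ipaddress.IPv4Address(s).packed) for s in dns]
    attrs += [(INTERNAL_IP4_NBNS, ipaddress.IPv4Address(s).packed) for s in nbns]
    return attrs
```

Both functions return the same (type, value) list shape, so one CP encoder can serve either backend.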
22
Advancement
  • Become WG document?
  • If so, how to proceed?

23
Volunteers??
  • Section for LDAP
  • Section for DHCPv6.