
Discovery of tunnel server from ISP POP

A number of short-comings are leveled at IPSEC regarding address
assignment mechanisms.  The DHCP+ISAKMP draft covers the allocation of
an Intranet address,  but how does an IPSEC client discover the Internet
address of the IPSEC Security Gateway?

In the L2TP model, the tunnel is connected by the ISP 'LAC' once the
client has been authenticated via PPP PAP/CHAP.  The LAC knows where the
appropriate tunnel end-point is.

For IPSEC, could the ISP also offer security gateway address resolution?
For example, an extension to the PPP IPCP NCP could allow the ISP to
deliver the Internet address of the IPSEC Security Gateway for a given
client (identified in the same way, PAP/CHAP).  Ideally, this support
would allow a list of addresses to be supplied in a similar way to the
passing of Primary and Secondary DNS servers via IPCP.  This would allow
the client to re-connect should a primary server fail or become
unreachable.

Is this worth a (very short) draft proposing an extension to IPCP?
Since this exchange provides Internet addresses, is there any need to
protect/encrypt this information?  If there is, then things start to get
messy (arranging encrypted sessions with the ISP POP).  The L2TP LAC
model avoids this sticky issue of IPCP exchanges in the clear since PPP
encryption has kicked in with the tunnel server by the time IPCP
starts up.

Regards, Steve.
(I'm not getting copied on the dist-list yet, so any reply needs to come
direct).
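The IPCP exchange sketched in the message, as an added example that is not part of Steve's post nor of any draft: a client asks for its address, a DNS server and a security-gateway list by sending all-zero values, the ISP POP supplies the real values in a Configure-Nak (the way RFC 1877 delivers DNS servers), and a POP that does not understand the new option simply Configure-Rejects it.  The IPCP packet layout and the codes and option types 3/129 are real (RFC 1332, RFC 1661, RFC 1877); option type 200 and its data layout (four bytes per IPv4 address, in preference order) are assumptions for illustration only, as are the sample addresses.  Because the values arrive in the clear over the access link, the selection step treats them only as hints and accepts a gateway only once the IKE-authenticated identity (stood in for by a probe callback) matches the one the client expects, which also gives the primary/secondary failover the message asks for.

```python
"""IPCP option exchange handing a PPP client a list of IPsec security-gateway
addresses, modelled on RFC 1877 DNS delivery.  Added illustration, not code
from the original post.  Real: codes 1..4, option 3 (IP-Address), option 129
(Primary DNS).  ASSUMED: option 200 = gateway list, 4 bytes per IPv4 address.
"""
import ipaddress
import struct

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
OPT_IP_ADDRESS, OPT_PRIMARY_DNS = 3, 129
OPT_SEC_GATEWAYS = 200  # hypothetical, not an IANA-assigned IPCP option


def pack_addrs(addrs):
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def unpack_addrs(data):
    if len(data) % 4:
        raise ValueError("address list not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]


def build_ipcp(code, ident, options):
    """IPCP packet: Code, Identifier, Length, then Type/Length/Data options."""
    body = b"".join(struct.pack("!BB", t, 2 + len(d)) + d for t, d in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_ipcp(packet):
    """Strict parser: every length field must agree with the bytes present."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length != len(packet):
        raise ValueError("bad IPCP length")
    opts, pos = [], 4
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated option header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("option overruns packet")
        opts.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, opts


def client_initial_request(ident=1):
    # As with the RFC 1877 DNS options, the client asks by sending zero values.
    zero = pack_addrs(["0.0.0.0"])
    return build_ipcp(CONF_REQ, ident,
                      [(OPT_IP_ADDRESS, zero), (OPT_PRIMARY_DNS, zero), (OPT_SEC_GATEWAYS, zero)])


def pop_handle_request(packet, assignments):
    """ISP POP side: Reject unknown options (RFC 1661 gives Reject precedence
    over Nak), Nak values it wants changed, otherwise Ack."""
    _, ident, opts = parse_ipcp(packet)
    rejects = [(t, d) for t, d in opts if t not in assignments]
    if rejects:
        return build_ipcp(CONF_REJ, ident, rejects)
    naks = [(t, assignments[t]) for t, d in opts if d != assignments[t]]
    if naks:
        return build_ipcp(CONF_NAK, ident, naks)
    return build_ipcp(CONF_ACK, ident, opts)


def negotiate(pop_assignments, max_rounds=6):
    """Client side of the exchange; returns the Acked options as {type: data}."""
    request = client_initial_request()
    for _ in range(max_rounds):
        reply = pop_handle_request(request, pop_assignments)
        code, ident, reply_opts = parse_ipcp(reply)
        _, req_ident, req_opts = parse_ipcp(request)
        if ident != req_ident:
            raise ValueError("reply identifier does not match request")
        if code == CONF_ACK:
            return dict(reply_opts)
        if code == CONF_REJ:  # legacy POP: drop the option and carry on
            dropped = {t for t, _ in reply_opts}
            req_opts = [(t, d) for t, d in req_opts if t not in dropped]
        else:                 # CONF_NAK: adopt the values the POP supplied
            merged = dict(req_opts)
            merged.update(dict(reply_opts))
            req_opts = list(merged.items())
        request = build_ipcp(CONF_REQ, req_ident + 1, req_opts)
    raise RuntimeError("IPCP did not converge")


def gateways_from(negotiated):
    """Gateway list in POP-supplied order, or [] if the POP offered none."""
    data = negotiated.get(OPT_SEC_GATEWAYS)
    return unpack_addrs(data) if data else []


def select_gateway(gateways, expected_identity, ike_probe):
    """The addresses crossed the access link in the clear, so they are hints
    only.  ike_probe(addr) stands in for an IKE exchange and returns the
    authenticated peer identity, or None if unreachable; the first address in
    order whose identity matches is used, which also gives failover."""
    for gw in gateways:
        if ike_probe(gw) == expected_identity:
            return gw
    return None


# Constructed sample data (RFC 5737 documentation addresses).
POP_WITH_SG = {
    OPT_IP_ADDRESS: pack_addrs(["10.7.0.42"]),
    OPT_PRIMARY_DNS: pack_addrs(["192.0.2.53"]),
    OPT_SEC_GATEWAYS: pack_addrs(["198.51.100.1", "198.51.100.2"]),
}
POP_LEGACY = {k: v for k, v in POP_WITH_SG.items() if k != OPT_SEC_GATEWAYS}

if __name__ == "__main__":
    print(gateways_from(negotiate(POP_WITH_SG)))  # ['198.51.100.1', '198.51.100.2']
    print(gateways_from(negotiate(POP_LEGACY)))   # []
```

With the legacy POP the first round is a Configure-Reject of option 200, the client drops it and the rest of the negotiation proceeds as before, so the extension degrades gracefully; with a supporting POP the list arrives in one Nak round.  Note that nothing here authenticates the POP's values: a rogue access concentrator could hand out any address, so the IKE identity check in select_gateway, not the address, is what the client trusts.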
