
RE: Modefg considered harmful



Hi Darren,

See my comments below.

> 
> Regarding your comments about modecfg, there is no need for 
> an address pool
> on the LargeIPsecGW since it could act as a DHCP-client when 
> it receives
> modecfg requests from an IRAC instead of having its ipsec 
> engine sniffing
> for inbound DHCP packets and forwarding them to the internal 
> DHCP relay.
> 
> Darren.
> 

The IPSec engine must not sniff on DHCP packets. As said before,
implementing RFC3456 can IMHO happen almost completely outside the IKE and
IPSec code! More specifically, a DHCP discover arriving via an IPSec tunnel
has a source address (0,0) and destination address (-1,-1). After passing
through the SPD, this packet must be delivered locally, that is, to the
internal IP host of the IPSec GW (see RFC1812, section 5.2.3). The local host
is configured with a DHCP relay that is listening on UDP port 67 (DHCP
server port). This DHCP relay can either forward the request to an internal
DHCP server or relay it to an external DHCP server. The only IPSec-specific
item that the relay must take care of is that replies from the server must
end up in the correct "DHCP tunnel". This can be accomplished via the DHCP
Relay Information Option/sub-options, i.e. the DHCP relay must "tag" the
DHCP requests (e.g. with the tunnel IP address and tunnel port number) in the
direction towards the DHCP server and must "untag" the DHCP replies and use
this tag to look up the correct tunnel in the direction towards the DHCP
client (see section 4.2 of RFC3456).

So to conclude:
- I don't have to touch the IKE code
- I don't have to touch IPSec code
- I might have to change DHCP relay code but this technology is well
understood
- my IP parameter distribution method is in line with the rest of the
network infrastructure and inherits an existing and rich feature set.

Best regards - Dirk


For your convenience I have excerpted the relevant section on local delivery
from RFC1812 - Requirements for IP Version 4 Routers.

5.2.3 Local Delivery Decision

   When a router receives an IP packet, it must decide whether the
   packet is addressed to the router (and should be delivered locally)
   or the packet is addressed to another system (and should be handled
   by the forwarder).  There is also a hybrid case, where certain IP
   broadcasts and IP multicasts are both delivered locally and
   forwarded.  A router MUST determine which of these three cases
   applies using the following rules.


   o An unexpired source route option is one whose pointer value does
      not point past the last entry in the source route.  If the packet
      contains an unexpired source route option, the pointer in the
      option is advanced until either the pointer does point past the
      last address in the option or else the next address is not one of
      the router's own addresses.  In the latter (normal) case, the
      packet is forwarded (and not delivered locally) regardless of the
      rules below.

   o The packet is delivered locally and not considered for forwarding
      in the following cases:

      - The packet's destination address exactly matches one of the
         router's IP addresses,

      - The packet's destination address is a limited broadcast address
         ({-1, -1}), or