RE: Modefg considered harmful
Hi Darren,
See my comments below.
>
> Regarding your comments about modecfg, there is no need for an address
> pool on the LargeIPsecGW since it could act as a DHCP-client when it
> receives modecfg requests from an IRAC instead of having its ipsec engine
> sniffing for inbound DHCP packets and forwarding them to the internal
> DHCP relay.
>
> Darren.
>
The IPSec engine must not sniff on DHCP packets. As said before,
implementing RFC3456 can IMHO happen almost completely outside the IKE and
IPSec code! More specifically, a DHCP discover arriving via an IPSec tunnel
has a source address (0,0) and destination address (-1,-1). After passing
through the SPD, this packet must be delivered locally, that is, to the
internal IP host of the IPSec GW (see RFC1812, section 5.2.3). The local host
is configured with a DHCP relay that is listening on UDP port 67 (DHCP
server port). This DHCP relay can either forward the request to an internal
DHCP server or relay it to an external DHCP server. The only IPSec-specific
item that the relay must take care of is that replies from the server must
end up in the correct "DHCP-tunnel". This can be accomplished via the DHCP
Relay Information Option/sub-options, i.e., the DHCP relay must "tag" the
DHCP requests (e.g. with the Tunnel IP address, Tunnel port number) in the
direction towards the DHCP server and must "untag" the DHCP replies and use
this tag to look up the correct tunnel in the direction towards the DHCP
client (see section 4.2 of RFC3456).
So to conclude:
- I don't have to touch the IKE code
- I don't have to touch the IPSec code
- I might have to change DHCP relay code, but this technology is well
understood
- my IP parameter distribution method is in line with the rest of the
network infrastructure and inherits an existing and rich feature set.
Best regards - Dirk
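The tag/untag step the message above puts on the DHCP relay is small enough to show end to end. The following is an added illustration, not code from the thread, the RFC or any IPsec implementation: a toy relay that receives a DISCOVER from a tunnel peer, records the tunnel under a constructed tag (peer IP plus UDP port, the two fields the message names), inserts that tag as an RFC 3046 Relay Agent Information option (option 82, Agent Circuit ID sub-option), and on the way back strips the echoed option and uses the tag to pick the tunnel. The DHCP server is stubbed by a function that only echoes option 82 as RFC 3046 requires; the 6-byte tag encoding and the relay address 10.0.0.1 are assumptions for the example. Messages are built as raw BOOTP headers plus TLV options so the block runs offline.

```python
"""Added example: DHCP relay tagging so replies reach the right IPsec tunnel."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_LEN = 236                  # fixed BOOTP header before the magic cookie
OFF_HOPS, OFF_YIADDR, OFF_GIADDR = 3, 16, 24
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 53, 82, 255   # 82 = RFC 3046
SUBOPT_CIRCUIT_ID = 1          # RFC 3046 Agent Circuit ID sub-option
DHCPDISCOVER, DHCPOFFER = 1, 2


def parse_options(data):
    """Return (code, value) pairs from the option area that follows the cookie."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 4
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:       # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def build_options(opts):
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_message(op, xid, chaddr, opts):
    """Minimal BOOTP header (RFC 951 layout) with zeroed addresses and options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + build_options(opts)


def circuit_id_from_agent_info(value):
    """Walk the option 82 sub-option TLVs and return the Agent Circuit ID."""
    i = 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        if code == SUBOPT_CIRCUIT_ID:
            return value[i + 2:i + 2 + length]
        i += 2 + length
    return None


class TunnelDhcpRelay:
    """Relay on the IPsec GW's internal host, listening on UDP 67."""

    def __init__(self, relay_addr):
        self.relay_addr = relay_addr
        self.tunnels = {}      # tag -> (peer_ip, peer_port)

    @staticmethod
    def make_tag(peer_ip, peer_port):
        # Assumed encoding: 4-byte tunnel peer IP + 2-byte UDP port.
        return IPv4Address(peer_ip).packed + struct.pack("!H", peer_port)

    def to_server(self, request, peer_ip, peer_port):
        """Tag a request that arrived through a tunnel, then forward it."""
        if request[0] != BOOTREQUEST:
            raise ValueError("not a BOOTREQUEST")
        opts = parse_options(request[HDR_LEN:])
        if any(c == OPT_RELAY_AGENT_INFO for c, _ in opts):
            raise ValueError("option 82 already present; RFC 3046 says drop it")
        tag = self.make_tag(peer_ip, peer_port)
        self.tunnels[tag] = (peer_ip, peer_port)
        msg = bytearray(request[:HDR_LEN])
        msg[OFF_HOPS] += 1
        if msg[OFF_GIADDR:OFF_GIADDR + 4] == b"\0" * 4:
            msg[OFF_GIADDR:OFF_GIADDR + 4] = IPv4Address(self.relay_addr).packed
        opts.append((OPT_RELAY_AGENT_INFO, bytes([SUBOPT_CIRCUIT_ID, len(tag)]) + tag))
        return bytes(msg) + build_options(opts)

    def to_client(self, reply):
        """Untag a server reply; return (clean reply, tunnel it belongs to)."""
        if reply[0] != BOOTREPLY:
            raise ValueError("not a BOOTREPLY")
        opts = parse_options(reply[HDR_LEN:])
        agent = [v for c, v in opts if c == OPT_RELAY_AGENT_INFO]
        tag = circuit_id_from_agent_info(agent[0]) if len(agent) == 1 else None
        if tag not in self.tunnels:
            raise LookupError("no tunnel matches the tag; drop the reply")
        clean = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT_INFO]
        return reply[:HDR_LEN] + build_options(clean), self.tunnels[tag]


def fake_server_offer(request, offered_ip):
    """Constructed stand-in for the DHCP server: OFFER that echoes option 82."""
    hdr = bytearray(request[:HDR_LEN])
    hdr[0] = BOOTREPLY
    hdr[OFF_YIADDR:OFF_YIADDR + 4] = IPv4Address(offered_ip).packed
    echoed = [(c, v) for c, v in parse_options(request[HDR_LEN:]) if c == OPT_RELAY_AGENT_INFO]
    return bytes(hdr) + build_options([(OPT_MSG_TYPE, bytes([DHCPOFFER]))] + echoed)


def demo():
    """DISCOVER from peer 192.0.2.10:500 (constructed) -> server -> back to the tunnel."""
    relay = TunnelDhcpRelay("10.0.0.1")
    discover = build_message(BOOTREQUEST, 0x1234, b"\x02\0\0\0\0\x01",
                             [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    tagged = relay.to_server(discover, "192.0.2.10", 500)
    offer = fake_server_offer(tagged, "10.0.0.50")
    clean, tunnel = relay.to_client(offer)
    return tagged, clean, tunnel


if __name__ == "__main__":
    _, _, tunnel = demo()
    print("reply belongs to tunnel", tunnel)
```

A reply whose tag is unknown to the relay (or that carries no option 82 at all) is dropped rather than broadcast, which is the property that keeps one peer's lease from being delivered into another peer's tunnel. Nothing here touches IKE or the IPsec engine; the only tunnel knowledge the relay needs is the peer identity the kernel already hands it with the decapsulated packet.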
For your convenience I excerpted the relevant section on local delivery from
RFC1812 - Requirements for IP Version 4 Routers.
5.2.3 Local Delivery Decision
When a router receives an IP packet, it must decide whether the
packet is addressed to the router (and should be delivered locally)
or the packet is addressed to another system (and should be handled
by the forwarder). There is also a hybrid case, where certain IP
broadcasts and IP multicasts are both delivered locally and
forwarded. A router MUST determine which of these three cases
applies using the following rules.
o An unexpired source route option is one whose pointer value does
not point past the last entry in the source route. If the packet
contains an unexpired source route option, the pointer in the
option is advanced until either the pointer does point past the
last address in the option or else the next address is not one of
the router's own addresses. In the latter (normal) case, the
packet is forwarded (and not delivered locally) regardless of the
rules below.
o The packet is delivered locally and not considered for forwarding
in the following cases:
- The packet's destination address exactly matches one of the
router's IP addresses,
- The packet's destination address is a limited broadcast address
({-1, -1}), or