Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode
RFC 3456
Document Type RFC - Proposed Standard (January 2003; No errata)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3456 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Steven Bellovin
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                           B. Patel
Request for Comments: 3456                                    Intel Corp
Category: Standards Track                                       B. Aboba
                                                               Microsoft
                                                                S. Kelly
                                                               Airespace
                                                                V. Gupta
                                                  Sun Microsystems, Inc.
                                                            January 2003

              Dynamic Host Configuration Protocol (DHCPv4)
                   Configuration of IPsec Tunnel Mode

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This memo explores the requirements for host configuration in IPsec
   tunnel mode, and describes how the Dynamic Host Configuration
   Protocol (DHCPv4) may be leveraged for configuration.  In many remote
   access scenarios, a mechanism for making the remote host appear to be
   present on the local corporate network is quite useful.  This may be
   accomplished by assigning the host a "virtual" address from the
   corporate network, and then tunneling traffic via IPsec from the
   host's ISP-assigned address to the corporate security gateway.  In
   IPv4, DHCP provides for such remote host configuration.

Patel, et. al.              Standards Track                     [Page 1]
RFC 3456          DHCPv4 Config. of IPsec Tunnel Mode       January 2003

Table of Contents

   1. Introduction...................................................  2
     1.1 Terminology.................................................  2
     1.2 Requirements Language.......................................  3
   2. IPsec tunnel mode configuration requirements...................  3
     2.1 DHCP configuration evaluation...............................  3
     2.2 Summary.....................................................  4
   3. Scenario overview..............................................  4
     3.1 Configuration walk-through..................................  5
   4. Detailed description...........................................  6
     4.1 DHCPDISCOVER message processing.............................  6
     4.2 DHCP Relay behavior.........................................  9
     4.3 DHCPREQUEST message processing.............................. 10
     4.4 DHCPACK message processing.................................. 10
     4.5 Configuration policy........................................ 11
   5. Security Considerations........................................ 11
   6. IANA Considerations............................................ 12
   7. Intellectual Property Statement................................ 12
   8. References..................................................... 13
     8.1 Normative References........................................ 13
     8.2 Informative References...................................... 13
   9. Acknowledgments................................................ 14
   Appendix - IKECFG evaluation...................................... 15
   Authors' Addresses................................................ 17
   Full Copyright Statement ......................................... 18

1.  Introduction

   In many remote access scenarios, a mechanism for making the remote
   host appear to be present on the local corporate network is quite
   useful.  This may be accomplished by assigning the host a "virtual"
   address from the corporate network, and then tunneling traffic via
   IPsec from the host's ISP-assigned address to the corporate security
   gateway.  In IPv4, Dynamic Host Configuration Protocol (DHCP) [3]
   provides for such remote host configuration. This document explores
   the requirements for host configuration in IPsec tunnel mode, and
   describes how DHCPv4 may be leveraged for configuration.

1.1.  Terminology

   This document uses the following terms:

   DHCP client
         A DHCP client or "client" is an Internet host using DHCP to
         obtain configuration parameters such as a network address.

Patel, et. al.              Standards Track                     [Page 2]
RFC 3456          DHCPv4 Config. of IPsec Tunnel Mode       January 2003

   DHCP server
         A DHCP server or "server" is an Internet host that returns
         configuration parameters to DHCP clients.

1.2.  Requirements language

   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools