Thursday, March 4, 2010

IPsec as WAN protocol for IPv6? Read on...

Recently I have seen a trend of using one Security Association (SA) for both IPv4 and IPv6 selectors. That is, if two sites that each have IPv4 and IPv6 networks are secured using IPsec, traffic from both the IPv4 and the IPv6 networks goes on the same SA. Of course, this is possible with IKEv2 only: IKEv2 allows IPv4 and IPv6 traffic selectors to be sent together in the TSi/TSr payloads of a single CHILD_SA negotiation, whereas an IKEv1 Quick Mode exchange carries one identity per side and therefore one address family per SA.
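To make the point concrete, here is an added example (not from the original post) that builds an IKEv2 Traffic Selector payload in the RFC 4306 section 3.13 wire format with one IPv4 and one IPv6 range, parses it back, and classifies packets against it. The networks and addresses are made-up documentation ranges.

```python
"""Build and parse an IKEv2 Traffic Selector payload that carries an IPv4 and an
IPv6 selector for the same CHILD_SA (RFC 4306 section 3.13).
Added illustration; the networks below are constructed documentation ranges."""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7
TS_IPV6_ADDR_RANGE = 8


def encode_selector(network, proto=0, start_port=0, end_port=65535):
    """One Traffic Selector substructure covering a whole network.
    proto 0 and the full port range mean 'any protocol, any port'."""
    net = ipaddress.ip_network(network)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    start = net.network_address.packed
    end = net.broadcast_address.packed          # last address of the range
    length = 8 + len(start) + len(end)          # 16 octets for IPv4, 40 for IPv6
    return struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port) + start + end


def encode_ts_payload(networks, next_payload=0):
    """Generic payload header, Number-of-TSs, 3 reserved octets, then the selectors."""
    body = b"".join(encode_selector(n) for n in networks)
    header = struct.pack("!BBH", next_payload, 0, 8 + len(body))  # Next Payload, C/RESERVED, Payload Length
    return header + struct.pack("!B3x", len(networks)) + body


def decode_ts_payload(data):
    """Return a list of (start, end, proto, start_port, end_port) tuples."""
    _next, _flags, plen = struct.unpack_from("!BBH", data, 0)
    count = data[4]
    selectors, off = [], 8
    for _ in range(count):
        ts_type, proto, length, sp, ep = struct.unpack_from("!BBHHH", data, off)
        if ts_type == TS_IPV4_ADDR_RANGE:
            cls, alen = ipaddress.IPv4Address, 4
        else:
            cls, alen = ipaddress.IPv6Address, 16
        start = cls(data[off + 8: off + 8 + alen])
        end = cls(data[off + 8 + alen: off + 8 + 2 * alen])
        selectors.append((start, end, proto, sp, ep))
        off += length
    if off != plen:
        raise ValueError("selector lengths do not add up to the payload length")
    return selectors


def selects(selectors, addr, proto=6, port=80):
    """Would a packet from this address/protocol/port be carried on this SA?
    A selector of the other address family never matches, so IPv4 and IPv6
    traffic are classified independently against the same SA."""
    ip = ipaddress.ip_address(addr)
    for start, end, p, sp, ep in selectors:
        if ip.version != start.version:
            continue
        if start <= ip <= end and p in (0, proto) and sp <= port <= ep:
            return True
    return False


if __name__ == "__main__":
    payload = encode_ts_payload(["10.1.0.0/24", "2001:db8:1::/64"])
    print(payload.hex())
    print(decode_ts_payload(payload))
```

A real responder would narrow these selectors (TSr) against its own policy; the point here is only that a single TS payload, and hence a single CHILD_SA, legitimately carries both families.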

The IPsec Remote Access Client (IRAC) has traditionally been used on mobiles and desktop/laptop end points. These clients connect to the IPsec Remote Access Server (IRAS) in the corporate office, obtain a private IP address and access the corporate networks.

In IPv6, the IRAC is not only used on end points but is increasingly being used in small-office IPsec boxes as well. More interestingly, IPsec is being used to obtain the IP addresses for the internal LAN machines from the ISP; in this case the ISP runs the IRAS. That is, IPsec is being used as the WAN protocol. The flow is something like this:

  • The IRAC in the CPE makes an IKEv2 connection to the IRAS at the ISP.
  • The IRAC requests IPv4 and IPv6 information from the IRAS using configuration payloads, in one transaction.
    • The IPv4 configuration attributes typically carry the IP address, DNS servers, remote networks etc.
    • The IPv6 configuration described in the base IKEv2 RFC (one address per INTERNAL_IP6_ADDRESS attribute) is not sufficient for this kind of deployment. RFC 5739 defines the attributes through which the IRAC gets:
      • Multiple IPv6 prefixes (INTERNAL_IP6_PREFIX).
      • The DHCPv6 server address at the IRAS end (INTERNAL_IP6_DHCP).
      • This standard expects the IRAC to get the rest of the information, such as DNS servers, via DHCPv6 from the DHCPv6 server address it learns through this exchange.
  • How the IPv4 address is used:
    • This is typically a public IP address.
    • It is used as the external address for NAPT.
    • The DNS and WINS servers the IRAC receives are configured dynamically into the local DHCPv4 server.
    • Local IPv4 machines are assigned private IP addresses via that DHCPv4 server.
  • How the IPv6 information is applied:
    • Since it gets multiple prefixes, the IRAC can assign one address from each prefix to its virtual link interface, in addition to the link-local address.
    • The prefixes are configured on the DHCPv6 server serving the LAN interfaces if stateful addressing is advertised via RA on the LAN, or handed to the RA proxy which sends the prefixes in RA messages. If there are more LAN interfaces than prefixes, a prefix has to be subdivided further (for example a delegated /56 into /64s) and a subset assigned to each LAN interface.
    • Any information the IRAC gets through its DHCPv6 transaction with the IRAS-side DHCPv6 server may also need to be populated into the DHCPv6 server on the LANs (stateful or stateless).
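The whole procedure above, as an added worked example that is not part of the original post: encode a CFG_REPLY carrying IPv4 and IPv6 attributes in one Configuration payload (RFC 4306 section 3.15 wire format, attribute type numbers from RFC 4306 and RFC 5739), decode it on the CPE side, and derive the LAN plan the post describes: the NAPT external address, the DNS servers to push into the local DHCPv4 server, the DHCPv6 server to query for the rest, one address per prefix on the virtual link interface, and /64s carved out of the delegated prefixes for the LAN interfaces. All addresses are constructed documentation ranges; the interface names and the ::1 interface identifier are assumptions for the example.

```python
"""Encode/decode an IKEv2 Configuration payload (RFC 4306 section 3.15) that mixes
IPv4 and IPv6 attributes in one CFG_REPLY, then apply it as a CPE would.
Added illustration; attribute type numbers are from RFC 4306 / RFC 5739,
addresses are constructed documentation ranges."""
import ipaddress
import struct

CFG_REPLY = 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS = 1, 3
INTERNAL_IP6_DHCP, INTERNAL_IP6_PREFIX = 12, 18      # 18 is defined by RFC 5739


def encode_attr(atype, value):
    """Reserved bit + 15-bit Attribute Type, 2-octet Length, Value (TLV form)."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value


def encode_cfg_payload(cfg_type, attrs, next_payload=0):
    """Generic payload header, CFG Type, 3 reserved octets, then the attributes."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", next_payload, 0, 8 + len(body))
    return header + struct.pack("!B3x", cfg_type) + body


def decode_cfg_payload(data):
    """Return (cfg_type, [(attribute_type, value_bytes), ...])."""
    _next, _flags, plen = struct.unpack_from("!BBH", data, 0)
    cfg_type = data[4]
    attrs, off = [], 8
    while off < plen:
        atype, alen = struct.unpack_from("!HH", data, off)
        attrs.append((atype & 0x7FFF, data[off + 4: off + 4 + alen]))
        off += 4 + alen
    return cfg_type, attrs


def ip6_prefix_attr(prefix):
    """INTERNAL_IP6_PREFIX value: 16-octet prefix followed by a 1-octet prefix length."""
    net = ipaddress.IPv6Network(prefix)
    return net.network_address.packed + bytes([net.prefixlen])


def build_sample_reply():
    """Constructed CFG_REPLY such as an ISP-side IRAS might send: one public IPv4
    address, one IPv4 DNS server, the IRAS-side DHCPv6 server and two prefixes."""
    attrs = [
        (INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address("203.0.113.10").packed),
        (INTERNAL_IP4_DNS, ipaddress.IPv4Address("203.0.113.53").packed),
        (INTERNAL_IP6_DHCP, ipaddress.IPv6Address("2001:db8::53").packed),
        (INTERNAL_IP6_PREFIX, ip6_prefix_attr("2001:db8:1::/64")),
        (INTERNAL_IP6_PREFIX, ip6_prefix_attr("2001:db8:2::/56")),
    ]
    return encode_cfg_payload(CFG_REPLY, attrs)


def cpe_plan(attrs, lan_ifaces):
    """Apply the reply: IPv4 address for NAPT, DNS into the local DHCPv4 server,
    DHCPv6 server to query for the rest, one address per prefix on the virtual
    link interface, and one /64 per LAN interface carved from the prefixes."""
    plan = {"napt_external": None, "dhcp4_dns": [], "dhcp6_server": None,
            "wan_addresses": [], "lan_prefixes": {}}
    prefixes = []
    for atype, value in attrs:
        if atype == INTERNAL_IP4_ADDRESS:
            plan["napt_external"] = str(ipaddress.IPv4Address(value))
        elif atype == INTERNAL_IP4_DNS:
            plan["dhcp4_dns"].append(str(ipaddress.IPv4Address(value)))
        elif atype == INTERNAL_IP6_DHCP:
            plan["dhcp6_server"] = str(ipaddress.IPv6Address(value))
        elif atype == INTERNAL_IP6_PREFIX:
            prefixes.append(ipaddress.IPv6Network((value[:16], value[16])))
    # One address from each prefix on the virtual link interface; IID ::1 is an assumption.
    plan["wan_addresses"] = [str(p.network_address + 1) for p in prefixes]
    # More LAN interfaces than prefixes: subdivide anything shorter than /64 into /64s.
    pool = [sub for p in prefixes
            for sub in (p.subnets(new_prefix=64) if p.prefixlen < 64 else [p])]
    if len(pool) < len(lan_ifaces):
        raise ValueError("not enough /64s for the LAN interfaces")
    for iface, sub in zip(lan_ifaces, pool):
        plan["lan_prefixes"][iface] = str(sub)
    return plan


if __name__ == "__main__":
    _, attrs = decode_cfg_payload(build_sample_reply())
    print(cpe_plan(attrs, ["lan0", "lan1", "lan2"]))
```

The subdivision step is where deployments differ: a single delegated /64 cannot be split further for SLAAC, so a CPE with several LAN segments needs either a shorter prefix or more than one INTERNAL_IP6_PREFIX from the IRAS, which is exactly why the post insists on multiple prefixes.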

Even though the above deployment is described as WAN access, a similar transaction can happen in the corporate world. Small home offices or small sales offices in multiple locations can use the same mechanism to assign IPv6 addresses to their local machines so that they can communicate with the IPv6 networks in the corporate offices.
