Balaji J writes:
> Can I know why the DHCP-allocated IP scenario is not considered in
> the IKEv2 RFC or any separate RFC (like RFC 3456 for IKEv1)?

It was considered, but the working group decided that it is too
complicated and decided to include built-in support for address
allocation using configuration payloads. During the discussion in 2003
we had two major proposals: either using DHCP over IKE or using
configuration payloads. DHCP inside the IPsec tunnel was already mostly
ruled out, as it was only done in the first place because the ipsec
working group was forbidden to modify IKE, so that was the only option.

If you are interested in the history and the reasons why we selected
the configuration payload, you can see the discussion on the ipsec list
around the year 2003. This thread seems to be the deciding one:

http://www.vpnc.org/ietf-ipsec/03.ipsec/msg00954.html

> Is it only because CONFIG_PAYLOAD is capable of providing an IP to the
> IRAC during the IKEv2 negotiation itself?

Yes. None of the implementors really liked the way of using DHCP over
the IPsec tunnel to get configuration. That was only done because we
could not change IKE. There are very few implementations that ever
supported RFC 3456.

> What happens when some corporate network providing VPN service to
> its employees wants to allocate IPs to their IRAC IPsec clients
> through their DHCP server rather than through the IKEv2 configuration
> payload?

They will either implement some kind of DHCP proxy system, where the VPN
gateway acts as a DHCP client, gets addresses from the DHCP server and
then gives them out in the configuration payloads, or they simply use a
separate pool of addresses for the remote-access users and give them out
directly from the VPN gateway. This last method is much more common, as
it also solves the routing problems, i.e. the address pool can be an
address set that is always routed to the VPN gateway, without any need
for proxy ARPing or similar.

> Is it not a use case, or is this scenario not expected, or was there
> any draft version also addressing this scenario for IKEv2?

In the normal case it is assumed that corporates will use separate pools
of addresses for local users and for remote-access users: the local
addresses are given out from the DHCP server and the remote-access
addresses are given out using the configuration payload. If needed, the
remote-access addresses can also be fetched from the RADIUS server, i.e.
when the user authenticates himself using EAP or similar, the RADIUS
server also returns the address to be given to that user.
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
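The reply above describes the address-allocation exchange only in words. Below is an added worked example, not code from the mailing-list thread or from any IKEv2 implementation: it encodes and decodes the IKEv2 Configuration Payload as laid out in RFC 7296 section 3.15 (CFG_REQUEST from the IRAC, CFG_REPLY from the gateway, with INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS attributes) and pairs it with the "separate pool on the VPN gateway" design the reply calls the common one. The pool 10.99.0.0/24, the DNS server 10.0.0.53 and the client's suggested address are constructed values; the DHCP-proxy and RADIUS variants are mentioned in the message but not implemented here. The decoder bounds-checks every length field, since the CP arrives inside IKE_AUTH from a peer that is not yet fully trusted.

```python
"""IKEv2 Configuration Payload (RFC 7296 3.15) encoder/decoder plus a gateway-side
address pool. Added example; constructed values, not from any real deployment."""
import ipaddress
import struct

CFG_REQUEST, CFG_REPLY = 1, 2            # CFG Type values (RFC 7296 3.15)
INTERNAL_IP4_ADDRESS = 1                 # attribute types (RFC 7296 3.15.1)
INTERNAL_IP4_DNS = 3
PAYLOAD_TYPE_NONE = 0                    # Next Payload: no further payloads


def encode_cp(cfg_type, attrs, next_payload=PAYLOAD_TYPE_NONE):
    """Build one CP payload. attrs: list of (attribute_type, value_bytes).
    Attribute = R bit (0) + 15-bit type, 16-bit length, value; an empty value
    in a CFG_REQUEST means 'please assign one for me'."""
    body = b""
    for atype, value in attrs:
        if atype > 0x7FFF or len(value) > 0xFFFF:
            raise ValueError("attribute does not fit the wire format")
        body += struct.pack("!HH", atype, len(value)) + value
    header = struct.pack("!BBH", next_payload, 0, 8 + len(body))  # generic hdr
    return header + struct.pack("!B3x", cfg_type) + body          # CFG Type+RESERVED


def decode_cp(data):
    """Parse one CP payload -> (next_payload, cfg_type, [(type, value)]).
    Every length is checked against the buffer so truncated or hostile input
    raises ValueError instead of reading past the end."""
    if len(data) < 8:
        raise ValueError("CP payload too short")
    next_payload, _crit, length = struct.unpack("!BBH", data[:4])
    if length < 8 or length > len(data):
        raise ValueError("bad payload length")
    cfg_type, attrs, off = data[4], [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        raw_type, alen = struct.unpack("!HH", data[off:off + 4])
        if raw_type & 0x8000:
            raise ValueError("reserved R bit set")
        if off + 4 + alen > length:
            raise ValueError("attribute value runs past payload")
        attrs.append((raw_type, bytes(data[off + 4:off + 4 + alen])))
        off += 4 + alen
    return next_payload, cfg_type, attrs


def is_malformed(data):
    """True if decode_cp rejects the bytes (used to show the checks fire)."""
    try:
        decode_cp(data)
        return False
    except ValueError:
        return True


class AddressPool:
    """Gateway-owned pool for remote-access users: a subnet routed to the VPN
    gateway, so no proxy ARP is needed. Pool and DNS values are assumptions."""
    def __init__(self, network="10.99.0.0/24", dns=("10.0.0.53",)):
        self.net = ipaddress.IPv4Network(network)
        self.free = list(self.net.hosts())
        self.dns = [ipaddress.IPv4Address(d) for d in dns]

    def handle_request(self, cp_bytes):
        """Turn the IRAC's CFG_REQUEST into a CFG_REPLY assigning an address."""
        _, cfg_type, attrs = decode_cp(cp_bytes)
        if cfg_type != CFG_REQUEST:
            raise ValueError("expected CFG_REQUEST")
        wanted = None
        for atype, value in attrs:
            if atype == INTERNAL_IP4_ADDRESS and len(value) == 4:
                wanted = ipaddress.IPv4Address(value)  # client's suggestion
        if wanted is not None and wanted in self.free:  # honour only if ours+unused
            addr = wanted
            self.free.remove(addr)
        elif self.free:
            addr = self.free.pop(0)
        else:
            raise RuntimeError("address pool exhausted")
        reply = [(INTERNAL_IP4_ADDRESS, addr.packed)]
        reply += [(INTERNAL_IP4_DNS, d.packed) for d in self.dns]
        return encode_cp(CFG_REPLY, reply)


def client_apply_reply(cp_bytes):
    """IRAC side: extract the assigned address and DNS servers from CFG_REPLY."""
    _, cfg_type, attrs = decode_cp(cp_bytes)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    result = {"address": None, "dns": []}
    for atype, value in attrs:
        if atype == INTERNAL_IP4_ADDRESS and len(value) == 4:
            result["address"] = str(ipaddress.IPv4Address(value))
        elif atype == INTERNAL_IP4_DNS and len(value) == 4:
            result["dns"].append(str(ipaddress.IPv4Address(value)))
    if result["address"] is None:
        raise ValueError("gateway assigned no address")
    return result


if __name__ == "__main__":
    req = encode_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_DNS, b"")])
    print(client_apply_reply(AddressPool().handle_request(req)))
```

The request carries zero-length attributes, which is how the IRAC asks the gateway to pick the address; a 4-byte INTERNAL_IP4_ADDRESS in the request is a suggestion the gateway honours only if it lies in its own pool and is free. Swapping `AddressPool` for a class that obtains the lease from a DHCP server would give the proxy variant the message describes.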