BOF
Profiling Use of PKI in IPsec
pki4ipsec
Chairs: Gregory M Lebovitz (gregory@netscreen.com), Steve Hanna (steve.hanna@sun.com)
Pki4ipsec-nov03-agenda
Agenda
• Agenda Bashing - 5 min
• Summary of Effort - 5 min
• Needs Assessment, Steve Hanna – 5 min
• Architecture - 15 min
• Review Existing Docs/Text - 45 min
• Charter Bashing - 45 min
• Next Steps - 10 min
Architecture
• Presentation: http://www.projectdploy.com/draft-dploy-requirements-00.pdf
• Review and discussion
Current Profile Text/Thought
• draft-ietf-ipsec-pki-profile-03.txt – Korver
• Dploy draft – Gregory Lebovitz: http://www.projectdploy.com/draft-dploy-requirements-00.pdf
• Certificate Handling Profiles – P. Hoffman: http://www.vpnc.org/ipsec-pki-profile.pdf
• Clarifying questions on Current Text
Scope
• IPsec Scenarios: s2s VPN and Secure Remote Access VPN
• CMC as the certificate lifecycle management protocol
Proposed Charter Items
• Requirement Document
• Profile Documents
• Certificate Format & Contents
• Certificate Usage and IPsec Payloads (IKEv1, IKEv2)
• Certificate Request/Retrieval by IPsec Peer
• Certificate Lifecycle Management (renewal, revocation, validation)
• Implementation and Interoperability report
Timeline
• 1 year
Next Steps
BACKUP SLIDES FOLLOW
Open Issues
• IKEv1 and IKEv2? In one doc or two docs?
• V1 - Need a way to determine which of potentially many certs is the end entity cert. Could send the EE cert as the first one?
• V1 - Should ID_ipv4/v6_addr, ID_FQDN, ID_USER_FQDN all be MUSTs? Right now only _ADDR is MUST. Is that enough for broad interop?
Need ID for…
• How to find EE cert
• To look up policy for IKE
• Authentication – understand who the sender claims to be, and use that to verify they are who they say they are
• Authorization - To determine IPsec Access Control and treatment
• Logging / Auditing – something meaningful to the network/device operations teams
Anything else missing?
Places to Find ID Elements
• IKE ID Payload
• Cert – SubjectAltName types
• Cert – DN fields/types
• Any one, or combo
IKEv1 Checking Options
• Fill in IKE ID payload w/ something in Cert SubjectAltName and check that the two match
• Just present Cert, and let receiving peer’s local policy determine what they extract and use as ID
• Fill in ID w/ something to match IKE SPD entry on receiving peer, then use some SubjectAltName field (as defined by local policy) to do ACL lookup and IPsec SA setup
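The EE-cert selection problem from the Open Issues slide and checking options 1 and 3 above, as an added illustration that is not part of the deck: a hypothetical receiving-peer model with a minimal Cert dataclass, a constructed SPD shape, and an ID-type-to-SubjectAltName mapping assumed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical minimal certificate model: only the fields the profile
# discussion cares about (subject DN, issuer DN, SubjectAltName entries).
@dataclass
class Cert:
    subject: str
    issuer: str
    san: dict = field(default_factory=dict)  # e.g. {"dNSName": [...], "iPAddress": [...]}

# Assumed mapping: IKEv1 ID payload type -> SAN GeneralName type it must match.
ID_TO_SAN = {
    "ID_IPV4_ADDR": "iPAddress",
    "ID_IPV6_ADDR": "iPAddress",
    "ID_FQDN": "dNSName",
    "ID_USER_FQDN": "rfc822Name",
}

def find_end_entity_cert(chain):
    """Pick the EE cert from an unordered set of CERT payloads: the one that is
    not the issuer of any other cert in the set and is not self-signed.
    Returns None when the answer is ambiguous, so the peer rejects instead of guessing."""
    issuers = {c.issuer for c in chain}
    ee = [c for c in chain if c.subject not in issuers and c.subject != c.issuer]
    return ee[0] if len(ee) == 1 else None

def id_matches_cert(id_type, id_value, cert):
    """Option 1: the IKE ID payload value must literally appear in the EE cert's
    SAN under the GeneralName type that corresponds to the ID type."""
    san_type = ID_TO_SAN.get(id_type)
    if san_type is None:
        return False
    values = cert.san.get(san_type, [])
    if san_type == "iPAddress":
        return id_value in values
    return id_value.lower() in (v.lower() for v in values)  # names compare case-insensitively

def authorize(id_type, id_value, chain, spd):
    """Option 3: the IKE ID selects the SPD entry (and must be bound to the cert);
    the entry's local policy names which SAN type drives the ACL lookup.
    SPD shape is constructed for this example: {(id_type, id_value): {"acl_san_type", "acl"}}."""
    cert = find_end_entity_cert(chain)
    entry = spd.get((id_type, id_value))
    if cert is None or entry is None or not id_matches_cert(id_type, id_value, cert):
        return None
    for san_value in cert.san.get(entry["acl_san_type"], []):
        if san_value in entry["acl"]:
            return entry["acl"][san_value]
    return None  # cert authenticated the ID, but local policy grants it nothing
```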
IKEv1 and IKEv2
• IKEv1 – we will spend most of our time profiling for IKEv1. We will prioritize this.
• IKEv2
Revocation
• Philosophy question: Do we profile use of PKI for authorization?
Contentious Issues to Decide
• Revocation Method and Impact on Cert contents and IKE payloads
• Identity and its correlation to Authentication and Authorization
• Do Request and Retrieval impact the format and payloads document? Or is that orthogonal?