Profiling Use of PKI in IPSEC BOF (pki4ipsec)
Thursday, November 13 at 0900-1130
==================================
CHAIRS: Gregory M. Lebovitz ([email protected])
        Trevor Freeman ([email protected])
AGENDA:
Agenda Bashing - 10 min
Summary of Effort - 10 min
Architecture - 15 min
  http://www.projectdploy.com/draft-dploy-requirements-00.pdf
Discussion on Architecture - 15 min
Review Current Docs - 30 min
  Profile Draft
  draft-ietf-ipsec-pki-profile-03.txt
  draft-dploy-requirements-00.pdf (see link above)
Certificate Handling Profiles - Paul Hoffman - 15 min
Discussion on Docs - 20 min
  What do we have vs what more we need
Charter Bashing - 25 min
Next Steps - 10 min
DESCRIPTION:
IPsec has been standardized for over 5 years, and the use of
PKI X.509 certificates has been specified within the IPsec
standards for the same time. However, very few IPsec
deployments use certificates. One reason is the lack of a
certificate profile or description about how the various
elements of a PKI ought to be constructed and how the
contents ought to be populated for use with IPsec. In
addition, the handling of certificates in various IPsec use
cases requires better description. The lack of such
specifications has yielded PKI systems whose support for
IPsec applications is too obscure, complex, and often
feature-incomplete. Also, support within the IPsec systems
for interaction with the PKI is often equally complex and
incomplete, leaving deployers without interoperability.

Within IPsec VPNs, the PKI supports authentication of peers
through digital signatures during security association
establishment using IKE. The PKI Lifecycle needs to be
profiled for IKE usage. The lifecycle for PKI usage within
IPsec transactions includes:
- pre-authorization of certificate issuance,
- enrollment process (certificate request and retrieval),
- certificate renewals and changes,
- revocation,
- validation, and
- repository lookups.

A robust certificate management scheme is needed to empower
operators in large-scale deployment and management efforts.
Multiple competing and incomplete protocols for certificate
acquisition, renewal and revocation exist today. Deployers
struggle to get products that support these technologies to
work together nicely in order to accomplish their goals.

To address certificate lifecycle management, the CMC
protocol and its operational usage will be profiled in order to
define a common, single set of methods (which forces
interoperability) between PKI systems and IPsec systems. The
requirements address the entire lifecycle for PKI usage
within IPsec transactions. They enable an IPsec operator to:
- format and use certificates for IPsec devices
  that will interoperate
- authorize batches of certificate issuances based on
  locally defined criteria
- provision PKI-based user and/or machine identity to
  IPsec peers, on a large scale
- set the corresponding gateway and/or client
  authorization policy for remote access and site-to-site
  connections
- establish automatic renewal for certificates
- ensure timely revocation information is available
  and retrievable

Requirements for both the IPsec and the PKI products will be
addressed. The goal is to create a set of requirements from
which a specification document will be derived. The
requirements are carefully designed to achieve security
without compromising ease of management and deployment, even
where the deployment involves tens of thousands of IPsec
users and devices. CMC will be profiled for how to address
these requirements.
SCOPE
The solution focuses on the needs of large-scale deployments.
Gateway-to-gateway access and end-user remote access (to a
gateway) are both covered. We will describe a VPN
Administrative function and its communication with the IPsec
Peers in the IPsec System.
NON-GOALS
The specification for the communication method and
transactions between Admin and Peers is up to vendor
implementation and therefore is not included in the
pki4ipsec specification documents. Such a protocol may be
standardized at a later date to enable interoperability
between Admin stations and IPsec Peers from different
vendors, but is far beyond the scope of this current effort.
The scope is limited to requirements for easing and enabling
scalable PKI-enabled IPsec deployments. Purely PKI to PKI
issues will not be addressed. Cross-certification will not
be addressed. Long term non-repudiation will also not be
addressed.
THE WG WILL PRODUCE:
1) An informational document(s) describing and identifying
   the detailed requirements for any protocol/profile in this
   area, along with an architectural view of any such solution
   that the profile or protocol addresses.
2) A standards-track document(s) describing the details of
   the adopted or developed profile/protocol, including:
   - Cert format profile
   - Cert usage profile
   - Cert request/acquisition
   - Cert lifetime management (including renewal,
     revocation, validation)
READING LIST:
draft-ietf-ipsec-pki-profile-03.txt (79144 bytes)
http://www.projectdploy.com
http://www.projectdploy.com/draft-dploy-bizcase-00.pdf
http://www.projectdploy.com/draft-dploy-requirements-00.pdf
MAIL LIST:
List: [email protected]
To Subscribe, See: http://honor.icsalabs.com/mailman/listinfo/pki4ipsec
Archive: http://honor.icsalabs.com/mailman/listinfo/pki4ipsec