IKE
... IPsec Peer, or simply "Peer",
is any VPN System component that communicates IKE and IPsec to
another Peer in order to create ...
... verify that a PKC being presented to them as the identity in an IKE
transaction has not been revoked.
...
... gateway, or a mix of both. The Peers authenticate themselves in
the IKE negotiation using digital signatures generated with PKCs ...
... Extended Key Usage (EKU) indications are not required. The presence
or lack of an EKU MUST NOT cause an implementation to fail an IKE
connection.
...
... that it has received the PKC, loaded it, and can use it effectively
in an IKE exchange. This requirement exists so that:
...
... signaling to the Peer that it may proceed using
this PKC in IKE connections. The PKI MUST complete all the
...
... end entity will be valid. This will allow the Peer to
continue with uninterrupted IKE connections with the previous PKC
...
... URLs, as such referral lookups will increase the time to complete
the IKE negotiation, and can cause implementations to time out.
...
... information to accomplish these searches MUST be adequately
communicated in the PKCs sent during the IKE transaction.
...
... The use case for accomplishing lookups when PKCs are not sent in IKE
is a stated non-goal of the profile ...
... revocation status of PKCs that are presented to it for IKE identity.
The mechanism should allow for access to extremely fresh revocation ...
...
All PKCs used in IKE MUST have cRLDistributionPoint and
authorityInfoAccess fields populated with valid URLs ...
... Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. ...
