RFC 4809: Requirements for an IPsec Certificate Man...

IPsec



... PKI System products in order to better enable large scale, PKI-enabled IPsec deployments with a common set of transactions. Requirements ...
... transactions. Requirements for both the IPsec and the PKI products are discussed. The requirements ...
... deployment, even where the deployment involves tens of thousands of IPsec users and devices. The requirements ...
... - Provision PKI-based user or machine identity to IPsec Peers, on a large scale. ...
... PKIX (PKI for X.509 Certificates) and IPsec standards to limit the complexity of deployment. Some requirements ...
... requirements and profile documents is that both IPsec and PKI vendors create ...
... vendors create interoperable products to enable large-scale IPsec System deployments, and do so as quickly as possible. For example, a VPN ...
... possible. For example, a VPN Operator should be able to use any conforming IPsec implementation (VPN Administration or IPsec Peer) of ...
... conforming IPsec implementation (VPN Administration or IPsec Peer) of the certificate management ...
... PKI Systems and between the VPN Administration and IPsec Peers. The requirements strive to meet eighty percent of the market needs for large-scale deployments ...
... VPN-PKI transactions that ease and enable scalable PKI-enabled IPsec deployments are addressed. ...
... standardized later to enable interoperability between VPN Administration function stations and IPsec Peers from different vendors, but are far beyond the scope of this current effort, and ...
... VPN System is comprised of the VPN Administration function (defined below), the IPsec Peers, and the communication mechanism between the VPN Administration and the IPsec Peers ...
... IPsec Peers, and the communication mechanism between the VPN Administration and the IPsec Peers. VPN System is defined in more detail in Section 2.1. ...
... VPN Administration function. IPsec Peer (Gateway or Client) ...
... Gateway or Client) For the purposes of this document, an IPsec Peer, or simply "Peer", is any VPN System component that communicates IKE ...
... is any VPN System component that communicates IKE and IPsec to another Peer in order to create an IPsec Security Association ...
... IPsec to another Peer in order to create an IPsec Security Association for communications. It can be either a traditional security gateway ...
... network and one for the unprotected network) or an IPsec client (with a single network interface ...
... network interface). In both cases, the Peer can pass traffic with no IPsec protection, and can add IPsec protection to chosen traffic ...
... traffic with no IPsec protection, and can add IPsec protection to chosen traffic streams. See Section 2.1.1 for more details. ...
... associated with a PKC to digitally sign data. In this document, an IPsec Peer is certainly an end entity, but the VPN Admin can also ...


... architecture for a PKI-supported IPsec VPN deployment. First, an explanation of the VPN System is ...
... The VPN System consists of the IPsec Peers and the VPN Administration function, as depicted in Figure 1. ...
[Figure 1 diagram: IPsec Peer 1 <=======================> IPsec Peer 2]
... The Peers are two entities between which establishment of an IPsec Security Association is required. Two Peers are shown in Figure 1, but implementations can support an actual number in the hundreds or thousands. The Peers can be gateway ...
... options, and PKC fields) for groups of IPsec Peers. The Admin also authorizes PKC ...
... such, the Admin's architecture and the means by which it interacts with the participating IPsec Peers will vary widely from implementation to implementation. However, some basic functions of the Admin are assumed. ...
... PKC. - It will deliver instructions to the IPsec Peers, and the Peers will carry out those instructions (e.g., Admin passes Peer information necessary to generate keys and PKC request ...
... PKCs from a single PKI community. An IPsec Peer can accept a PKC from a Peer that is from a CA ...
[Diagram: IPsec Peer 1 <========[I]========> IPsec Peer 2]
... PKC response
[I] = IKE and IPsec communication
[L] = Lifecycle: Rekey, renewal, update ...


... off-line". It can, in some environments, be "moving media" (i.e., the configuration or data is loaded on to a floppy disk or other media and physically moved to the IPsec Peers). Likewise, it can be entered directly on the IPsec Peer via a User Interface ...
... floppy disk or other media and physically moved to the IPsec Peers). Likewise, it can be entered directly on the IPsec Peer via a User Interface (UI). In this case, the Admin function is co-located ...
... It is preferable that the PKC profiles for IPsec transactions [IKECERTPROFILE ...
... wants the PKI to issue to a group of IPsec Peers. In other words, it tells the PKI System, "if you see a PKC request ...
... Requirements for PKC fields used in IPsec transactions are specified in [IKECERTPROFILE ...
... interoperability efforts between the PKI and IPsec products. ...
... key pairs. Key generation can occur in one of three places, depending on local requirements: at the IPsec Peer, at the Admin, or at the PKI. The PKC request ...
... at the PKI. The PKC request can come from either the IPsec Peer, a combination of the Peer and the Admin, or not at all. ...
... Generation Method 1: IPsec Peer Generates Key Pair, Constructs ...
... Figure 5. Generation Interactions: IPsec Peer Generates Key Pair and Constructs PKC Request ...
... Generation Method 2: IPsec Peer Generates Key Pair, Admin ...
... This option also supports IPsec Peer generation of a key pair, but removes ...
... Figure 6. Generation Interactions: IPsec Peer Generates Key Pair, Admin Constructs PKC Request ...
... requirements, where the same PKCs are used for other functions in addition to IPsec and key recovery is required (e.g., for local data encryption), so key escrow from the Peer is needed. If key ...
... Figure 8. Generation Interactions: IPsec Peer Generates Key Pair, Admin Constructs PKC Request ...
... greatly aid interoperability efforts between the PKI and IPsec products. ...
... In this case, the IPsec Peer only communicates with the PKI after being commanded to do so by the Admin. This enrollment mode is ...
... (Section 3.3.1) steps are not shown. Most IPsec Systems have enough CPU power to generate a public and private key pair ...
... CPU power to generate a public and private key pair of sufficient strength for secure IPsec. In this case, the end entity needs to prove to the PKI ...
... Figure 9. VPN-PKI Interaction Steps: IPsec Peer Generates Keys and PKC Request, Enrolls Directly with PKI ...
... PKI 1) Enrollment Request [E]. The IPsec Peer sends PKC requests to the PKI ...
... In this case, the IPsec Peer has generated the key pair and the PKC request, but does not enroll directly to the PKI System ...
... the Admin receives the PKC response, it automatically forwards it to the IPsec Peer. Most IPsec Systems ...
... IPsec Peer. Most IPsec Systems have enough CPU power to generate a public and private key pair ...
... CPU power to generate a public and private key pair of sufficient strength for secure IPsec. In this case, the end entity needs to prove to the Admin that it has such a ...
... Figure 10. VPN-PKI Interaction Steps: IPsec Peer Generates Keys and PKC Request, Enrolls Through Admin ...
... 1) Opaque Transaction [E]. The IPsec Peer requests a PKC from the Admin, providing the generated public key ...
... Opaque Transaction [E]. The Admin forwards the enrollment response back to the IPsec Peer. 5) Opaque ...
... In this case, the IPsec Peer has generated the key pair, but the PKC request is constructed and signed by the Admin. The PKI System ...
... enrollment. Once the Admin retrieves the PKC, it then automatically forwards it to the IPsec Peer along with the key pair. ...
... key pair. Some IPsec Systems do not have enough CPU power to generate a public and private key pair ...
... CPU power to generate a public and private key pair of sufficient strength for secure IPsec. In this case, the Admin needs to prove to the PKI that it has such a key pair ...
... private key will eventually be sent over the wire (though hopefully securely so) from Admin to the IPsec Peer; whenever possible, it is preferred to keep a key within its cryptographic boundary of origin. Failing to ...
... Figure 11. VPN-PKI Interaction Steps: IPsec Peer Generates Keys, Admin Constructs and Signs PKC Request, Enrolls through Admin ...
... Opaque Transaction [E]. The Admin forwards the enrollment response back to the IPsec Peer. 4) Opaque ...
... the Admin retrieves the PKC, it then automatically forwards it to the IPsec Peer along with the key pair. ...
... key pair. Some IPsec Systems do not have enough CPU power to generate a public and private key pair ...
... CPU power to generate a public and private key pair of sufficient strength for secure IPsec. In this case, the Admin needs to prove to the PKI that it has such a key pair ...
... private key will eventually be sent over the wire (though hopefully securely so) from Admin to the IPsec Peer; whenever possible, it is preferred to keep a key within its cryptographic boundary of origin. Failing to ...
... Opaque Transaction [E]. The Admin forwards the enrollment response back to the IPsec Peer, along with the keys. 4) Opaque ...
... authorization request. The PKI returns to the IPsec Peer through the Admin, the final product of a key pair and PKC ...
... private key will eventually be sent over the wire (though hopefully securely so) from Admin to the IPsec Peer; whenever possible, it is preferred to keep a key within its cryptographic boundary of origin. Failing to do so opens the ...
... Opaque Transaction [E]. The Admin forwards the enrollment response back to the IPsec Peer, along with the keys. 3) Opaque ...
... interoperability efforts between the PKI and IPsec products. The profile ...
... interoperability efforts between the PKI and IPsec products. ...
... PKCs MAY have extendedKeyUsage to help identify the proper PKC for IPsec, though the default behavior is to not use them (see 3.1.5.3). IPsec Peers ...
... IPsec, though the default behavior is to not use them (see 3.1.5.3). IPsec Peers MUST be able to resolve Internet domain names and support ...
... lookups. IPsec Peers should cache PKCs to reduce latency ...
... interoperability efforts between the PKI and IPsec products. ...
... The IPsec Peer MUST perform identity verification based on the fields ...
... CA key roll-over. IPsec Systems have an OPTION to turn off revocation checking. This may be desired when the two Peers are communicating over a network ...
... interoperability efforts between the PKI and IPsec products. ...