RFC 4809: Requirements for an IPsec Certificate Man...
RFC-Ref

VPN



... PKC lifecycle transactions between [IPsec] VPN Systems using IKE ([IKEv1 ...
... (PKC) lifecycle transactions between different VPN System and PKI System products in order to better enable large scale, PKI-enabled ...
... PKC lifecycle for PKI-enabled VPN System: authorization (of PKC issuance), ...
... lookups. These transactions enable a VPN Operator to: - Use a VPN Administration function (Admin), which is introduced in this document, to manage PKC authorization and possibly act as the sole interface for the VPN System and the PKI System. ...
... requirements are intended to be used to profile a certificate management protocol that the VPN System will use to communicate with the PKI System. Note that this profile ...
... IPsec System deployments, and do so as quickly as possible. For example, a VPN Operator should be able to use any conforming IPsec implementation (VPN Administration or IPsec Peer) of the certificate ...
... PKI vendor's implementation to perform the VPN rollout and management. ...
... addresses requirements on transactions between the VPN Systems and the PKI Systems and between the VPN Administration and IPsec Peers. The requirements ...
... requirements strive to meet eighty percent of the market needs for large-scale deployments (i.e., VPNs including hundreds or thousands of managed VPN gateways or VPN remote access clients). Environments will understandably exist in which large- ...
... excluded, but are intentionally not a focus. Only VPN-PKI transactions that ease and enable scalable PKI-enabled IPsec ...
... The protocol specification for the VPN-PKI interactions will not be addressed. ...
... The protocol specification for the VPN Administrator to Peer transactions ...
... vendor proprietary. These interactions may be standardized later to enable interoperability between VPN Administration function stations and IPsec Peers from different vendors ...
... VPN System The VPN System is comprised of the VPN Administration function (defined below), the IPsec Peers, and the communication mechanism between the VPN Administration and the IPsec Peers. VPN System is defined in more detail in Section 2.1. ...
... detail in Section 2.2. (VPN) Operator The Operator is the person or group of people that define security policy and configure the VPN System to enforce that policy, with the VPN Administration function. IPsec Peer ...
... For the purposes of this document, an IPsec Peer, or simply "Peer", is any VPN System component that communicates IKE and IPsec to ...
... streams. See Section 2.1.1 for more details. (VPN) Admin The Admin is the VPN System function that interacts with the PKI System to establish PKC provisioning for the VPN connections. See Section 2.1.2 for more details. ...
... IPsec Peer is certainly an end entity, but the VPN Admin can also constitute an end entity. Note that end entities ...


... PKI-supported IPsec VPN deployment. First, an explanation of the VPN System is presented. Second, key points about the PKI System are stated. Third, the VPN-PKI architecture is presented. ...
... VPN System ...
... The VPN System consists of the IPsec Peers and the VPN Administration function, as depicted in Figure 1. ...
... Figure 1: VPN System (ASCII diagram of the IPsec Peers and the VPN Admin Function inside the VPN System box; the drawing itself is not recoverable from this excerpt) ...
... VPN Administration Function (Admin) ...
... This document defines the notion of a VPN Administration function, hereafter referred to as Admin, and gives the Admin great responsibility within the VPN System. The Admin is a centralized function used by the Operator to interact with the PKI System to ...
... It is important to note that, within this document, the Admin is neither a device nor a person; rather, it is a function. Every large-scale VPN deployment will contain the Admin function. The function can be performed on a stand-alone workstation, on a gateway, ...
... CP) [FRAME] for use in a VPN System. The PKC's characteristics and contents are a function of the CP. In VPN Systems, the Operator chooses to strengthen the VPN by using PKI; PKI is a bolt-on to the VPN System. The Operator will configure local security policy in part through the Admin and its authorized PKI-enabled ...
... to the pre-agreed template). Templates will be agreed in an out-of-band mechanism by the VPN Operator and the PKI Operator. It will receive back from the PKI ...
... (managed PKI service), or be integrated with the VPN product. ...
... This framework assumes that all components of the VPN obtain PKCs from a single PKI ...
... VPN-PKI Interaction ...
... The interaction between the VPN System and the PKI System is the key focus of this requirements ...
... Figure 3. Architectural Framework for VPN-PKI Interaction Requirements (ASCII diagram showing the [G][E][L][R] transactions between the VPN Admin Function and the PKI System; the drawing itself is not recoverable from this excerpt) ...


... profile MUST specify the [A], [E], [L], and [R] transactions between VPN and PKI Systems. To support these transactions ...
... document assume on-line availability of the Admin for the life of the VPN System. ...
... assume on-line availability of the PKI for the life of the VPN System. Off-line ...
... Off-line interaction between the VPN and PKI Systems (i.e., where physical media ...
... A PKC used for identity in VPN-PKI transactions MUST include all the [CERTPROFILE] mandatory fields. It MUST also contain contents ...
... transactions [IKECERTPROFILE] and VPN-PKI transactions (in the certificate management ...
... The protocol for the VPN-PKI transactions MUST specify error handling for each transaction ...
... interoperability efforts between the PKI and VPN System products. ...
... The authorization scenario for VPN-PKI transactions involves a two- step process: an authorization request and an authorization ...
... PKCs or batches of PKC issuances based on a pre-agreed template. This template is agreed by the VPN Operator and PKI Operator and is referred to in each authorization ...
... request. This allows the authorization requests to include the minimal amount of information necessary to support a VPN System. The Admin can send the PKI System ...
... Requirements for PKC fields used in VPN-PKI transactions are specified in Section 3.1.6. ...
... When the VPN Operator and PKI Operator pre-agree on a template, they MUST also agree on the local policy regarding PKC renewal ...
... Admin function pre-authorize PKCs, but Operator 2 is the one doing batch enrollments and VPN device configurations. ...
... Figure 9. VPN-PKI Interaction Steps: IPsec Peer Generates Keys and PKC Request ...
... Figure 10. VPN-PKI Interaction Steps: IPsec Peer Generates Keys and PKC Request ...
... Figure 11. VPN-PKI Interaction Steps: IPsec Peer Generates Keys, Admin Constructs and ...
... Figure 12. VPN-PKI Interaction Steps: Admin Generates Keys and PKC Request, and Enrolls Directly ...
... Figure 13. VPN-PKI Interaction Steps: PKI Generates Keys, PKC Request ...
... Admins manage rekeys to ensure uninterrupted use of the VPN by Peers with new keys. Rekeys can occur automatically if the Admin is configured to initiate a new authorization ...
... Admins manage renewals to ensure uninterrupted use of the VPN by Peers with the same key pair. ...
... end entity and must specify the new contents. Admin then initiates the update request with the given contents in whichever mechanism the VPN System employs (direct from end entity to PKI, from end entity ...
... verification based on the fields of the PKC and parameters applicable to the VPN Security Association. The fields of the PKC ...
... mechanism for authorization that provides more immediate access deactivation should be layered into the VPN deployment. Such a second mechanism is out of the scope of this profile. (Examples are ...


... Project Dploy. The principal editor of that document was Gregory M. Lebovitz (NetScreen/Juniper). Contributing authors included Lebovitz, Paul Hoffman (VPN Consortium), Hank Mauldin (Cisco Systems), and Jussi Kukkonen (SSH Communications Security ...


