Profiling Use of PKI in IPSEC BOF (pki4ipsec)

Thursday, November 13 at 0900-1130
==================================

CHAIRS: Gregory M. Lebovitz (gregory@netscreen.com)
        Trevor Freeman (trevorf@windows.microsoft.com)

AGENDA:

Agenda Bashing - 10 min
Summary of Effort - 10 min
Architecture - 15 min
    http://www.projectdploy.com/draft-dploy-requirements-00.pdf
Discussion on Architecture - 15 min
Review Current Docs - 30 min
    Profile Draft draft-ietf-ipsec-pki-profile-03.txt
    draft-dploy-requirements-00.pdf (see link above)
Certificate Handling Profiles - Paul Hoffman - 15 min
Discussion on Docs - 20 min
    What do we have vs what more we need
Charter Bashing - 25 min
Next Steps - 10 min

DESCRIPTION:

IPsec has been standardized for over 5 years, and the use of PKI X.509 certificates has been specified within the IPsec standards for the same time. However, very few IPsec deployments use certificates. One reason is the lack of a certificate profile or description about how the various elements of a PKI ought to be constructed and how the contents ought to be populated for use with IPsec. In addition, the handling of certificates in various IPsec use cases requires better description.

The lack of such specifications has yielded PKI systems whose support for IPsec applications is too obscure and complex, and often feature-incomplete. Also, support within the IPsec systems for interaction with the PKI is often equally complex and incomplete, leaving deployers without interoperability.

Within IPsec VPNs, the PKI supports authentication of peers through digital signatures during security association establishment using IKE. The PKI Lifecycle needs to be profiled for IKE usage. The lifecycle for PKI usage within IPsec transactions includes:

- pre-authorization of certificate issuance,
- enrollment process (certificate request and retrieval),
- certificate renewals and changes,
- revocation,
- validation, and
- repository lookups.

A robust certificate management scheme is needed to empower operators in large-scale deployment and management efforts. Multiple competing and incomplete protocols for certificate acquisition, renewal and revocation exist today. Deployers struggle to get products that support these technologies to work together nicely in order to accomplish their goals.

To address life cycle certificate management, the CMC protocol and operational usage will be profiled in order to define a common, single set of methods (which forces interoperability) between PKI systems and IPsec systems.

The requirements address the entire lifecycle for PKI usage within IPsec transactions. They enable an IPsec operator to:

- format and use certificates for IPsec devices that will interoperate
- authorize batches of certificate issuances based on locally defined criteria
- provision PKI-based user and/or machine identity to IPsec peers, on a large scale
- set the corresponding gateway and/or client authorization policy for remote access and site-to-site connections
- establish automatic renewal for certificates
- ensure timely revocation information is available and retrievable

Requirements for both the IPsec and the PKI products will be addressed. The goal is to create a set of requirements from which a specification document will be derived. The requirements are carefully designed to achieve security without compromising ease of management and deployment, even where the deployment involves tens of thousands of IPsec users and devices. CMC will be profiled for how to address these requirements.

SCOPE

The solution focuses on the needs of large-scale deployments. Gateway-to-gateway access and end-user remote access (to a gateway) are both covered. We will describe a VPN Administrative function and its communication with the IPsec Peers in the IPsec System.

NON-GOALS

The specification for the communication method and transactions between Admin and Peers is up to vendor implementation and therefore is not included in the pki4ipsec specification documents. Such a protocol may be standardized at a later date to enable interoperability between Admin stations and IPsec Peers from different vendors, but is far beyond the scope of this current effort.

The scope is limited to requirements for easing and enabling scalable PKI-enabled IPsec deployments. Purely PKI to PKI issues will not be addressed. Cross-certification will not be addressed. Long term non-repudiation will also not be addressed.

THE WG WILL PRODUCE:

1) An informational document(s) describing and identifying the detailed requirements for any protocol/profile in this area, along with an architectural view of any such solution that the profile or protocol addresses.

2) A standards-track document(s) describing the details of the adopted or developed profile/protocol, including:
   - Cert format profile
   - Cert usage profile
   - Cert request/acquisition
   - Cert lifetime management (including renewal, revocation, validation)

READING LIST:

draft-ietf-ipsec-pki-profile-03.txt (79144 bytes)
http://www.projectdploy.com
http://www.projectdploy.com/draft-dploy-bizcase-00.pdf
http://www.projectdploy.com/draft-dploy-requirements-00.pdf

MAIL LIST:

List: pki4ipsec@honor.icsalabs.com
To Subscribe, See: http://honor.icsalabs.com/mailman/listinfo/pki4ipsec
Archive: http://honor.icsalabs.com/mailman/listinfo/pki4ipsec