IPsec Remote Access Requirements Scott Kelly IPsec Remote Access Working Group 47th IETF

Current Draft Terminology IRAC - IPsec Remote Access Client IRAS - IPsec Remote Access Server SGW - Security GateWay VIP - Virtual IP address

Requirements Classes Endpoint Authentication Remote Host Device Configuration Security Policy Configuration Mobility

Endpoint Authentication Machine Authentication User Authentication Combination Machine/User Authentication Legacy Compatibility

Remote Host Device Configuration IP address(es)subnet mask(s)broadcast addr(s) host name(s)domain name(s)static route(s) MTUdefault TTLrouter(s) arp cache timeoutip forwarding en/disable nis options source routing options router discovery options servers (smtp, pop, dns/nis, wins, etc) netbios optionsxwindows optionsother options

Security Policy Configuration Remote Client (IRAC) –unrestricted vs restricted internet access while accessing corporate network –permit/deny access to other corporate hosts Server (IRAS/SGW) –dynamic update of policies based on client identity vs. static address-based policies

Mobility Issues Client –IP address may change during session due to DHCP lease expiration Server –Not clear if there are issues here or not

Scenarios Overview dialup/dsl/cablemodem telecommuters extranet users calling home from another corporate net road warriors using arbitrary ISP dialup account roaming wireless users (?) borrowers (airport kiosk) local corp to extranet partner (?) remote user to remote user (?)

Common Requirements User-level authentication usually required for IRAC; user/machine auth sometimes useful Machine authentication for always required for IRAS Device configuration for IRAC almost always useful Some sort of dynamic policy configuration for IRAC is required Dynamic policy configuration for IRAS may be required