Presentation transcript: BOF Profiling Use of PKI in IPsec (pki4ipsec), IETF 58, 11/10/2003

Slide 1 (11/10/2003, Pki4ipsec-nov03-agenda)
BOF: Profiling Use of PKI in IPsec (pki4ipsec)
Chairs: Gregory M Lebovitz (gregory@netscreen.com), Steve Hanna (steve.hanna@sun.com)

Slide 2: Agenda
Agenda Bashing - 5 min
Summary of Effort - 5 min
Needs Assessment, Steve Hanna - 5 min
Architecture - 15 min
Review Existing Docs/Text - 45 min
Charter Bashing - 45 min
Next Steps - 10 min

Slide 3: Architecture Presentation
http://www.projectdploy.com/draft-dploy-requirements-00.pdf
Review and discussion

Slide 4: Current Profile Text/Thought
draft-ietf-ipsec-pki-profile-03.txt - Korver
Dploy draft - Gregory Lebovitz, http://www.projectdploy.com/draft-dploy-requirements-00.pdf
Certificate Handling Profiles - P. Hoffman, http://www.vpnc.org/ipsec-pki-profile.pdf
Clarifying questions on current text

Slide 5: Scope
IPsec scenarios: site-to-site (s2s) VPN and Secure Remote Access VPN
CMC as the certificate lifecycle management protocol

Slide 6: Proposed Charter Items
1. Requirements Document
2. Profile Documents
   1. Certificate Format & Contents
   2. Certificate Usage and IPsec Payloads (IKEv1, IKEv2)
   3. Certificate Request/Retrieval by IPsec Peer
   4. Certificate Lifecycle Management (renewal, revocation, validation)
3. Implementation and Interoperability Report

Slide 7: Timeline
1 year

Slide 8: Next Steps

Slide 9: BACKUP SLIDES FOLLOW

Slide 10: Open Issues
1. IKEv1 and IKEv2: in one doc or two docs?
2. V1 - Need a way to determine which of potentially many certs is the end-entity cert. Could the EE cert be sent as the first one?
3. V1 - Should ID_IPV4_ADDR/ID_IPV6_ADDR, ID_FQDN and ID_USER_FQDN all be MUSTs? Right now only _ADDR is a MUST. Is that enough for broad interop?

Slide 11: Need ID for...
1. Finding the EE cert
2. Looking up policy for IKE
3. Authentication - understand who the sender claims to be, and use it to verify they are who they say they are
4. Authorization - to determine IPsec access control and treatment
5. Logging / Auditing - something meaningful to the network/device operations teams
Anything else missing?

Slide 12: Places to Find ID Elements
IKE ID payload
Cert - SubjectAltName types
Cert - DN fields/types
Any one, or a combination

Slide 13: IKEv1 Checking Options
1. Fill in the IKE ID payload with something in the cert's SubjectAltName and check that the two match
2. Just present the cert, and let the receiving peer's local policy determine what it extracts and uses as the ID
3. Fill in the ID with something to match an IKE SPD entry on the receiving peer, then use some SubjectAltName field (as defined by local policy) to do the ACL lookup and IPsec SA setup
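To make the slide 11 and slide 13 distinctions concrete, the following is an added example and not part of the BOF material or any of the cited drafts. It decodes an ISAKMP Identification payload (RFC 2408 generic header plus the RFC 2407 protocol/port fields and ID type codes), implements checking option 1 (the IKE ID must equal a SubjectAltName entry of the corresponding type) and checking option 3 (the IKE ID selects the SPD entry, and a SAN type named by local policy drives the ACL lookup). Everything else is constructed: the SAN list is a plain list of (type, value) tuples standing in for a parsed certificate extension, the SPD and ACL tables are toy dictionaries, and the addresses, names and proposal string are made up. DN-based identities from slide 12 are not covered.

```python
"""IKEv1 peer-identity checking against a certificate's subjectAltName.

Added example. SAN entries, SPD and ACL tables, names and addresses are
all constructed; no real certificate is parsed.
"""
import ipaddress
import struct

# ISAKMP Identification Type values from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5

# subjectAltName GeneralName choice that each IKE ID type is compared against.
ID_TYPE_TO_SAN = {
    ID_IPV4_ADDR: "iPAddress",
    ID_IPV6_ADDR: "iPAddress",
    ID_FQDN: "dNSName",
    ID_USER_FQDN: "rfc822Name",
}

# Next payload, reserved, payload length, ID type, protocol ID, port.
ID_HDR = struct.Struct("!BBHBBH")


def build_id_payload(id_type, ident, next_payload=0, proto_id=17, port=500):
    """Encode an ISAKMP ID payload (RFC 2408 section 3.8 generic header plus the
    RFC 2407 DOI-specific protocol/port fields). Used here to construct input."""
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        body = ipaddress.ip_address(ident).packed
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        body = ident.encode("ascii")
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return ID_HDR.pack(next_payload, 0, ID_HDR.size + len(body), id_type, proto_id, port) + body


def parse_id_payload(data):
    """Decode an ISAKMP ID payload into (id_type, identity string), rejecting
    truncated or mis-sized payloads instead of guessing at their contents."""
    if len(data) < ID_HDR.size:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _reserved, length, id_type, _proto, _port = ID_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} disagrees with {len(data)} bytes received")
    body = data[ID_HDR.size:]
    if id_type == ID_IPV4_ADDR:
        if len(body) != 4:
            raise ValueError("ID_IPV4_ADDR body must be 4 bytes")
        return id_type, str(ipaddress.IPv4Address(body))
    if id_type == ID_IPV6_ADDR:
        if len(body) != 16:
            raise ValueError("ID_IPV6_ADDR body must be 16 bytes")
        return id_type, str(ipaddress.IPv6Address(body))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return id_type, body.decode("ascii")
    raise ValueError(f"unsupported ID type {id_type}")


def normalize(san_type, value):
    """Canonical form for comparison: addresses via ipaddress, names case-folded."""
    if san_type == "iPAddress":
        return str(ipaddress.ip_address(value))
    return value.lower()


def id_matches_cert(id_type, ident, san_entries):
    """Checking option 1: the IKE ID must equal a SAN entry of the corresponding
    type, so the identity the peer claims is one the CA actually bound to its key."""
    san_type = ID_TYPE_TO_SAN[id_type]
    target = normalize(san_type, ident)
    return any(t == san_type and normalize(t, v) == target for t, v in san_entries)


def authorize(id_payload, san_entries, spd, acl):
    """Checking option 3: the IKE ID selects the SPD entry; local policy names
    which SAN type then drives the ACL lookup for IPsec SA setup.
    Returns the selected policy and ACL selectors, or None when any step fails."""
    id_type, ident = parse_id_payload(id_payload)
    if not id_matches_cert(id_type, ident, san_entries):
        return None  # authentication: the claimed ID is not in the cert
    policy = spd.get((id_type, normalize(ID_TYPE_TO_SAN[id_type], ident)))
    if policy is None:
        return None  # no IKE policy for this peer identity
    acl_type = policy["acl_san_type"]
    for t, v in san_entries:
        key = (t, normalize(t, v))
        if t == acl_type and key in acl:
            return {"policy": policy, "selectors": acl[key]}
    return None  # authorization: no ACL entry for any SAN of the configured type


# Constructed peer-certificate SAN and receiving-gateway policy tables.
PEER_SAN = [("dNSName", "gw1.example.com"), ("iPAddress", "192.0.2.1")]
SPD = {(ID_FQDN, "gw1.example.com"): {"ike_proposal": "constructed-proposal-1", "acl_san_type": "iPAddress"}}
ACL = {("iPAddress", "192.0.2.1"): ["10.0.0.0/8 <-> 10.1.0.0/16"]}

if __name__ == "__main__":
    payload = build_id_payload(ID_FQDN, "GW1.Example.COM")  # constructed; mixed case on purpose
    print(authorize(payload, PEER_SAN, SPD, ACL))
```

The three return points in authorize correspond to three of the slide 11 needs: failing id_matches_cert is an authentication failure, a missing SPD entry is a policy-lookup failure, and a missing ACL entry is an authorization failure. Keeping them separate gives the operations team distinguishable log events, which is the fifth need on that slide.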

Slide 14: IKEv1 and IKEv2
IKEv1 - we will spend most of our time profiling for IKEv1. We will prioritize this.
IKEv2

Slide 15: Revocation
Philosophy question: do we profile use of PKI for authorization?

Slide 16: Contentious Issues to Decide
Revocation method and its impact on cert contents and IKE payloads
Identity and its correlation to authentication and authorization
Do request and retrieval impact the format and payloads document, or are they orthogonal?
