Re: US Air Force IPSEC Requirements

[Robert Moskowitz <rgm3@chrysler.com>]

At 05:03 PM 11/25/97 -0600, Boyter, Brian A. wrote:
>First, I would like to introduce myself...

Hello Brian, glad to see you go 'public'  :)

>The USAF recently completed a hasty evaluation of several
>IPSEC products...   Most products would work fine for a
>small organization, but do not scale to an enterprise the size
>of the USAF (500,000 computers)...

This is definitely on my agenda also.

>1. 	The Department of Defense will soon deploy a Public
>Key Infrastructure (PKI)...   The IPSEC products need to
>use this existing PKI (not require a separate keying product)...

I do not understand this one.  Granted there is no interoperability in CA
products yet, so IPsec vendors have to pick and choose their product
interop based on market demand.  I am testing with cross-certified CAs.
This is more of a PKIXs issue than an IPsec issue.

BTW, our PKIs will have to cross-ceritify and we will have to work out the
trust model (many of my suppliers are your suppliers...).

>2. 	The USAF uses HP OpenView as its standard SNMP
>management product...   Error logging and other IPSEC status
>information needs to interoperate with OpenView...

There is growing discussion on MIBs for firewalls, security tunnels and
other thingees.  This will be discussed at DC to decide what direction to
take.

>3. 	The USAF needs to be able to manage the IPSEC security
>policy sanely...   An example of a USAF IPSEC security policy
>might be:  "all USAF computers can talk to all other USAF
>computers using DES, all other computers it talks in-the-clear"...
>It will not be possible to manage 500,000 different rule sets...
>The security policy must be made simple...    We need the X.500 
>equivalent
>of *.mil,  *.af.mil,  *.lackland.af.mil,  and *.hospital.*.af.mil so 
>that
>we can generate rule sets using these wild cards...   I don't think
>rules based on IP addresses will work either...

This should be easy for those products that allow for trust rules based on
certificate content.  For me it might be *.anx.*  ;)

>I'm not including interoperability in the above list because the ANX
>has done a good job of making that requirement visible....

thank you.  More to do...

>But if each IPSEC 
>product
>requires a management console at each air force base, then that can
>add up to millions of dollars, thousands of man hours, training costs, 
>etc...

But you will need a secure protocol for the management.  SNMP does not seem
to fit that target.  Perhaps SNMP in an IPsec tunnel :)

>2. I'm also trying to point out that there is no standard (that I can 
>find) for
>representing, storing, or disseminating the security policy....

Do we have a model for security policy, or rather models?

One idea I am playing with is to right the security policy in PolicyMaker
and put it in a certificate from the policy server....

>Although these are Air Force requirements, I'm sure the same
>requirements will exist for any large enterprise contemplating the 
>use
>of IPSEC products...

I hear these things over and over again.

>I plan to be at the IETF meeting in December and will be glad to
>speak to anyone about these issues...    Perhaps an IPSEC security
>policy BOF could even be arranged???

More likely night get togethers.  But policy is one of the items on for
discussion for IPsecond at the workgroup session.

BTW>>>>>>

I have been in discussion with NCSA on developing a rigorous certification
program for IPsec products.  More on this soon.....



Robert Moskowitz
Chrysler Corporation
(810) 758-8212

---

References:

• US Air Force IPSEC Requirements
• From: "Boyter, Brian A." <boyter@afiwc01.af.mil>

---

• Prev by Date: I-D ACTION:draft-ietf-ipsec-esp-v2-02.txt
• Next by Date: Info on ANX interoperability workshops
• Prev by thread: US Air Force IPSEC Requirements
• Next by thread: Re: US Air Force IPSEC Requirements
• Index(es):
  • Main
  • Thread