
Re: Basic IKE authentication question

I had what amounts to the same question, and turned it into a very modest
paper for a graduate course in network security I just finished.

The issue is, in essence: how can you manage a very large VPN using
IPsec?  Suppose you want to set up a world-wide VPN with approximately 200
entry points into a public cloud.  This is more than theoretical.  I work
at the State Department, where it would be useful to use IPsec to set up
encrypted tunnels between more than 200 posts throughout the world.  This
works out to be a large number of bilateral relationships.  They can each
be negotiated, but some central authority still has to keep track of who
can talk to whom, even if the key distribution is handled by IKE.  If you
have 200 posts and want to add (or modify) post 201, the existing 200 need
to know that it's OK to talk to number 201, but they have to negotiate an
encrypted tunnel and verify each other's certificates.

The existing protocols allow use of route summarization and wild cards,
but if each tunnel point is a local ISP in a different country, this
doesn't help much since you have 200 unrelated IP addresses to deal with.
So the conclusion I drew was that most of the building blocks are
available (including some new drafts dealing with security policy
specification language) to manage a very large VPN, but a lot of manual
assembly work is still required until somebody implements a system to
integrate it all.

Jack Aubert

At 03:08 PM 12/30/98 -0500, Ramon Hontanon wrote:
>I've read RFC2408 and RFC2409 searching for the answer to this
>(albeit basic) question, but haven't come up with an authoritative answer.
>
>What are the available options for peer authentication before an IPsec
>tunnel can be established? I suspect that they are:
>
>- Pre-shared keys (i.e. some string that both peers agree upon in advance)
>- X.509 certs from a Certificate Authority
>
>But how about:
>
>- Unverified public key exchange (like ssh)
>- Manual distribution of public keys (Cisco's IKE implementation)
>
>Thanks a lot, & happy new year to all!
>
>-- ramon
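The pre-shared-key option asked about above, worked through as an added example that is not part of this thread: the authentication formulas are those of RFC 2409 (IKEv1 Main Mode with pre-shared keys), with HMAC-SHA1 standing in for the negotiated prf. The Diffie-Hellman values, cookies, nonces and SA payload are constructed sample bytes rather than a captured exchange, and the per-pair key table is a hypothetical stand-in for whatever a central authority would distribute. The second half of the block models the "add post 201" case from the reply: in a full mesh of pre-shared keys, every existing post needs a new secret.

```python
"""
Added example (not from the original thread): a minimal model of IKEv1
Main Mode authentication with a pre-shared key, following RFC 2409 sec. 5.4:

    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

prf is HMAC keyed with the first argument; HMAC-SHA1 is used here.
"""
import hashlib
import hmac
import secrets

# Constructed sample exchange state (fixed values so results are reproducible).
# In a real exchange these come from the Diffie-Hellman, cookie, nonce and
# SA payloads of the first four Main Mode messages.
EXCHANGE = {
    "gxi": bytes.fromhex("a1" * 32),        # initiator DH public value
    "gxr": bytes.fromhex("b2" * 32),        # responder DH public value
    "cky_i": bytes.fromhex("0011223344556677"),
    "cky_r": bytes.fromhex("8899aabbccddeeff"),
    "ni_b": bytes.fromhex("c3" * 16),       # initiator nonce body
    "nr_b": bytes.fromhex("d4" * 16),       # responder nonce body
    "sai_b": b"constructed-SA-payload-body",
}


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for the pre-shared-key authentication method."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid: bytes, x: dict, idii_b: bytes) -> bytes:
    """HASH_I, the value the initiator sends to prove it holds the PSK."""
    return prf(skeyid, x["gxi"] + x["gxr"] + x["cky_i"] + x["cky_r"]
               + x["sai_b"] + idii_b)


def hash_r(skeyid: bytes, x: dict, idir_b: bytes) -> bytes:
    """HASH_R, the responder's proof; same construction with roles swapped."""
    return prf(skeyid, x["gxr"] + x["gxi"] + x["cky_r"] + x["cky_i"]
               + x["sai_b"] + idir_b)


def authenticate_pair(psk_table: dict, id_i: bytes, id_r: bytes,
                      claimed_psk: bytes) -> bool:
    """Responder-side check of HASH_I.

    The initiator builds HASH_I from the key it believes it shares with the
    responder (claimed_psk).  The responder recomputes HASH_I from the key in
    its own table for this identity pair and accepts only on an exact match.
    (Hypothetical table keyed by identity pair; see the note below.)
    """
    x = EXCHANGE
    # Initiator side: derive SKEYID and HASH_I from the key it holds.
    sent_hash_i = hash_i(skeyid_psk(claimed_psk, x["ni_b"], x["nr_b"]), x, id_i)
    # Responder side: look up the pair's key and recompute the expected value.
    psk = psk_table.get(frozenset((id_i, id_r)))
    if psk is None:
        return False  # no relationship provisioned for this pair
    expected = hash_i(skeyid_psk(psk, x["ni_b"], x["nr_b"]), x, id_i)
    return hmac.compare_digest(sent_hash_i, expected)


def provision_new_post(psk_table: dict, posts: list, new_post: bytes) -> list:
    """Add one post to a full-mesh PSK deployment.

    Generates a fresh pairwise secret for every existing post and returns the
    list of posts whose configuration must change: with N existing posts,
    that is all N of them, and the table grows by N entries.
    """
    touched = []
    for p in posts:
        psk_table[frozenset((p, new_post))] = secrets.token_bytes(16)
        touched.append(p)
    posts.append(new_post)
    return touched


def build_full_mesh(n: int):
    """Build an n-post full mesh by adding posts one at a time."""
    table, posts = {}, []
    for i in range(n):
        provision_new_post(table, posts, b"post-%03d" % i)
    return posts, table


if __name__ == "__main__":
    posts, table = build_full_mesh(200)
    print("pairwise secrets for 200 posts:", len(table))
    touched = provision_new_post(table, posts, b"post-200")
    print("posts reconfigured to add post 201:", len(touched))
    a, b = posts[0], posts[1]
    print("correct PSK accepted:", authenticate_pair(table, a, b, table[frozenset((a, b))]))
    print("wrong PSK rejected:", not authenticate_pair(table, a, b, b"wrong"))
```

One simplification worth knowing about: in Main Mode the initiator's ID payload is sent encrypted under keys derived from SKEYID, so a real responder cannot select the pre-shared key by identity and has to pick it by the peer's source address. With 200 posts behind unrelated ISP addresses, that is exactly the bookkeeping the reply above describes, and it is why certificate-based authentication (one trust anchor instead of n(n-1)/2 secrets) is usually preferred at that scale.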