
Re: Basic IKE authentication question



Jack,
>aper for a graduate course in network security I just finished.
>
>The issue is, in essence: how can you manage a very large VPN using
>IPsec?  Suppose you want to set up a world-wide VPN with approximately 200
>entry points into a public cloud.  This is more than theoretical.  I work
>at the State Department, where it would be useful to use IPsec to set up
>encrypted tunnels between more than 200 posts throughout the world.  This
>works out to be a large number of bilateral relationships.  They can each
>be negotiated, but some central authority still has to keep track of who
>can talk to whom, even if the key distribution is handled by IKE.  If you
>have 200 posts and want to add (or modify) post 201, the existing 200 need
>to know that it's OK to talk to number 201, but they have to negotiate an
>encrypted tunnel and verify each other's certificates.

I think there is some confusion between authentication and authorization
here.  In your example, each of the sites has an SPD which determines with
whom it is willing to communicate.  The addition of the 201st site does not
necessarily affect all 200 other sites.  It is of interest only to those
who wish to communicate with it, and vice versa.  Use of a central
authority, e.g., a CA, to issue authentication credentials to all sites
provides a reliable basis for making the access control decision, but that
decision is enforced locally, at each site's IPsec implementation(s).  If
one wants to centralize the authorization function, that too may be done,
but the IPsec architecture makes no explicit provision for this.  One could
imagine centrally managing SPDs for each site and distributing them
securely, but that is beyond the scope of the current requirements.

>The existing protocols allow use of route summarization and wild cards,
>but if each tunnel point is a local ISP in a different country, this
>doesn't help much since you have 200 unrelated IP addresses to deal with.
>So the conclusion I drew was that most of the building blocks are
>available (including some new drafts dealing with security policy
>specification language) to manage a very large VPN, but a lot of manual
>assembly work is still required until somebody implements a system to
>integrate it all.

Route summarization?  Where do you see that in IPsec?  The use of wild
cards in the SPD is for access control purposes, not for route management.
Also, the fact that different ISPs in different countries provide services
does not seem directly relevant here.  In any use of IPsec in tunnel mode,
there is a requirement to determine the address of the security gateway(s)
that serve the client systems.  This problem is not addressed in an
automated fashion in the current architecture, because we wanted to issue
the specs and address these problems later, but it is identified as a topic
for further study.  It seems to grow linearly in complexity with the number
of security gateways, irrespective of whether they connect to the same ISP,
or different ones.

Steve
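The authentication/authorization split Steve describes above, as an added example that is not part of either list message: a toy per-site SPD in which each gateway keeps its own ordered, first-match policy (unmatched traffic discarded, as RFC 2401 specifies), a CA-issued credential proves who the peer is, and the SPD entry decides whether that peer may be talked to at all. Bringing up a 201st post touches only the SPDs of the posts that will actually exchange traffic with it. The addressing (10.i.0.0/16 behind gateway 198.51.100.i), the hub-and-spoke topology, the CA name and the cert stand-in are all constructed for the illustration; nothing here is a real IPsec implementation.

```python
"""Toy model of local SPD enforcement in IPsec (added example, constructed data)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass
class SpdEntry:
    """One ordered SPD entry: traffic selectors plus the action to take.
    Wildcard selectors (e.g. 0.0.0.0/0) are access-control matches, not routes."""
    local: IPNet
    remote: IPNet
    action: str                      # "protect", "bypass" or "discard"
    peer_id: Optional[str] = None    # IKE identity the far gateway must prove
    gateway: Optional[str] = None    # address of the far security gateway


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for the example)."""
    subject: str
    issuer: str


class Spd:
    """Security Policy Database of one site: first matching entry wins,
    and traffic matching no entry is discarded."""

    def __init__(self, trusted_ca: str):
        self.trusted_ca = trusted_ca
        self.entries: list[SpdEntry] = []

    def add(self, entry: SpdEntry) -> None:
        self.entries.append(entry)

    def lookup(self, src: str, dst: str) -> SpdEntry:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.entries:
            if s in e.local and d in e.remote:
                return e
        return SpdEntry(IPNet("0.0.0.0/0"), IPNet("0.0.0.0/0"), "discard")

    def authenticate(self, cert: Cert) -> bool:
        """Authentication: was the credential issued by the CA this site trusts?"""
        return cert.issuer == self.trusted_ca

    def authorize(self, entry: SpdEntry, cert: Cert) -> bool:
        """Authorization: does *this* SPD entry permit *this* authenticated peer?
        A valid certificate alone grants nothing; the local policy decides."""
        return (entry.action == "protect"
                and self.authenticate(cert)
                and cert.subject == entry.peer_id)


def protect_entry(local_post: int, remote_post: int) -> SpdEntry:
    """Constructed addressing: post i protects 10.i.0.0/16 behind 198.51.100.i."""
    return SpdEntry(IPNet(f"10.{local_post}.0.0/16"), IPNet(f"10.{remote_post}.0.0/16"),
                    "protect", peer_id=f"post{remote_post}",
                    gateway=f"198.51.100.{remote_post}")


def build_sites(n: int, ca: str) -> dict[int, Spd]:
    """Hub-and-spoke topology: post 1 talks to everyone, every other post
    only to post 1 (illustrative, not a real network)."""
    sites = {i: Spd(ca) for i in range(1, n + 1)}
    for i in sites:
        peers = range(1, n + 1) if i == 1 else [1]
        for j in peers:
            if j != i:
                sites[i].add(protect_entry(i, j))
    return sites


def add_post(sites: dict[int, Spd], new: int, talks_to: list[int], ca: str) -> list[int]:
    """Bring up a new post.  Only the new site and the peers it will exchange
    traffic with need SPD changes; returns the sites whose SPD was touched."""
    sites[new] = Spd(ca)
    touched = [new]
    for j in talks_to:
        sites[new].add(protect_entry(new, j))
        sites[j].add(protect_entry(j, new))
        touched.append(j)
    return touched


if __name__ == "__main__":
    CA = "cn=example-root-ca"                     # constructed CA name
    sites = build_sites(200, CA)
    print("SPDs touched by adding post 201:", add_post(sites, 201, [1, 7], CA))
    cert201 = Cert("post201", CA)
    e7 = sites[7].lookup("10.7.1.1", "10.201.1.1")
    print("post 7 -> post 201:", e7.action, "via", e7.gateway, "authorized:",
          sites[7].authorize(e7, cert201))
    e50 = sites[50].lookup("10.50.1.1", "10.201.1.1")
    print("post 50 -> post 201:", e50.action, "authorized:", sites[50].authorize(e50, cert201))
    print("post 7 with cert from untrusted CA:",
          sites[7].authorize(e7, Cert("post201", "cn=rogue-ca")))
```

Two things the run makes concrete: post 50, which never needed an SPD change, simply discards traffic for post 201 even when post 201 presents a perfectly valid CA-issued certificate (authenticated but not authorized), and post 7, whose policy does name post 201, still rejects a certificate from an untrusted issuer (authorized by policy but not authenticated). The gateway address in each entry is the piece Steve notes the architecture leaves to manual configuration, one per peer relationship.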

