
Re: Basic IKE authentication question




>From owner-ipsec@portal.ex.tis.com Wed Dec 30 22:53:33 1998
>Date: Wed, 30 Dec 1998 20:43:27 -0500
>From: Jack Aubert <jaubert@cpcug.org>
>Subject: Re: Basic IKE authentication question
>X-Sender: jaubert@cpcug.org (Unverified)
>To: Ramon Hontanon <hontanon@uu.net>, ipsec@tis.com
>MIME-version: 1.0
>
>I had what amounts to the same question, and turned it into a very modest
>paper for a graduate course in network security I just finished.  
>
>The issue is, in essence: how can you manage a very large VPN using IP
>sec?  Suppose you want to set up a world-wide VPN with approximately 200
>entry points into a public cloud.  This is more than theoretical.  I work
>at the State Department, where it would be useful to use IP sec to set up
>encrypted tunnels between more than 200 posts throughout the world.  This
>works out to be a large number of bilateral relationships.  They can each
>be negotiated, but some central authority still has to keep track of who
>can talk to whom, even if the key distribution is handled by IKE.  If you
>have 200 posts and want to add (or modify) post 201, the existing 200 need
>to know that it's OK to talk to number 201, but they have to negotiate an
>encrypted tunnel and verify each other's certificates.
>
>The existing protocols allow use of route summarization and wild cards,
>but if each tunnel point is a local ISP in a different country, this
>doesn't help much since you have 200 unrelated IP addresses to deal with.
>So the conclusion I drew was that most of the building blocks are
>available (including some new drafts dealing with security policy
>specification language) to manage a very large VPN, but a lot of manual
>assembly work is still required until somebody implements a system to
>integrate it all.
>
>Jack Aubert

Your last statement has answered your question.  IPsec is the car engine,
and someone still has to put together the rest of the car and pave the
road.  However, it'll be absurd to ask this group to put together the rest.

John


>At 03:08 PM 12/30/98 -0500, Ramon Hontanon wrote:
>>I've read RFC2408 and RFC2409 searching for the answer to this
>>(albeit basic) question, but haven't come up with an authoritative answer.
>>
>>What are the available options for peer authentication before an IPsec
>>tunnel can be established? I suspect that they are:
>>
>>- Pre-shared keys (i.e. some string that both peers agree upon in advance)
>>- X.509 certs from a Certificate Authority
>>
>>But how about:
>>
>>- Unverified public key exchange (like ssh)
>>- Manual distribution of public keys (Cisco's IKE implementation)
>>
>>Thanks a lot, & happy new year to all!
>>
>>-- ramon
>>
>>
>>
>
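The pre-shared-key option Ramon lists is the simplest of the IKE Phase 1 authentication methods, and the following added example (not code from anyone in this thread) shows what actually gets authenticated in that mode. It follows the RFC 2409 formulas: SKEYID = prf(pre-shared-key, Ni_b | Nr_b), HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b) and HASH_R with the roles swapped and IDir_b in place of IDii_b. HMAC-SHA1 is assumed as the negotiated prf, and all exchange fields (nonces, cookies, Diffie-Hellman values, payload bodies, post names) are constructed fixed sample values rather than anything from a real exchange.

```python
import hashlib
import hmac

# Constructed sample values standing in for the Phase 1 exchange fields.
# A real IKE exchange uses fresh random nonces, cookies and DH values.
SAMPLE = {
    "ni_b": b"\x11" * 16,                 # initiator nonce
    "nr_b": b"\x22" * 16,                 # responder nonce
    "gxi": b"\x33" * 32,                  # initiator DH public value (placeholder)
    "gxr": b"\x44" * 32,                  # responder DH public value (placeholder)
    "cky_i": b"\x55" * 8,                 # initiator cookie
    "cky_r": b"\x66" * 8,                 # responder cookie
    "sai_b": b"\x00\x00\x00\x01" + b"\x01" * 12,          # SA payload body (placeholder)
    "idii_b": b"\x02\x00\x00\x00" + b"post-001.example",  # ID payload body, initiator
    "idir_b": b"\x02\x00\x00\x00" + b"post-201.example",  # ID payload body, responder
}


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: the negotiated HMAC. HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared key authentication (RFC 2409 section 5.4)."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid: bytes, f: dict) -> bytes:
    """HASH_I: binds the DH values, cookies, SA offer and the initiator's ID."""
    return prf(skeyid, f["gxi"] + f["gxr"] + f["cky_i"] + f["cky_r"]
               + f["sai_b"] + f["idii_b"])


def hash_r(skeyid: bytes, f: dict) -> bytes:
    """HASH_R: same fields with the roles swapped and the responder's ID."""
    return prf(skeyid, f["gxr"] + f["gxi"] + f["cky_r"] + f["cky_i"]
               + f["sai_b"] + f["idir_b"])


def phase1_psk_auth(initiator_psk: bytes, responder_psk: bytes, f: dict = SAMPLE):
    """Run both sides of PSK authentication.

    Each peer derives SKEYID from the key it holds for the other side, sends
    its hash, and checks the hash it receives against its own derivation.
    Returns (responder_accepts_initiator, initiator_accepts_responder).
    """
    sk_i = skeyid_psk(initiator_psk, f["ni_b"], f["nr_b"])
    sk_r = skeyid_psk(responder_psk, f["ni_b"], f["nr_b"])
    sent_hash_i = hash_i(sk_i, f)   # initiator -> responder
    sent_hash_r = hash_r(sk_r, f)   # responder -> initiator
    responder_ok = hmac.compare_digest(sent_hash_i, hash_i(sk_r, f))
    initiator_ok = hmac.compare_digest(sent_hash_r, hash_r(sk_i, f))
    return responder_ok, initiator_ok


def responder_checks_claimed_id(psk: bytes, claimed_idii_b: bytes, f: dict = SAMPLE) -> bool:
    """The identity is part of HASH_I, so a peer holding the right key cannot
    pass itself off under a different ID than the one the responder expects."""
    sk = skeyid_psk(psk, f["ni_b"], f["nr_b"])
    received = hash_i(sk, dict(f, idii_b=claimed_idii_b))  # what the peer sent
    expected = hash_i(sk, f)                                # what the responder expects
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    print(phase1_psk_auth(b"shared-secret", b"shared-secret"))   # (True, True)
    print(phase1_psk_auth(b"shared-secret", b"other-secret"))    # (False, False)
    print(responder_checks_claimed_id(b"shared-secret", SAMPLE["idii_b"]))            # True
    print(responder_checks_claimed_id(b"shared-secret", b"\x02\x00\x00\x00post-999"))  # False
```

Two points the code makes concrete. First, a pre-shared key authenticates nothing by itself: it keys the prf, and what is authenticated is the whole Phase 1 transcript plus the ID payload, so a peer holding the right secret but presenting another identity still fails. Second, the responder has to pick the PSK before it can verify HASH_I, which in Main Mode means selecting it by the peer's IP address; with 200 posts on unrelated addresses that is exactly the bookkeeping Jack describes, and it is one reason the certificate option scales differently from a table of pairwise secrets.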