
IPSec Working Group for VPNs



I have been working on a project that requires a very scalable B-2-B
solution and VPNs will play a very large part. I think that the
requirements you specified in your Nov.16, 2000 Roadmap and supporting IKE
Monitoring MIB Memo of 7Feb2001 include this, but I'm not sure. So, let me
explain my problem and (hopefully) get some feedback.
PROBLEM STATEMENT: Strong separation of authentication of a single client
credential between multiple organization to isolate the roles that the
authenticated user may fulfill.
SOLUTION STATEMENT: Clients shall retain a personal Client Certificate. This
certificate shall not be owned by an employer, but rather be the personal
property of the individual. The company will retain its own identity, and
not be compromised by the entire employee base. The company identity shall
be retained in gateway boxes that will typically support IPSec VPN
connections to another company. Therefore, any application can use the
tuple of (user-identity, company identity) to map roles that can be
fulfilled by the particular request.
The actual deployment of this would normally involve an SSL (or SOAP)
transport, where the initial authentication would result in a credential
being established for the user. This credential might be kept in a cookie
or encoded URL for subsequent web requests. To this point, IPSec is
not really involved.

RFC adjustment:

The IPSec VPN negotiation will enable the ability of an application to
associate an Endpoint with an ikeEndpointTable entry. Using the SNMP
Framework, extract information that would result in one of the following 3
responses (to an input of a physical IP address):
   1. This address maps to a Phase 1 certificate, with an associated netmask
      xx.xx.xx.xx
   2. This address maps to an identity that was authenticated in another
      method than IPSec, with an associated netmask xx.xx.xx.xx
   3. This address does not map to a VPN, and flows through the gateway
      yy.yy.yy.yy

This combination allows an application gateway (I'm after Policy Director,
but Siteminder might fit) to establish roles for client certificates based
on where they originate from. In the case of B2B, I could use the same
personal Client Certificate from two businesses (probably through a NAT and
then a VPN to get to another company) and be strongly isolated in the roles I
could fulfill based on the negotiated VPN (and so ID).

Your comments greatly appreciated. Paul

Paul Wanish Poughkeepsie (845)435-5990 [fax (845)432-9507]
cellphone(914)659-6117
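The lookup and role mapping sketched in the message, worked through as an added Python example; this is not code from Paul's message, from the IKE Monitoring MIB draft, or from any of the products he names. The endpoint table, its columns, the identity strings, the gateway address and the role table are all constructed for illustration and do not reflect the real ikeEndpointTable layout. The example goes slightly beyond the three-way answer in the text by using longest-prefix matching so that a more specific tunnel overrides a broader one, and by deriving roles from the (user identity, company identity) tuple only when the company identity was asserted by an IPSec Phase 1 certificate.

```python
"""Toy model of: physical IP -> VPN endpoint classification -> (user, company)
role mapping. Constructed data throughout; not the real IKE Monitoring MIB."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Set


@dataclass(frozen=True)
class EndpointEntry:
    network: ipaddress.IPv4Network  # address range reachable behind this endpoint
    auth: str                       # "phase1-cert" or "other" (assumed column names)
    company_id: str                 # identity the gateway asserts for this range


# Constructed stand-in for what an SNMP walk of the endpoint table would yield.
ENDPOINT_TABLE = [
    EndpointEntry(ipaddress.ip_network("10.1.0.0/16"), "phase1-cert", "CN=Gateway,O=ACME"),
    EndpointEntry(ipaddress.ip_network("10.1.5.0/24"), "phase1-cert", "CN=Gateway,O=ACME-Labs"),
    EndpointEntry(ipaddress.ip_network("192.168.7.0/24"), "other", "partner-radius"),
]

# Placeholder for the yy.yy.yy.yy gateway in the message (documentation range).
DEFAULT_GATEWAY = "203.0.113.1"


def classify_address(addr: str) -> Tuple[str, str, Optional[str]]:
    """Return (kind, netmask_or_gateway, company_id) for a physical IP address.

    kind is one of the three responses in the message:
      "phase1-cert" - address sits behind a Phase 1 certificate-authenticated VPN
      "other"       - address sits behind an identity authenticated some other way
      "no-vpn"      - address is not on a VPN; it flows through the default gateway
    Longest prefix wins, so a /24 tunnel overrides an enclosing /16.
    """
    ip = ipaddress.ip_address(addr)
    best: Optional[EndpointEntry] = None
    for entry in ENDPOINT_TABLE:
        if ip in entry.network and (best is None or entry.network.prefixlen > best.network.prefixlen):
            best = entry
    if best is None:
        return ("no-vpn", DEFAULT_GATEWAY, None)
    return (best.auth, str(best.network.netmask), best.company_id)


# Constructed role table keyed on the (user identity, company identity) tuple.
ROLE_TABLE = {
    ("CN=paul,O=Personal", "CN=Gateway,O=ACME"): {"order-entry"},
    ("CN=paul,O=Personal", "CN=Gateway,O=ACME-Labs"): {"order-entry", "lab-admin"},
}


def roles_for(user_id: str, addr: str) -> Set[str]:
    """Roles the same personal certificate may fill, isolated by the VPN it arrived over.

    Assumption made here: company roles are granted only when the company identity
    was asserted by an IPSec Phase 1 certificate; other or no VPN yields no roles.
    """
    kind, _, company_id = classify_address(addr)
    if kind != "phase1-cert":
        return set()
    return set(ROLE_TABLE.get((user_id, company_id), set()))


if __name__ == "__main__":
    for probe in ("10.1.5.9", "10.1.200.3", "192.168.7.20", "8.8.8.8"):
        print(probe, classify_address(probe), roles_for("CN=paul,O=Personal", probe))
```

The same personal certificate arriving via the ACME-Labs tunnel gets the lab-admin role, arriving via the broader ACME tunnel gets only order-entry, and arriving with no VPN gets nothing, which is the isolation the message is after.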