Fwd: Re: Son of IKE: A proposal for moving forward
>Paul,
>
>We can no longer consider the cabling within our COs as secure given that
>we are mandated to allow non-Verizon personnel access to, and within,
>these facilities. Consequently we need end-to-end SAs between our network
>elements with the SAs originating/terminating directly on the net
>interfaces within the elements. A VPN approach typically is deployed to
>interconnect two trusted networks over an untrusted third network. Given
>that a very high percentage of attacks are initiated by insiders (as
>documented over the last few years in the CSI surveys) we cannot assume
>any network is inherently trustable. Does that clarify the situation?
>
>Stu
>
>At 6/13/02 09:13 AM, you wrote:
>>Stuart, how do the scenarios you describe *not* fit into the VPN
>>scenarios listed in the requirements document? I don't see anything in
>>your requirements that wouldn't be considered a pretty typical VPN.
>>
>>At 9:14 AM -0400 6/13/02, Stuart Jacobs wrote:
>>>Verizon is in the process of developing the security architecture for
>>>its next generation networks. Given the magnitude of these networks
>>>and FCC requirements for open access, we must have the ability to
>>>universally establish strongly authenticated identities of communicating
>>>network elements. This authentication must be able to span many trust
>>>domains, be continuous to avoid any chance of session hi-jacking and
>>>scale to millions of nodes. IPsec, coupled with PKI, is the only
>>>technology that can even begin to meet our needs.
>>>
>>>We are relying on this WG to include in its scope mechanisms that allow
>>>two network elements, regardless of their functions within a network, to
>>>be able to use IKE and ISAKMP, with PKI based X.509 certs, to establish
>>>one or more SAs that these two elements can then use to continuously
>>>authenticate, and optionally encrypt for confidentiality, UDP, TCP or
>>>SCTP transport layer communication sessions. This fundamental capability
>>>is critical for our use of IP technology for the transport of SS7
>>>traffic, VoIP application signalling, (G)MPLS control plane signalling
>>>and OAM&P traffic.
>>
>>--Paul Hoffman, Director
>>--VPN Consortium
>
>==========================
>Stuart Jacobs CISSP
>PMTS - Sr. Technologist
>Verizon Laboratories
>40 Sylvan Road Waltham, MA 02451-1128 USA
>telephone: (781) 466-3076 fax: (781) 466-2838
>stu.jacobs@labs.gte.com sjj0@labs.gte.com stu.jacobs@verizon.com
>==========================