
Fwd: Re: Son of IKE: A proposal for moving forward
>Paul,
>
>We can no longer consider the cabling within our COs as secure given that 
>we are mandated to allow non-Verizon personnel access to, and within, 
>these facilities.  Consequently we need end-to-end SAs between our network 
>elements with the SAs originating/terminating directly on the net 
>interfaces within the elements.  A VPN approach typically is deployed to 
>interconnect two trusted networks over an untrusted third network.  Given 
>that a very high percentage of attacks are initiated by insiders (as 
>documented over the last few years in the CSI surveys)  we cannot assume 
>any network is inherently trustable.  Does that clarify the situation?
>
>Stu
>
>At 6/13/02 09:13 AM, you wrote:
>>Stuart, how do the scenarios you describe *not* fit into the VPN 
>>scenarios listed in the requirements document? I don't see anything in 
>>your requirements that wouldn't be considered a pretty typical VPN.
>>
>>At 9:14 AM -0400 6/13/02, Stuart Jacobs wrote:
>>>Verizon is in the process of developing the security architecture for 
>>>its next generation networks.  Given the magnitude of these networks 
>>>and FCC requirements for open access, we must have the ability to 
>>>universally establish strongly authenticated identities of communicating 
>>>network elements.  This authentication must be able to span many trust 
>>>domains, be continuous to avoid any chance of session hi-jacking and 
>>>scale to millions of nodes.  IPsec, coupled with PKI, is the only 
>>>technology that can even begin to meet our needs.
>>>
>>>We are relying on this WG to include in its scope mechanisms that allow 
>>>two network elements, regardless of their functions within a network, to 
>>>be able to use IKE and ISAKMP, with PKI based X.509 certs, to establish 
>>>one or more SAs that these two elements can then use to continuously 
>>>authenticate, and optionally encrypt for confidentiality, UDP, TCP or 
>>>SCTP transport layer communication sessions.  This fundamental capability 
>>>is critical for our use of IP technology for the transport of SS7 
>>>traffic, VoIP application signalling, (G)MPLS control plane signalling 
>>>and OAM&P traffic.
>>
>>--Paul Hoffman, Director
>>--VPN Consortium
>
>==========================
>Stuart Jacobs CISSP
>PMTS - Sr. Technologist
>Verizon Laboratories
>40 Sylvan Road Waltham, MA 02451-1128     USA
>telephone: (781) 466-3076   fax: (781) 466-2838
>stu.jacobs@labs.gte.com sjj0@labs.gte.com  stu.jacobs@verizon.com
>==========================