Skip to main content

PIC, A Pre-IKE Credential Provisioning Protocol
draft-ietf-ipsra-pic-07

Document Type Expired Internet-Draft (ipsra WG)
Expired & archived
Authors Dr. Bernard D. Aboba , Dr. Hugo Krawczyk , Yaron Sheffer
Last updated 2015-10-14 (Latest revision 2004-08-24)
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Proposed Standard
Formats
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Expired (IESG: Dead)
Action Holders
(None)
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD Steven M. Bellovin
IESG note
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:

Abstract

This document presents a Pre-IKE Credential (PIC) provisioning protocol. PIC is a method to bootstrap IPsec authentication via an 'Authentication Server' (AS) and user authentication mechanisms such as RADIUS. PIC happens before IKE (the Internet Key Exchange protocol). The client machine communicates with the AS using a key exchange protocol where only the server is authenticated, and the derived keys are used to protect the user authentication. Once the user is authenticated, the client machine obtains credentials from the AS that can be later used to authenticate the client in a standard IKE exchange, with no user intervention. The proposed key exchange is based on ISAKMP (the Internet Security Association and Key Management Protocol), similar to a simplified IKE exchange. Arbitrary user authentication is supported via the use of EAP (the PPP Extensible Authentication Protocol).

Authors

Dr. Bernard D. Aboba
Dr. Hugo Krawczyk
Yaron Sheffer

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)