PIC, A Pre-IKE Credential Provisioning Protocol
draft-ietf-ipsra-pic-07
| Document | Type | Expired Internet-Draft (ipsra WG), Expired & archived |
|---|---|---|
| | Authors | Dr. Bernard D. Aboba, Dr. Hugo Krawczyk, Yaron Sheffer |
| | Last updated | 2015-10-14 (Latest revision 2004-08-24) |
| | RFC stream | Internet Engineering Task Force (IETF) |
| | Intended RFC status | Proposed Standard |
| | Additional resources | Mailing list discussion |
| Stream | WG state | WG Document |
| | Document shepherd | (None) |
| IESG | IESG state | Expired (IESG: Dead) |
| | Action Holders | (None) |
| | Consensus boilerplate | Unknown |
| | Telechat date | (None) |
| | Responsible AD | Steven M. Bellovin |
| | IESG note | |
| | Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
This document presents a Pre-IKE Credential (PIC) provisioning protocol. PIC is a method to bootstrap IPsec authentication via an 'Authentication Server' (AS) and user authentication mechanisms such as RADIUS. PIC happens before IKE (the Internet Key Exchange protocol). The client machine communicates with the AS using a key exchange protocol where only the server is authenticated, and the derived keys are used to protect the user authentication. Once the user is authenticated, the client machine obtains credentials from the AS that can be later used to authenticate the client in a standard IKE exchange, with no user intervention. The proposed key exchange is based on ISAKMP (the Internet Security Association and Key Management Protocol), similar to a simplified IKE exchange. Arbitrary user authentication is supported via the use of EAP (the PPP Extensible Authentication Protocol).
Authors
Dr. Bernard D. Aboba
Dr. Hugo Krawczyk
Yaron Sheffer
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)