PIC, A Pre-IKE Credential Provisioning Protocol
draft-ietf-ipsra-pic-07
| Document | Type | Expired Internet-Draft (ipsra WG) | |
|---|---|---|---|
| Authors | Dr. Bernard D. Aboba , Dr. Hugo Krawczyk , Yaron Sheffer | ||
| Last updated | 2015-10-14 (Latest revision 2004-08-24) | ||
| Stream | Internet Engineering Task Force (IETF) | ||
| Formats |
Expired & archived
bibtex
|
||
| Stream | WG state | WG Document | |
| Document shepherd | (None) | ||
| IESG | IESG state | Expired (IESG: Dead) | |
| Consensus boilerplate | Unknown | ||
| Telechat date | (None) | ||
| Responsible AD | Steven M. Bellovin | ||
| IESG note | Responsible: undefined | ||
| Send notices to | (None) |
https://www.ietf.org/archive/id/draft-ietf-ipsra-pic-07.txt
Abstract
This document presents a Pre-IKE Credential (PIC) provisioning protocol. PIC is a method to bootstrap IPsec authentication via an 'Authentication Server' (AS) and user authentication mechanisms such as RADIUS. PIC happens before IKE (the Internet Key Exchange protocol). The client machine communicates with the AS using a key exchange protocol where only the server is authenticated, and the derived keys are used to protect the user authentication. Once the user is authenticated, the client machine obtains credentials from the AS that can be later used to authenticate the client in a standard IKE exchange, with no user intervention. The proposed key exchange is based on ISAKMP (the Internet Security Association and Key Management Protocol), similar to a simplified IKE exchange. Arbitrary user authentication is supported via the use of EAP (the PPP Extensible Authentication Protocol).
Authors
Dr. Bernard D. Aboba
Dr. Hugo Krawczyk
Yaron Sheffer
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)