[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00                                                            
IPSP Working Group             M. Richardson, Sandelman Software Works
Internet Draft                        A. Keromytis, U. of Pennsylvania
draft-richardson-ipsp-requirements-00.txt               L. Sanchez, BBN/GTEI
Expires April, 2000

            IPsec Policy Discovery Protocol requirements

Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time.  It is inappropriate to use Internet- Drafts
as reference material or to cite them other than as "work in

    The list of current Internet-Drafts can be accessed at

     The list of Internet-Draft Shadow Directories can be accessed at

To view the entire list of current Internet-Drafts, please check
the "1id-abstracts.txt" listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
(Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
(Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US
West Coast).


This document describes the problem and solution requirements for
an IPsec Policy Discovery protocol.

1.0 Introduction

1.1 Definition of terminology

Network security technologies are quickly being deployed over the
Internet these days; in particular, two categories enjoy widespread

a) security enforcement agents
   Security gateways (commonly known as firewalls) are being installed
   along the perimeter of private internets to enforce access control
   and protect confidentiality of network traffic; these upper-layer
   gateways along with traditional link encryptors make up a scattered
   and uncoordinated set of security enforcement agents attempting to
   protect the Internet traffic.

b) secure communication protocols
   Cryptographic algorithms are being incorporated into secure
   communication protocols such as IPSec, SSL and SOCKS in order to
   support strong data integrity, authentication, and confidentiality

On one hand, these technologies provide the much needed security
protection over the open Internet; on the other hand, they create a
complex management task that beg for scalable solutions.

The deployment of security gateways divides the Internet into
heterogeneous regions upholding different security policies, and the use
of different cryptographic mechanisms at multiple protocol layers
creates the need for negotiating the security mechanism and the key
parameters. As a result, in order to support a secure communication-
between two or more end-points, all the end-points and the security
enforcement agents on the communication's route must work together to
determine the suite of security services that can satisfy the security
policies, and negotiate a common set of security mechanisms to implement
these security services. While the negotiation of security mechanisms
and key parameters may be supported by key management protocols such as
ISAKMP [RFC-2408], a general and efficient process for managing the
security policies and deducing the security services for this
multi-party multi-layer security enforcement strategy is still

A IPsec Policy Discovery Protocol (IPDP) must provide the
essential infrastructure and the protocols necessary for conducting
this process. An IPDP must provide
IPSec with the scalability and management needed to become fully
deployable in operational environments.

1.2 Problem Description

The security management problem can be restated in the form of the
following four questions:

a) How does one manage the process of creating and modifying security
policies so as to maintain their mutual consistency?

b) How does one deduce the security requirements of an inter-domain
communication based on the security policies of network domains?

c) How to select the choices of security services and enforcement
agents in order to satisfy the security requirements?

d) How to orchestrate the negotiation of security mechanisms and
cryptographic parameters in order to provide seamless support of
security services?

The security management and scalability problems found in IPSec are
captured in the following example:

In order to pass IP datagrams through several layers of IPSec-based
firewalls, both the source and the destination of the datagrams must
establish security associations with all or some of these firewalls
encountered en-route.

However, neither the source nor the destination may know of the
existence of all intermediate firewalls a priori, due to either their
lack of knowledge about the network topology or the dynamics of the
routing algorithms.

Consequently, negotiations must be conducted in sequence, on a
trial-and-error basis. For instance, the source may become aware of the
presence of a firewall if it receives ICMP messages from the firewall as
it discards the packets for which it doesn't have a security

The source must then negotiate a security association with the firewall,
use session keys to authenticate and/or encrypt the packets and
retransmit them to the firewall.

This process could be repeated until no more ICMP messages are received
from any firewall and the source is certain that the packets have
successfully arrived at their destination.

This clumsy process can be further complicated by the fact that many
firewalls may drop the packets without sending back any ICMP
messages. Also, long-term security associations may have been arranged
between some of the firewalls if technologies such as virtual private
networks (VPNs) are used in part of the Internet. As a result, the tasks
of finding existing security associations while negotiating for
necessary new ones can be difficult, time consuming, and probably
impossible to complete.

1.3 Basic Terminology

Security Gateway
        A security gateway refers to an intermediate system that
        implements IPSec protocols. For example, a router or a
        firewall implementing IPSec is a security gateway.

Security Domain
        A set of communicating entities and resources that share a
        common security policy enforced at a security gateway or
        host. The definition of security domain applies to networks
        protected by security gateways as well as to single
        hosts since a host could be the enforcer of its own
        policies. Security domains could exist inside other security

Security Association
        A simplex "connection" that affords security services to the
        traffic carried by it.  Two types of securiy associations
        (SAs) are defined: transport mode and mode.  A transport
        mode SA is a security association between two hosts.  A
        tunnel mode SA is essentially an SA applied to an IP tunnel.
        Whenever either end of a security association is a security
        gateway, the SA MUST be tunnel mode.

Security Association Bundle
        A group of security associations that are used for
        communications that share a common endpoint.  For example,
        all the SAs that a particular host needs to use to
        communicate with another host, including any SAs that host
        itself needs with intermediate gateways.

2.0 IPDP feature requirements

A IPsec Policy Discovery Protocol must be a distributed system
which provides hosts and security gateways with the policy information
required to establish a secure communication end-to-end. The goal of
a policy discovery protocol is to provide the following services to
hosts and security gateways:

1. Discovery of security gateways
2. Management of dynamic security associations.
3. Resolution of security requirements for inter-domain communication
4. Consistency checking of local security policies.

As part of this, a Policy Discovery Protocol should provide a language
that allows one to specify security policies in terms of primitives such
as user identity or role, source and destination machine address and
port number, encryption and authentication algorithms.

A host should be able to discover any remote security gateways relevant
in an end-to-end communication.  The host must be able to validate the
identities of (local and remote) security policy agents and security
gateways. It must be able to verify that the gateways in question are
entitled to represent a destination host.

A related service required by the IPsec Policy Discovery Protocol is a
mechanism to express security policies and to populate a security server
with the policies for a given security domain. The mechanism should
follow an object-oriented approach, where one can declare various
configuration objects within a security domain as part of an overall
hierarchy supporting inheritance.

Attributes of the objects should be mandatory or optional. A mandatory
attribute has to be defined for all objects of the class; optional
attributes can be skipped. Attributes can also be single or multiple

2.1 IPDP architecture requirements

The architectural requirements of the IPsec Policy Discovery Protocol
are as follows:

2.1.1 Discover Gateways

        IPDP must be able to determine a set of necessary security
        gateways through which a message must travel to complete a
        communication on a single path between two hosts.

2.1.2 Verify Identities

        IPDP must allow hosts to verify the identities of gateways
        and other hosts with which they are communicating.  It must
        also be able to verify that a gateway that claims to represent
        a particular host actually does have the authority to represent
        that host.

2.1.3 Manage Bundles of Security Associations

        IPDP must be able to effectively manage bundles of security
        associations.  It must be able to create bundles from policy
        information, determine if existing security associations or
        bundles may be used when creating new bundles, create new
        security associations as needed for new bundles, and keep
        security associations in existing bundles up-to-date.

2.1.4 Require no changes to security protocols

        IPDP must not require changes, additions or modifications to the
        algorithms or protocols of the security protocols that use it.

2.1.5 Key Management Protocol Independence

        IPDP must be independent of any particular key management

2.1.6 No Exterior Infrastructure Dependency

        IPDP must not depend upon an exterior infrastructure, although
        implementations may use an exterior infrastructure. For example,
        public keys may be distributed using the existing DNS
        infrastructure.  IPDP must not prohibit other means for
        distributing keys.  Particular implementations may, however,
        rely on the DNS for key distribution, though they may not be as
        robust as implementations that provide several key distribution

        It is necessary, however, that the routing infrastructure be in
        place so IPDP servers may be contacted.  This is not a difficult
        requirement, since that infrastructure must be in place to send
        the communications that require the use of IPDP.


[RFC-2401] S. Kent, R. Atkinson, RFC2401: "Security Architecture for the
           Internet Protocol", November 1998.

[RFC-2408] D. Maughan, M. Shertler, M. Schneider, J. Turner, RFC2408:
           "Internet Security Association and Key Management Protocol
           (ISAKMP)", November 1998.

Author's Address

   Michael C. Richardson                      Luis A. Sanchez
   Sandelman Software Works Corp.             BBN Technologies
   152 Rochester Street                       GTE Internetworking
   Ottawa, ON K1R 7M4                         10 Moulton Street
   Canada                                     Cambridge, MA  02140
   Telephone:   +1 613 276-6809               Telephone: +1 (617) 873-3351
   EMail:       mcr@sandelman.ottawa.on.ca    Email: lsanchez@bbn.com

   Angelos D. Keromytis
   Distributed Systems Lab
   CIS Department, University of Pennsylvania
   200 S. 33rd Street
   Philadelphia, Pennsylvania  19104-6389

   EMail: angelos@dsl.cis.upenn.edu

Expiration and File Name

   This draft expires April 1, 2000

   Its file name is draft-ietf-ipsp-requirements-00.txt