Requirements for IPsec Remote Access Scenarios
RFC 3457
Document Type RFC - Informational (January 2003; No errata)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3457 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Steven Bellovin
IESG note Responsible: Author
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                           S. Kelly
Request for Comments: 3457                                     Airespace
Category: Informational                                   S. Ramamoorthi
                                                        Juniper Networks
                                                            January 2003

             Requirements for IPsec Remote Access Scenarios

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   IPsec offers much promise as a secure remote access mechanism.
   However, there are a number of differing remote access scenarios,
   each having some shared and some unique requirements.  A thorough
   understanding of these requirements is necessary in order to
   effectively evaluate the suitability of a specific set of mechanisms
   for any particular remote access scenario.  This document enumerates
   the requirements for a number of common remote access scenarios.

Table of Contents

   1. Introduction  . . . . . . . . . . . . . . . . . . . . . . .   2
      1.1 Requirements Terminology . . . . . . . . . . . . . . . .  3
      1.2 Reader Prerequisites . . . . . . . . . . . . . . . . . .  3
      1.3 General Terminology  . . . . . . . . . . . . . . . . . .  4
      1.4 Document Content and Organization  . . . . . . . . . . .  4
   2. Overview  . . . . . . . . . . . . . . . . . . . . . . . . .   5
      2.1 Endpoint Authentication . . . . . . . . . . . . . . . .   6
         2.1.1 Machine-Level Authentication . . . . . . . . . . .   7
         2.1.2 User-Level Authentication  . . . . . . . . . . . .   7
         2.1.3 Combined User/Machine Authentication . . . . . . .   8
         2.1.4 Remote Access Authentication . . . . . . . . . . .   8
         2.1.5 Compatibility With Legacy Remote Access Mechanisms   9
      2.2 Remote Host Configuration  . . . . . . . . . . . . . . . 10
      2.3 Security Policy Configuration  . . . . . . . . . . . . . 11
      2.4 Auditing . . . . . . . . . . . . . . . . . . . . . . . . 12
      2.5 Intermediary Traversal . . . . . . . . . . . . . . . . . 13

Kelly & Ramamoorthi          Informational                      [Page 1]
RFC 3457             IPsec Remote Access Scenarios          January 2003

   3. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . .  13
      3.1 Telecommuters (Dialup/DSL/Cablemodem)  . . . . . . . . . 14
         3.1.1 Endpoint Authentication Requirements . . . . . . .  15
         3.1.2 Device Configuration Requirements  . . . . . . . .  16
         3.1.3 Policy Configuration Requirements  . . . . . . . .  17
         3.1.4 Auditing Requirements  . . . . . . . . . . . . . .  18
         3.1.5 Intermediary Traversal Requirements  . . . . . . .  18
      3.2 Corporate to Remote Extranet . . . . . . . . . . . . . . 19
         3.2.1 Authentication Requirements  . . . . . . . . . . .  19
         3.2.2 Device Configuration Requirements  . . . . . . . .  20
         3.2.3 Policy Configuration Requirements  . . . . . . . .  21
         3.2.4 Auditing Requirements  . . . . . . . . . . . . . .  21
         3.2.5 Intermediary Traversal Requirements  . . . . . . .  21
      3.3 Extranet Laptop to Home Corporate Net . . . . . . . . .  22
         3.3.1 Authentication Requirements  . . . . . . . . . . .  22
         3.3.2 Device Configuration Requirements  . . . . . . . .  23
         3.3.3 Policy Configuration Requirements  . . . . . . . .  23
         3.3.4 Auditing Requirements  . . . . . . . . . . . . . .  24
         3.3.5 Intermediary Traversal Requirements  . . . . . . .  24
      3.4 Extranet Desktop to Home Corporate Net . . . . . . . . . 25
         3.4.1 Authentication Requirements  . . . . . . . . . . .  25
         3.4.2 Device Configuration Requirements  . . . . . . . .  26
         3.4.3 Policy Configuration Requirements  . . . . . . . .  26
         3.4.4 Auditing Requirements  . . . . . . . . . . . . . .  26
         3.4.5 Intermediary Traversal Requirements  . . . . . . .  26
      3.5 Public System to Target Network . . . . . . . . . . . .  27
         3.5.1 Authentication Requirements  . . . . . . . . . . .  27
         3.5.2 Device Configuration Requirements  . . . . . . . .  28
         3.5.3 Policy  Configuration Requirements . . . . . . . .  28
         3.5.4 Auditing Requirements  . . . . . . . . . . . . . .  29
         3.5.5 Intermediary Traversal Requirements  . . . . . . .  29
   4. Scenario Commonalities  . . . . . . . . . . . . . . . . . .  29
   5. Security Considerations . . . . . . . . . . . . . . . . . .  30
   6. References  . . . . . . . . . . . . . . . . . . . . . . . .  30
   7. Acknowledgements  . . . . . . . . . . . . . . . . . . . . .  30
   8. Editors' Addresses. . . . . . . . . . . . . . . . . . . . .  30
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools