Requirements for an IPsec Certificate Management Profile
RFC 4809

Document Type RFC - Informational (February 2007; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4809 (Informational)
Telechat date
Responsible AD Russ Housley
Send notices to pki4ipsec-chairs@ietf.org, turners@ieca.com
Network Working Group                                    C. Bonatti, Ed.
Request for Comments: 4809                                S. Turner, Ed.
Category: Informational                                             IECA
                                                        G. Lebovitz, Ed.
                                                                 Juniper
                                                           February 2007

       Requirements for an IPsec Certificate Management Profile

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This informational document describes and identifies the requirements
   for transactions to handle Public Key Certificate (PKC) lifecycle
   transactions between Internet Protocol Security (IPsec) Virtual
   Private Network (VPN) Systems using Internet Key Exchange (IKE)
   (versions 1 and 2) and Public Key Infrastructure (PKI) Systems.
   These requirements are designed to meet the needs of enterprise-scale
   IPsec VPN deployments.  It is intended that a standards track profile
   of a management protocol will be created to address many of these
   requirements.

Bonatti, et al.             Informational                       [Page 1]
RFC 4809        Reqs for IPsec Certificate Mgmt Profile    February 2007

Table of Contents

   1. Introduction ....................................................4
      1.1. Scope ......................................................5
      1.2. Non-Goals ..................................................6
      1.3. Definitions ................................................6
      1.4. Requirements Terminology ...................................8
   2. Architecture ....................................................9
      2.1. VPN System .................................................9
           2.1.1. IPsec Peer(s) .......................................9
           2.1.2. VPN Administration Function (Admin) .................9
      2.2. PKI System ................................................10
      2.3. VPN-PKI Interaction .......................................11
   3. Requirements ...................................................13
      3.1. General Requirements ......................................13
           3.1.1. One Protocol .......................................13
           3.1.2. Secure Transactions ................................13
           3.1.3. Admin Availability .................................13
           3.1.4. PKI Availability ...................................14
           3.1.5. End-User Transparency ..............................14
           3.1.6. PKC Profile for PKI Interaction ....................14
                  3.1.6.1. Identity ..................................15
                  3.1.6.2. Key Usage .................................15
                  3.1.6.3. Extended Key Usage ........................15
                  3.1.6.4. Revocation Information Location ...........15
           3.1.7. Error Handling .....................................15
      3.2. Authorization .............................................15
           3.2.1. One Protocol .......................................15
           3.2.2. Bulk Authorization .................................16
           3.2.3. Authorization Scenario .............................16
           3.2.4. Authorization Request ..............................17
                  3.2.4.1. Specifying Fields within the PKC ..........17
                  3.2.4.2. Authorizations for Rekey, Renewal,
                           and Update ................................18
                  3.2.4.3. Other Authorization Elements ..............18
                  3.2.4.4. Cancel Capability .........................19
           3.2.5. Authorization Response .............................19
                  3.2.5.1. Error Handling for Authorization ..........20
      3.3. Generation ................................................20
           3.3.1. Generation Method 1: IPsec Peer Generates Key Pair,
                  Constructs PKC Request, and Signs PKC Request ......21
           3.3.2. Generation Method 2: IPsec Peer Generates Key Pair,
                  Admin Constructs PKS Request, Admin Signs PKC
                  Request ............................................22
           3.3.3. Generation Method 3: Admin Generates Key Pair,
                  Constructs PKC Request, and Signs PKC Request ......23
           3.3.4. Method 4: PKI Generates Key Pair ...................24
           3.3.5. Error Handling for Generation ......................25

Bonatti, et al.             Informational                       [Page 2]
Show full document text