Requirements for an IPsec Certificate Management Profile
RFC 4809

| Field | Value |
|---|---|
| Type | RFC - Informational (February 2007; No errata) |
| Authors | Christopher Bonatti, Sean Turner, Gregory Lebovitz |
| Last updated | 2015-10-14 |
| Stream | Internet Engineering Task Force (IETF) |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4809 (Informational) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Telechat date | |
| Responsible AD | Russ Housley |
| Send notices to | (None) |
Network Working Group                                    C. Bonatti, Ed.
Request for Comments: 4809                                S. Turner, Ed.
Category: Informational                                             IECA
                                                        G. Lebovitz, Ed.
                                                                 Juniper
                                                           February 2007

         Requirements for an IPsec Certificate Management Profile

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This informational document describes and identifies the
   requirements for transactions to handle Public Key Certificate (PKC)
   lifecycle transactions between Internet Protocol Security (IPsec)
   Virtual Private Network (VPN) Systems using Internet Key Exchange
   (IKE) (versions 1 and 2) and Public Key Infrastructure (PKI) Systems.
   These requirements are designed to meet the needs of enterprise-scale
   IPsec VPN deployments.  It is intended that a standards track profile
   of a management protocol will be created to address many of these
   requirements.

Bonatti, et al.               Informational                     [Page 1]

RFC 4809          Reqs for IPsec Certificate Mgmt Profile   February 2007

Table of Contents

   1. Introduction ....................................................4
      1.1. Scope ......................................................5
      1.2. Non-Goals ..................................................6
      1.3. Definitions ................................................6
      1.4. Requirements Terminology ...................................8
   2. Architecture ....................................................9
      2.1. VPN System .................................................9
           2.1.1. IPsec Peer(s) .......................................9
           2.1.2. VPN Administration Function (Admin) .................9
      2.2. PKI System ................................................10
      2.3. VPN-PKI Interaction .......................................11
   3. Requirements ...................................................13
      3.1. General Requirements ......................................13
           3.1.1. One Protocol .......................................13
           3.1.2. Secure Transactions ................................13
           3.1.3. Admin Availability .................................13
           3.1.4. PKI Availability ...................................14
           3.1.5. End-User Transparency ..............................14
           3.1.6. PKC Profile for PKI Interaction ....................14
                  3.1.6.1. Identity ..................................15
                  3.1.6.2. Key Usage .................................15
                  3.1.6.3. Extended Key Usage ........................15
                  3.1.6.4. Revocation Information Location ...........15
           3.1.7. Error Handling .....................................15
      3.2. Authorization .............................................15
           3.2.1. One Protocol .......................................15
           3.2.2. Bulk Authorization .................................16
           3.2.3. Authorization Scenario .............................16
           3.2.4. Authorization Request ..............................17
                  3.2.4.1. Specifying Fields within the PKC ..........17
                  3.2.4.2. Authorizations for Rekey, Renewal,
                           and Update ................................18
                  3.2.4.3. Other Authorization Elements ..............18
                  3.2.4.4. Cancel Capability .........................19
           3.2.5. Authorization Response .............................19
                  3.2.5.1. Error Handling for Authorization ..........20
      3.3. Generation ................................................20
           3.3.1. Generation Method 1: IPsec Peer Generates Key Pair,
                  Constructs PKC Request, and Signs PKC Request ......21
           3.3.2. Generation Method 2: IPsec Peer Generates Key Pair,
                  Admin Constructs PKC Request, Admin Signs PKC
                  Request ............................................22
           3.3.3. Generation Method 3: Admin Generates Key Pair,
                  Constructs PKC Request, and Signs PKC Request ......23
           3.3.4. Method 4: PKI Generates Key Pair ...................24
           3.3.5. Error Handling for Generation ......................25