Requirements for an IPsec Certificate Management Profile
RFC 4809
Document Type RFC - Informational (February 2007; No errata)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4809 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Russ Housley
Send notices to (None)
Email authors IPR References Referenced by Nits 
Network Working Group                                    C. Bonatti, Ed.
Request for Comments: 4809                                S. Turner, Ed.
Category: Informational                                             IECA
                                                        G. Lebovitz, Ed.
                                                                 Juniper
                                                           February 2007

       Requirements for an IPsec Certificate Management Profile

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This informational document describes and identifies the requirements
   for transactions to handle Public Key Certificate (PKC) lifecycle
   transactions between Internet Protocol Security (IPsec) Virtual
   Private Network (VPN) Systems using Internet Key Exchange (IKE)
   (versions 1 and 2) and Public Key Infrastructure (PKI) Systems.
   These requirements are designed to meet the needs of enterprise-scale
   IPsec VPN deployments.  It is intended that a standards track profile
   of a management protocol will be created to address many of these
   requirements.

Bonatti, et al.             Informational                       [Page 1]
RFC 4809        Reqs for IPsec Certificate Mgmt Profile    February 2007

Table of Contents

   1. Introduction ....................................................4
      1.1. Scope ......................................................5
      1.2. Non-Goals ..................................................6
      1.3. Definitions ................................................6
      1.4. Requirements Terminology ...................................8
   2. Architecture ....................................................9
      2.1. VPN System .................................................9
           2.1.1. IPsec Peer(s) .......................................9
           2.1.2. VPN Administration Function (Admin) .................9
      2.2. PKI System ................................................10
      2.3. VPN-PKI Interaction .......................................11
   3. Requirements ...................................................13
      3.1. General Requirements ......................................13
           3.1.1. One Protocol .......................................13
           3.1.2. Secure Transactions ................................13
           3.1.3. Admin Availability .................................13
           3.1.4. PKI Availability ...................................14
           3.1.5. End-User Transparency ..............................14
           3.1.6. PKC Profile for PKI Interaction ....................14
                  3.1.6.1. Identity ..................................15
                  3.1.6.2. Key Usage .................................15
                  3.1.6.3. Extended Key Usage ........................15
                  3.1.6.4. Revocation Information Location ...........15
           3.1.7. Error Handling .....................................15
      3.2. Authorization .............................................15
           3.2.1. One Protocol .......................................15
           3.2.2. Bulk Authorization .................................16
           3.2.3. Authorization Scenario .............................16
           3.2.4. Authorization Request ..............................17
                  3.2.4.1. Specifying Fields within the PKC ..........17
                  3.2.4.2. Authorizations for Rekey, Renewal,
                           and Update ................................18
                  3.2.4.3. Other Authorization Elements ..............18
                  3.2.4.4. Cancel Capability .........................19
           3.2.5. Authorization Response .............................19
                  3.2.5.1. Error Handling for Authorization ..........20
      3.3. Generation ................................................20
           3.3.1. Generation Method 1: IPsec Peer Generates Key Pair,
                  Constructs PKC Request, and Signs PKC Request ......21
           3.3.2. Generation Method 2: IPsec Peer Generates Key Pair,
                  Admin Constructs PKS Request, Admin Signs PKC
                  Request ............................................22
           3.3.3. Generation Method 3: Admin Generates Key Pair,
                  Constructs PKC Request, and Signs PKC Request ......23
           3.3.4. Method 4: PKI Generates Key Pair ...................24
           3.3.5. Error Handling for Generation ......................25

Bonatti, et al.             Informational                       [Page 2]
Show full document text
ISOC IETF Trust RFC Editor IRTF IESG IETF IAB IASA & IAOC IETF Tools IANA