Presentation is loading. Please wait.

Presentation is loading. Please wait.

November 9 1999IPsec Remote Access BOF Washington D.C. November 9 1999.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "November 9 1999IPsec Remote Access BOF Washington D.C. November 9 1999."— Presentation transcript:

1 November 9 1999IPsec Remote Access BOF Washington D.C. November 9 1999

2 IPsec Remote Access BOF Co-chairs: Roy Pereira royp@cisco.com Sara Bitan sarab@radguard.com Mailing list : ietf-ipsra@vpnc.org Subscribe : ietf-ipsra-request@vpnc.org Archive : http://www.vpnc.org/ietf-ipsra/mail-archive

3 November 9 1999IPsec Remote Access BOF Agenda 5 mins Agenda bashing 5 mins High level goals and requirements 10 mins Reading of the Charter 35 mins Discussion of Charter & requirements 5 mins Finalize Charter

4 November 9 1999IPsec Remote Access BOF High Level Goals 1)Provide support for non-PKI scalable legacy end-user authentication technologies. 2)Support dynamic resource assignment. 3)Enhance IKE to support mobile remote users.

5 November 9 1999IPsec Remote Access BOF IPSRA requirements Generic Maintain or exceed security strength Complement current and future IKE specifications –Maintain compatibility with current and future IKE specification Seamless migration from direct-dial remote access –User perspective

6 November 9 1999IPsec Remote Access BOF IPSRA requirements Authentication Support existing legacy user authentication system (e.g. SecurID, RADIUS,CHAP) –seamless integration into an organization’s existing infrastructure. Seamless migration to a PKI

7 November 9 1999IPsec Remote Access BOF IPSRA requirements Configuration Resource allocation (specifically private IP address) –Should be referenceable to IKE IDs. VPN configuration (e.g. allowed subnets, IPsec policy) ???? Distribution of VPN configuration ???

8 November 9 1999IPsec Remote Access BOF Charter The rapid growth of remote access and the subsequent transition from older direct-dial remote access to Internet-based remote access carries with it a requirement for secure communications. While IPsec is an obvious solution in this space, it has several easy-to-fix shortcomings:

9 November 9 1999IPsec Remote Access BOF 1) IPsec, and particular, IKE, assumes the widespread deployment of public-key technology to achieve mutual authentication between parties. There exists a large demand for the support of scalable non (public-key) certificate end-user authentication technologies in the IPsec remote-access space.

10 November 9 1999IPsec Remote Access BOF 2) IPsec makes it difficult to support dynamic resource assignment, particularly addresses, based on authenticated user identity, from within a private address space behind an IPsec security gateway. This is an operational property of the current IKE specification, and implementations.

11 November 9 1999IPsec Remote Access BOF 3) The current IKE protocol does not properly answer the requirements of remote access users when non-certificate based authentication is used. Main mode with shared secret authentication cannot be used with dynamic IP addresses. Aggressive mode is exposed to a wide range of denial of service attacks (unlike main mode). In addition, the use of all the existing modes with the authentication mechanism listed in (2a) below, creates a list of new problems (among them - man in the middle, binding IKE authentication to the user authentication). (If the working group will reach the conclusion that) We will define new IKE modes (are required) to securely support legacy user authentication (then we will move forward to defining such new modes).

12 November 9 1999IPsec Remote Access BOF The outputs of this working group will include: 1) A framework document that specifies the requirements for secure IPsec remote access. This document will identify all the entities participating in the secure remote access, and define the secure remote access architecture.

13 November 9 1999IPsec Remote Access BOF 2) Standards-track documents that fulfill the requirements outlined by the goals of this charter. Specifically: a) A PROPOSED STANDARD (or BCP or Informational) document describing extensions to IPsec and/or IKE to support existing end-user authentication, by itself or in conjunction with another IKE authentication mechanism, including, but not limited to: - username/password (eg. RADIUS PAP) - Tokens: both Challenge/Response and SecurID-like - OTP b) A PROPOSED STANDARD (or BPC or informational) document describing a mechanism for providing secure configuration for remote users needing access to a private network on the other side of an IPsec gateway. At a minimum, this would involve address assignment for the user-side virtual interface.

14 November 9 1999IPsec Remote Access BOF The proposed work items for this group would yield standards that are compatible with the existing IPsec architecture [RFC 2401] and IKE, complementing the standards work achieved by the IPsec Working Group. Since this working group is focusing on IP Security, its protocol specifications will be designed to have no negative impact on the security of the underlying protocols (ESP,AH, and IKE), or the Internet in general.

15 November 9 1999IPsec Remote Access BOF There are existing, marketed, implementations based on previous work in (this field) the user authentication field and thus a major focus for this working group will be to leverage the existing practice and operational experience, and extract from the implementations a scheme that is flexible, and architecturally sound.

16 November 9 1999IPsec Remote Access BOF Thus, this work will be derived from, but not limited to, all or some of the following documents : draft-gupta-ipsec-remote-access draft-aboba-ipsra-req draft-kelly-ipsra-userauth draft-ietf-ipsec-isakmp-hybrid-auth draft-harkins-ipsec-ike-crack draft-ietf-ipsec-iskamp-xauth draft-ietf-ipsec-ike-base-mode draft-ietf-ipsec-isakmp-mode-cfg draft-ietf-ipsec-dhcp draft-ietf-pppext-l2tp-security draft-ietf-pppext-secure-ra

17 November 9 1999IPsec Remote Access BOF Milestones: November 1999: Second BOF meeting November 1999: New drafts of addressing mechanisms November 1999: New drafts of authentication mechanisms January 2000: First draft of framework document February 2000: Framework document submitted for standards track March 2000: First WG meeting May 2000: Addressing mechanism document submitted for standards track May 2000: Authentication mechanism document submitted for standards track May 2000: Enhanced IKE document submitted for standards track

Download ppt "November 9 1999IPsec Remote Access BOF Washington D.C. November 9 1999."

Similar presentations

PAWS BOF Protocol to Access White Space DB IETF 80 Gabor Bajko, Brian Rosen.

PAWS BOF Protocol to Access White Space DB IETF 80 Gabor Bajko, Brian Rosen.
Secure Mobile IP Communication

Secure Mobile IP Communication
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.

Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
DHCP Configuration of IPSEC Tunnel Mode Draft-ipsec-dhcp-08.txt Bernard Aboba Microsoft.

DHCP Configuration of IPSEC Tunnel Mode Draft-ipsec-dhcp-08.txt Bernard Aboba Microsoft.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.

Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
IPv6 over xDSL: The DIODOS Proposal Athanassios Liakopoulos Greek Research & Technology Network International IPv6 Workshop, Kopaonik,

IPv6 over xDSL: The DIODOS Proposal Athanassios Liakopoulos Greek Research & Technology Network International IPv6 Workshop, Kopaonik,
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.

1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Evaluation of an internet protocol security based virtual private network solution Thesis written by Arto Laukka at TeliaSonera Finland Oyj SupervisorProfessor.

Evaluation of an internet protocol security based virtual private network solution Thesis written by Arto Laukka at TeliaSonera Finland Oyj SupervisorProfessor.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
A Survey on Interfaces to Network Security

A Survey on Interfaces to Network Security
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
Host Mobility for IP Networks CSCI 6704 Group Presentation presented by Ye Liang, ChongZhi Wang, XueHai Wang March 13, 2004.

Host Mobility for IP Networks CSCI 6704 Group Presentation presented by Ye Liang, ChongZhi Wang, XueHai Wang March 13, 2004.

Similar presentations

Ads by Google