Status report for draft-ietf-ipsec-pki-profile - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Status report for draft-ietf-ipsec-pki-profile
  • Paul Hoffman, Director
  • VPN Consortium (paul.hoffman@vpnc.org)
  • for Brian Korver (briank@briank.com)

2
Recent status
  • Brian Korver turned in draft-ietf-ipsec-pki-profile-04,
    sent to the list last week
  • Currently available at
    <http://www.icsalabs.com/html/communities/pki4ipsec/draft-ietf-ipsec-pki-profile-04.txt>
  • Will be posted to the main IETF repository after this
    week

3
Reorganization
  • Identities in certs and ID payloads are now
    discussed in fewer places
  • Introductions appear only once for many topics
  • More to be done trying to shorten the document
    by collecting topics into one place

4
Mailing list issues on identity
  • Significance of the ID payload
  • Which ID fields in certs MUST be supported
  • How to tie IKE ID to Cert contents

5
MUST be able to send IDs of...
  • IP address
  • DNS name
  • Email address
  • Subject names
  • MUST NOT send IP ranges or KeyIDs

6
Matching the ID payload to the cert contents
  • The ID in the ID payload MUST match the contents
    of the corresponding field (listed) in the
    certificate exactly, with no other lookup.
  • The matched ID MAY be used for SPD lookup, but is
    not required to be used for this.
  • Mappings:
    • IPV46_ADDR → SubjAltName iPAddress
    • FQDN → SubjAltName dNSName
    • USER_FQDN → SubjAltName rfc822Name
    • DN → Entire Subject, bitwise compare

7
Matching the ID to the SPD
  • For IP addresses, email addresses, and DNS names,
    you MUST be able to support exact matching in the
    SPD, but MAY also support substring or wildcard
    matches.
  • For Subjects, MUST support lookup on any
    combination of C, CN, O, or OU. You MAY also
    support substring or wildcard matches.
  • You MAY match on additional cert DN attributes,
    but all bets are off for interop.
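
The two matching steps from slides 6 and 7, as an added example that is not part of the presentation or the draft: a constructed certificate and SPD are embedded inline, the slide's own ID labels (IPV46_ADDR, FQDN, USER_FQDN, DN) are used as keys, and the DER Subject is a placeholder byte string standing in for real encoding.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Slide 6 mapping: IKE ID type -> the one certificate field it must match.
# IPV46_ADDR is the slide's label for an IPv4 or IPv6 address ID.
ID_TO_CERT_FIELD = {"IPV46_ADDR": "iPAddress", "FQDN": "dNSName",
                    "USER_FQDN": "rfc822Name", "DN": "Subject"}
SPD_DN_ATTRS = {"C", "CN", "O", "OU"}  # slide 7: DN lookup keys that MUST be supported

@dataclass
class Cert:
    """Constructed stand-in for the parts of an X.509 cert that get compared."""
    subject_der: bytes             # encoded Subject; a DN ID is compared to this bitwise
    subject_attrs: Dict[str, str]  # decoded Subject attributes, used only for SPD lookup
    san: Dict[str, List[str]]      # SubjectAltName values keyed by GeneralName type

def id_matches_cert(id_type: str, id_value, cert: Cert) -> bool:
    """Slide 6: the ID must equal the mapped cert field exactly, with no other lookup.
    IP ranges and KeyIDs (slide 5) have no mapping and are never accepted."""
    fld = ID_TO_CERT_FIELD.get(id_type)
    if fld is None:
        return False
    if fld == "Subject":
        return isinstance(id_value, bytes) and id_value == cert.subject_der
    return id_value in cert.san.get(fld, [])   # only the mapped SAN type is consulted

def spd_lookup(id_type: str, id_value, cert: Cert, spd: List[dict]) -> Optional[str]:
    """Slide 7: exact match for IP/DNS/email IDs; for DN IDs, match the cert Subject
    on whatever combination of C, CN, O, OU the SPD entry names. Returns the policy."""
    if not id_matches_cert(id_type, id_value, cert):
        return None                            # an unmatched ID never reaches the SPD
    for e in spd:
        attrs = e.get("dn_attrs")
        if id_type == "DN" and attrs and set(attrs) <= SPD_DN_ATTRS:
            if all(cert.subject_attrs.get(k) == v for k, v in attrs.items()):
                return e["policy"]
        elif e.get("id_type") == id_type and e.get("id_value") == id_value:
            return e["policy"]
    return None

# Constructed sample data (not a real certificate or policy).
SUBJECT_DER = b"<constructed DER of C=US,O=Example Corp,CN=gw1>"
CERT = Cert(subject_der=SUBJECT_DER,
            subject_attrs={"C": "US", "O": "Example Corp", "CN": "gw1"},
            san={"dNSName": ["gw1.example.com"], "iPAddress": ["192.0.2.1"],
                 "rfc822Name": ["admin@example.com"]})
SPD = [{"policy": "gw-policy", "id_type": "FQDN", "id_value": "gw1.example.com"},
       {"policy": "corp-policy", "dn_attrs": {"C": "US", "O": "Example Corp"}}]
```

Note that a DNS-name ID is only checked against dNSName entries, so an IP-address string sent as an FQDN fails even though the certificate carries that address in iPAddress.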

8
Other list agreements
  • Both sides must always send their own
    certificates
  • No other certificate payloads: all PKI lifecycle
    information is carried in its own protocol.
  • Need to deal with situations where that protocol
    must be run over IPsec

9
Next version of the draft will...
  • Be more consistent on these changes
  • Coalesce more related topics so reading is easier
  • Deal with even more open issues from the mailing
    list

10
Next steps
  • Should this document be a WG item?
  • What are the open issues remaining?