1
IETF IPSRA WG ??
  • ? ? ?
  • ???????
  • ?????
  • ksl_at_dongeui.ac.kr

2
Outline
  • Background
  • Problems
  • WG Goals
  • Requirements draft
  • Authentication draft
  • Configuration draft
  • References

3
Background
  • Typical remote access in the recent past
    • dial-up users via the PSTN to a network access server
    • PPP-based protocols
    • access control, authorization, and accounting functions
    • RADIUS, TACACS, etc. [5]
  • Growing Internet access via ISPs
  • Advent of IPsec
  • Remote access in the future
    • IPsec-based solutions

4
Problems to be solved
  • User authentication requires human interaction
  • IPsec IKE's authentication methods are based on public-key technology; legacy user credentials are not supported directly
  • Public key infrastructure will take a long time to be deployed
  • Legacy authentication systems will continue to exist for a while
  • Remote host configuration and security/access control issues must be solved as well

5
WG Goals
  • To define requirements and architecture
    • as an informational RFC
  • To define a user authentication mechanism
    • running IKE using legacy authentication mechanisms
    • standards track
  • To define a remote host configuration mechanism
    • standards track
  • To define an access control mechanism
    • security policy configuration

6
Past Meetings
  • 1st BOF
  • 2nd BOF
    • Washington, 1999.11
  • 1st WG meeting
    • 47th IETF, Adelaide, Australia, 2000.3
  • 2nd WG meeting
    • 48th IETF, Pittsburgh, USA, 2000.8

7
Drafts
  • 2 WG drafts, some 5 drafts in total
    • Requirements draft
    • Authentication drafts
    • Configuration draft

8
  • Requirement Draft

9
Requirements draft
  • Current version: 01 (2000.7) [1]
  • Version 02 expected soon
  • Goal: understanding the requirements in a number of differing remote access scenarios
    • some shared and some unique requirements
  • Requirement categories
    • Endpoint authentication
    • Remote host configuration
    • Security policy configuration
    • Accounting

10
Reference picture
  [Figure: Remote Access Client (IRAC) -> Internet -> Security Gateway (SGW / IRAS) -> Target network]
11
Endpoint Authentication
  • Refers to verification of the identities of the communication partners, e.g. the IRAC and the IRAS
    • Machine-level authentication
    • User-level authentication
    • Combined user/machine authentication
  • Remote access authentication is typically asymmetric: the two ends are authenticated by different means
  • There is a good deal of variation in authentication requirements across the differing scenarios

12
Remote Host Configuration
  • Refers to network-related device configuration of the client system
  • Parameters
    • IP address, subnet mask, broadcast address, host name, domain name, servers, default routers, MTU, default TTL, etc.
  • Virtual address
    • virtual presence on the corporate network via an IPsec tunnel

13
Security Policy Configuration
  • Refers to the IPsec policy configuration of both the IRAC and the IRAS
  • Examples:
    • on the IRAC, block access from the outside world (the Internet) to the client, so that only traffic arriving through the tunnel reaches it
    • on the IRAS, a particular user's access can be controlled via policies keyed on the particular address (or the address from a specific pool) assigned to that user
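The two policy examples above, worked through in code. This is an added example (Python), not part of the presentation or the requirements draft: the addresses (203.0.113.7, 10.1.0.23, 198.51.100.1, 10.0.0.0/8), the two address pools and every rule are assumed for illustration. The policy database is modelled as an ordered first-match list with the RFC 2401 actions PROTECT, BYPASS and DISCARD; the check that matters on the IRAC side is that a cleartext packet matching a PROTECT selector is dropped, which is what stops an outsider from spoofing corporate addresses at the client.

```python
"""Security policy configuration on the IRAC and the IRAS.  Added example: the
addresses, pools and rules are assumed, not taken from the requirements draft.

Two policies from the slide: the IRAC discards anything from the outside world
that did not arrive through its tunnel, and the IRAS decides what a remote user
may reach from the address pool that user was assigned.  The SPD is an ordered
first-match list with the RFC 2401 actions PROTECT, BYPASS and DISCARD; a
cleartext packet that matches a PROTECT selector is discarded, as inbound
IPsec processing requires.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Rule:
    src: str                      # CIDR selectors
    dst: str
    action: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    note: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    tunneled: bool = False        # True once decapsulated from the ESP tunnel


def evaluate(spd: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, note) from the first matching rule; no match means DISCARD."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in spd:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in (None, pkt.proto) and r.dport in (None, pkt.dport)):
            if r.action == PROTECT and not pkt.tunneled:
                return DISCARD, "cleartext packet matched a PROTECT selector: " + r.note
            return r.action, r.note
    return DISCARD, "no matching policy"


# IRAC inbound policy (assumed addresses): client public 203.0.113.7, its virtual
# address 10.1.0.23, SGW 198.51.100.1, corporate network 10.0.0.0/8.
IRAC_INBOUND = [
    Rule("198.51.100.1/32", "203.0.113.7/32", BYPASS, "udp", 500, "IKE from the SGW"),
    Rule("198.51.100.1/32", "203.0.113.7/32", BYPASS, "esp", None,
         "outer ESP packet; the inner packet is re-evaluated after decapsulation"),
    Rule("10.0.0.0/8", "10.1.0.23/32", PROTECT, note="corporate traffic to the virtual address"),
    Rule("0.0.0.0/0", "0.0.0.0/0", DISCARD, note="block Internet access to the IRAC from outside"),
]

# IRAS policy keyed on the pool a user was assigned from (assumed pools).
POOLS = {
    "sales": ("10.1.0.0/25", ["10.0.5.0/24"]),
    "engineering": ("10.1.0.128/25", ["10.0.5.0/24", "10.0.7.0/24"]),
}


def iras_spd(pools) -> List[Rule]:
    """Build the IRAS SPD: each pool may reach its listed destinations, nothing else."""
    spd = [Rule(rng, dst, PROTECT, note=f"{name} pool -> {dst}")
           for name, (rng, dests) in pools.items() for dst in dests]
    spd.append(Rule("0.0.0.0/0", "0.0.0.0/0", DISCARD, note="remote users reach nothing else"))
    return spd
```

Evaluating `Packet("10.0.5.9", "10.1.0.23", "tcp", 22)` against `IRAC_INBOUND` with `tunneled=False` yields DISCARD even though the addresses match the corporate rule; the same packet after ESP decapsulation (`tunneled=True`) yields PROTECT. On the IRAS, `iras_spd(POOLS)` lets a sales-pool address reach 10.0.5.0/24 but not 10.0.7.0/24.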

14
Accounting
  • Refers to the generation and collection of connection status information
  • Some accounting information:
    • connection start time
    • connection end time
    • incoming octets
    • outgoing octets
  • Implies the need for a connection keep-alive mechanism: unlike a dialup line, an IPsec tunnel has no explicit hang-up, so the end of a connection must otherwise be inferred
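The accounting requirement above, worked through in code. This is an added example (Python) and not part of the presentation or the requirements draft; the event format, the 30-second keep-alive timeout and the sample event log are constructed for it. It shows how the four listed fields are produced for both an explicit teardown and a client that silently disappears, where only the missing keep-alives reveal the end time.

```python
"""Connection accounting driven by keep-alives.  Added example: the event
format, the timeout and the sample events are constructed, not from the draft.

The requirements draft lists connection start time, end time and octets in each
direction.  An IPsec tunnel has no hang-up signal like a dialup line, so the
IRAS learns that a client has silently disappeared only when its keep-alives
stop; the end time of such a session is the last keep-alive plus the timeout.
Keep-alives here carry the client's cumulative octet counters.
"""
from dataclasses import dataclass
from typing import Dict, List

KEEPALIVE_TIMEOUT = 30   # seconds without a keep-alive before the session is declared dead (assumed)

# Constructed event log: "<time> <event> <session> [<in_octets> <out_octets>]"
SAMPLE_EVENTS = """\
100 start alice-1
105 start bob-1
110 keepalive alice-1 1200 800
115 keepalive bob-1 500 400
120 keepalive alice-1 2400 1500
125 keepalive bob-1 900 700
130 stop alice-1 3000 2000
200 keepalive carol-1 10 10
"""


@dataclass
class Session:
    sid: str
    start: int
    last_seen: int
    in_octets: int = 0
    out_octets: int = 0


@dataclass
class AccountingRecord:
    sid: str
    start: int
    end: int
    in_octets: int
    out_octets: int
    reason: str    # "stop" for an explicit teardown, "timeout" for missed keep-alives


class Accounting:
    def __init__(self, timeout=KEEPALIVE_TIMEOUT):
        self.timeout = timeout
        self.active: Dict[str, Session] = {}
        self.records: List[AccountingRecord] = []
        self.unknown: List[str] = []   # events for sessions never started (or already closed)

    def expire(self, now):
        """Close every session whose keep-alives have stopped."""
        for sid, s in list(self.active.items()):
            if now - s.last_seen > self.timeout:
                self.records.append(AccountingRecord(sid, s.start, s.last_seen + self.timeout,
                                                     s.in_octets, s.out_octets, "timeout"))
                del self.active[sid]

    def handle(self, line):
        t, event, sid, *counters = line.split()
        t = int(t)
        self.expire(t)           # time only advances through events, so expire first
        if event == "start":
            self.active[sid] = Session(sid, t, t)
            return True
        s = self.active.get(sid)
        if s is None:
            self.unknown.append(line)
            return False
        s.last_seen = t
        if len(counters) == 2:   # cumulative counters reported by the client
            s.in_octets, s.out_octets = int(counters[0]), int(counters[1])
        if event == "stop":
            self.records.append(AccountingRecord(sid, s.start, t, s.in_octets, s.out_octets, "stop"))
            del self.active[sid]
        return True


def run(events, timeout=KEEPALIVE_TIMEOUT):
    """Feed an event log through the tracker and return it for inspection."""
    acct = Accounting(timeout)
    for line in events.strip().splitlines():
        acct.handle(line)
    return acct
```

With the sample log, `run(SAMPLE_EVENTS).records` holds a "stop" record for alice-1 ending at 130 with 3000/2000 octets, and a "timeout" record for bob-1 ending at 155 (last keep-alive at 125 plus the 30-second timeout) with the last counters it reported; the carol-1 keep-alive for a session that never started is kept aside in `unknown` rather than silently creating a session.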

15
Scenarios
  • Telecommuters
  • Corporate to remote extranet
  • Extranet laptop to home corporate net
  • Extranet desktop to home corporate net
  • Remote dialup laptop (Road warrior) access
  • Public system to corporate network

16
Telecommuters (Dialup/DSL/Cable modem)
  • Dialup/DSL/cable-modem telecommuters using their own home systems to access corporate resources

  [Figure: IRAC -> Modem -> ISP -> Internet -> SGW -> Corporate network]
17
Corporate to Remote Extranet
  • Extranet users using their corporate desktop
    systems to access the remote company network of a
    business partner

  [Figure: User in Corporate A -> SGW/FW -> Internet -> SGW/FW -> Corporate B]
18
Extranet Laptop to Home Corporate Net
  • Extranet users using their own laptop within another company's network to access their home corporate network

  [Figure: Corp-A laptop inside Corporate B -> SGW/FW -> POP -> Internet -> SGW/FW -> Corporate A (FTP server)]
19
Extranet Desktop to Home Corporate Net
  • Extranet users using a business partner's system (on that partner's network) to access their home corporate network

  [Figure: Corp-A desktop inside Corporate B -> SGW/FW -> POP -> Internet -> SGW/FW -> Corporate A (FTP server)]
20
Remote Dialup Laptop (Road Warrior) Access
  • Road warriors using their own laptop systems to access corporate resources via an arbitrary ISP dialup connection
  • Virtually indistinguishable from the telecommuter scenario
  • Typically the dialup connection is short-lived

21
Public System to Corporate Network
  • Remote users using a borrowed system (e.g., an
    airport kiosk) to access corporate resources

22
Scenario Commonalities
  • User authentication is required in almost all cases
  • Machine authentication for the IRAS is required in all scenarios
  • A device configuration mechanism is required in most cases
  • Dynamic IRAC policy configuration is useful in several scenarios
  • Most scenarios require accounting
  • Machine authentication for the IRAC is generally only useful when combined with user authentication; combined user and machine authentication is useful in some scenarios

23
  • Authentication Drafts

24
Authentication drafts
  • Two proposals
    • Pre-IKE Credential Provisioning Protocol (PIC draft) [2]
    • Client Certificate and Key Retrieval for IKE (getcert draft) [3]

25
PIC draft
  • One approach to integrating legacy authentication mechanisms into IKE
  • WG draft
  • Current version: 01 (2000.9)
  • Switched from XAuth to EAP for legacy authentication
  • Uses a simplified ISAKMP/IKE exchange
  • Uses EAP (Extensible Authentication Protocol)
  • No modification to IKE itself

26
PIC Architecture
  [Figure: Client/User -> Authentication Server (AS) -> Legacy Authentication Server (LAS); optional link between the AS and the Security Gateway (SGW); Client/User -> SGW]
27
PIC Protocol
  • Three main stages in the PIC protocol (between the client and the AS):
    • establish a one-way trust relationship: a secure channel from the client to the AS is created (the client authenticates the AS, not the other way round)
    • legacy authentication is performed over this channel, using EAP tunneled within ISAKMP
    • the AS sends the client a (typically short-term) credential which can be used in subsequent IKE exchanges
  • The credential can be thought of as
    • a certificate,
    • a private key generated or stored by the AS and accompanied by a corresponding certificate, or
    • a symmetric secret key
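The three stages above, modelled end to end in code, followed by the gateway's use of the issued credential. This is an added example (Python); it is not the PIC draft's code nor any implementation of it. The one-way trust of stage 1 is modelled with a static Diffie-Hellman value of the AS whose fingerprint the client has pinned (standing in for the AS certificate); the legacy method in stage 2 is EAP-MD5, i.e. a CHAP-style challenge/response (RFC 1994); the credential in stage 3 is the third kind listed on the slide, a symmetric key, derived from a provisioning key that the AS and the SGW share over the optional AS-SGW link. The MODP group is group 2 from RFC 2409; all names, keys, message layouts and the one-hour lifetime are assumptions of this example.

```python
"""Three PIC stages between client and AS, then IKE use of the credential.
Added example: not the draft's code or any implementation of it.  MODP group 2
is from RFC 2409; names, keys, message layouts and lifetimes are assumed.
Stage 1: one-way trust via a pinned fingerprint of the AS's static DH value
(standing in for an AS certificate); the client stays anonymous.
Stage 2: EAP-MD5 (RFC 1994 CHAP-style response) over that channel, checked by
the legacy authentication server.  Stage 3: a short-lived symmetric key derived
from a provisioning key the AS shares with the SGW, used as an IKE PSK.
"""
import hashlib, hmac, os

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    priv = int.from_bytes(os.urandom(32), "big")
    return priv, pow(G, priv, P)


def dh_channel_key(peer_pub, priv):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(128, "big")).digest()


def fingerprint(pub):  # what the client pins instead of an AS certificate
    return hashlib.sha256(pub.to_bytes(128, "big")).hexdigest()


def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def eap_md5(ident, secret, challenge):  # RFC 1994 CHAP response as carried by EAP-MD5
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class LegacyAuthServer:
    def __init__(self, users):
        self.users = users  # user -> password bytes (assumed store)

    def verify(self, user, ident, challenge, response):
        pw = self.users.get(user)
        return pw is not None and hmac.compare_digest(eap_md5(ident, pw, challenge), response)


class AuthServer:
    def __init__(self, las, sgw_key, lifetime=3600):
        self.priv, self.pub = dh_keypair()
        self.las, self.sgw_key, self.lifetime, self.sessions = las, sgw_key, lifetime, {}

    def stage1(self, client_pub):
        """Derive the channel key from the anonymous client's DH value; issue the EAP-MD5 challenge."""
        sid = os.urandom(8)
        self.sessions[sid] = {"ck": dh_channel_key(client_pub, self.priv),
                              "ident": os.urandom(1)[0], "chal": os.urandom(16)}
        return sid, self.sessions[sid]["ident"], self.sessions[sid]["chal"]

    def stage2(self, sid, msg, tag, now):
        """Check the MAC-protected EAP response with the LAS, then hand out the credential."""
        s = self.sessions.get(sid)
        if s is None or not hmac.compare_digest(mac(s["ck"], msg), tag):
            return None
        user, response = msg.split(b"|", 1)
        if not self.las.verify(user.decode(), s["ident"], s["chal"], response):
            return None
        expiry, nonce = now + self.lifetime, os.urandom(16)
        psk = mac(self.sgw_key, user, str(expiry).encode(), nonce)  # the SGW can re-derive this
        pad = mac(s["ck"], b"wrap", nonce)                           # 32-byte pad bound to the channel
        body = str(expiry).encode() + b"|" + nonce + bytes(a ^ b for a, b in zip(psk, pad))
        return body, mac(s["ck"], body)


def client_provision(as_srv, pinned_fp, user, password, now):
    """Client side of the three stages; returns the credential, or None on any failure."""
    if fingerprint(as_srv.pub) != pinned_fp:  # stage 1: not the AS we trust
        return None
    priv, pub = dh_keypair()
    ck = dh_channel_key(as_srv.pub, priv)
    sid, ident, chal = as_srv.stage1(pub)
    msg = user.encode() + b"|" + eap_md5(ident, password, chal)  # stage 2: password never leaves the client
    result = as_srv.stage2(sid, msg, mac(ck, msg), now)
    if result is None:
        return None
    body, tag = result  # stage 3: the credential must arrive over the same channel
    if not hmac.compare_digest(mac(ck, body), tag):
        return None
    expiry, rest = body.split(b"|", 1)
    nonce, wrapped = rest[:16], rest[16:]
    pad = mac(ck, b"wrap", nonce)
    return {"user": user, "expiry": int(expiry), "nonce": nonce,
            "psk": bytes(a ^ b for a, b in zip(wrapped, pad))}


def ike_proof(cred, ike_nonce):  # stand-in for IKE pre-shared-key authentication
    return mac(cred["psk"], b"IKE-AUTH", ike_nonce)


def sgw_ike_psk_auth(sgw_key, user, expiry, nonce, ike_nonce, proof, now):
    """SGW side: re-derive the PSK from the AS-SGW key, check the proof and the lifetime."""
    if now >= expiry:  # the credential is short-lived
        return False
    psk = mac(sgw_key, user.encode(), str(expiry).encode(), nonce)
    return hmac.compare_digest(proof, mac(psk, b"IKE-AUTH", ike_nonce))
```

The tunnel is the point of the design: EAP-MD5 on its own is open to offline dictionary attack by anyone who observes the challenge and response, so here it only ever runs inside the channel keyed to the pinned AS. A wrong pinned fingerprint aborts before anything is sent, a wrong password fails at the LAS, and the SGW refuses the credential once `now` reaches `expiry` even though the proof is still correct.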

28
Getcert draft
  • The architecture is similar to PIC's
    • integrate legacy authentication into IKE
    • use a separate AS
  • The differences are in the details
    • use TLS and HTTP rather than EAP and ISAKMP/IKE
  • Not yet a WG draft
  • Current version: 00
  • The client-side certificate generation option was selected by straw poll, among 4 proposals
  • 9?? 01 version ??

29
Getcert draft (cont.)
  • Client-side certificate generation
    • The client sends its username
    • The server responds
    • The client generates a key pair and signs its public key
    • The server returns the certificate

30
  • Configuration Draft

31
DHCP draft
  • Virtual presence is useful [4]
    • using a virtual IP address and then tunneling
  • DHCP meets the requirements of a host with an IPsec tunnel-mode interface
  • No modification to DHCP is required
  • The draft is stable

  [Figure: Remote host (virtual presence) -> Internet -> SGW / DHCP relay -> DHCP server on the target network; the remote host appears there as a virtual host next to the externally visible host]
32
Configuration Steps
  • Establish an IKE SA between the IRAC and the IRAS
  • Establish a DHCP SA between the IRAC and the IRAS (an IPsec SA whose selectors admit only DHCP traffic)
  • Exchange DHCP messages between the IRAC and the DHCP server, using the IRAS as a DHCP relay
  • Establish the IPsec SA for the virtual address and start to communicate
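The third step above, the DHCP exchange through the IRAS acting as relay, worked through in code. This is an added example (Python), not the draft's code and not a DHCP implementation: it encodes and decodes just enough of the RFC 2131 packet format to run DISCOVER/OFFER between an IRAC, a relay and a server in one process, and all addresses, pools and the client MAC are assumed. It shows why no change to DHCP is needed: the relay agent's normal behaviour (stamp giaddr, forward, return the reply) is what carries the exchange across the tunnel, and the server's ordinary per-giaddr pool selection is what produces the virtual address.

```python
"""DHCP configuration of the virtual address with the IRAS as relay.  Added
example: not the draft's code and not a DHCP implementation; addresses, pools
and the client MAC are assumed.

Why unmodified DHCP (RFC 2131) fits the virtual-presence model: the IRAC sends
an ordinary DHCPDISCOVER through the DHCP SA, the IRAS acts as a relay agent
(it stamps its own address into giaddr and forwards), the target network's
server allocates from the pool that belongs to that giaddr, and the yiaddr in
the DHCPOFFER becomes the client's virtual address.  Only DISCOVER/OFFER is
shown; REQUEST/ACK uses the same encoder.
"""
import ipaddress
import struct

HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # the fixed 236-byte header, RFC 2131 figure 1
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY, DISCOVER, OFFER = 1, 2, 1, 2
OPT_MASK, OPT_ROUTER, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER, OPT_PARAMS = 1, 3, 51, 53, 54, 55


def packed(addr):
    return ipaddress.ip_address(addr).packed


def encode(op, xid, chaddr, options, giaddr="0.0.0.0", yiaddr="0.0.0.0", hops=0):
    hdr = struct.pack(HDR, op, 1, len(chaddr), hops, xid, 0, 0x8000,  # htype 1 = Ethernet, broadcast flag
                      packed("0.0.0.0"), packed(yiaddr), packed("0.0.0.0"), packed(giaddr),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return hdr + MAGIC + body + b"\xff"


def decode(pkt):
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:   # option list ends with 0xFF
        if pkt[i] == 0:                      # pad
            i += 1
            continue
        code, n = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + n]
        i += 2 + n
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": str(ipaddress.ip_address(f[8])),
            "giaddr": str(ipaddress.ip_address(f[10])), "chaddr": f[11][:f[2]], "options": opts}


class DhcpServer:
    """Target-network DHCP server; each relay (giaddr) owns one pool (assumed layout)."""
    def __init__(self, pools, server_id):
        self.nets = {g: ipaddress.ip_network(n) for g, n in pools.items()}
        self.free = {g: list(net.hosts()) for g, net in self.nets.items()}
        self.leases, self.server_id = {}, server_id

    def handle(self, pkt):
        d = decode(pkt)
        if d["op"] != BOOTREQUEST or d["options"].get(OPT_MSGTYPE) != bytes([DISCOVER]):
            return None
        net, free = self.nets.get(d["giaddr"]), self.free.get(d["giaddr"])
        if net is None or not free:           # unknown relay, or pool exhausted
            return None
        if d["chaddr"] not in self.leases:
            self.leases[d["chaddr"]] = free.pop(0)
        opts = {OPT_MSGTYPE: bytes([OFFER]), OPT_MASK: net.netmask.packed,
                OPT_ROUTER: packed(d["giaddr"]),   # the IRAS is the virtual host's default router
                OPT_LEASE: struct.pack("!I", 3600), OPT_SERVER: packed(self.server_id)}
        return encode(BOOTREPLY, d["xid"], d["chaddr"], opts, giaddr=d["giaddr"],
                      yiaddr=str(self.leases[d["chaddr"]]), hops=d["hops"])


class Relay:
    """The IRAS as DHCP relay agent on the tunnel side."""
    def __init__(self, addr, server):
        self.addr, self.server = addr, server

    def forward(self, pkt):
        d = decode(pkt)
        if d["giaddr"] == "0.0.0.0":          # first relay hop: bump hops, record ourselves in giaddr
            pkt = pkt[:3] + bytes([d["hops"] + 1]) + pkt[4:24] + packed(self.addr) + pkt[28:]
        return self.server.handle(pkt)        # the reply is addressed to giaddr (us) and goes down the tunnel


def client_discover(relay, mac_addr, xid=0x3903F326):
    """IRAC side: DISCOVER through the tunnel; returns the offered virtual configuration."""
    req = encode(BOOTREQUEST, xid, mac_addr,
                 {OPT_MSGTYPE: bytes([DISCOVER]), OPT_PARAMS: bytes([OPT_MASK, OPT_ROUTER, OPT_LEASE])})
    reply = relay.forward(req)
    if reply is None:
        return None
    d = decode(reply)
    if (d["op"] != BOOTREPLY or d["xid"] != xid or d["chaddr"] != mac_addr
            or d["options"].get(OPT_MSGTYPE) != bytes([OFFER])):
        return None
    o = d["options"]
    return {"virtual_ip": d["yiaddr"], "netmask": str(ipaddress.ip_address(o[OPT_MASK])),
            "router": str(ipaddress.ip_address(o[OPT_ROUTER])), "lease": struct.unpack("!I", o[OPT_LEASE])[0]}
```

With a server whose pool 10.1.0.0/24 belongs to relay address 10.0.0.1, `client_discover(Relay("10.0.0.1", server), mac)` returns 10.1.0.1 as the virtual address with the IRAS as router; a second client gets 10.1.0.2, the first client gets its existing lease back, and a relay the server does not know gets no offer at all. Because the relay is the only party that can reach the DHCP server on the target network, the DHCP SA in step 2 is what keeps outside hosts from injecting DISCOVERs.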

33
References
  • [1] S. Kelly and S. Ramamoorthi, "Requirements for IPsec Remote Access Scenarios", draft-ietf-ipsra-reqmts-01.txt, July 2000
  • [2] Y. Sheffer and H. Krawczyk, "The PIC Pre-IKE Credential Provisioning Protocol", draft-ietf-ipsra-pic-01.txt, September 2000
  • [3] S. Bellovin and R. Moskowitz, "Client Certificates and Key Retrieval for IKE", draft-bellovin-ipsra-getcert-00.txt, February 2000
  • [4] B. Patel et al., "DHCP Configuration of IPsec Tunnel Mode", draft-ietf-ipsec-dhcp-06.txt, July 2000
  • [5] C. Rigney et al., "Remote Authentication Dial In User Service (RADIUS)", RFC 2138