ipsec remote access requirements n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
IPsec Remote Access Requirements PowerPoint Presentation
Download Presentation
IPsec Remote Access Requirements

Loading in 2 Seconds...

play fullscreen
1 / 11

IPsec Remote Access Requirements - PowerPoint PPT Presentation


  • 148 Views
  • Uploaded on

IPsec Remote Access Requirements. Scott Kelly IPsec Remote Access Working Group 48th IETF. Document Change Overview. Deleted mobility requirements Added accounting requirements Modified endpoint/user/machine auth discussion

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

IPsec Remote Access Requirements


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
ipsec remote access requirements

IPsec Remote Access Requirements

Scott Kelly

IPsec Remote Access Working Group

48th IETF

document change overview
Document Change Overview
  • Deleted mobility requirements
  • Added accounting requirements
  • Modified endpoint/user/machine auth discussion
  • Deleted roaming/wireless users, and user-to-user connections from scenarios
document change overview continued
Document Change Overview, continued
  • Added discussion of threats and mitigation to telecommuter scenario discussion
  • Added statement about encouraging migration to stronger authentication systems to legacy compatibility section
  • Clarified language in Security Policy Configuration section (2.3)
mobility requirements deletion
Mobility Requirements Deletion
  • "mobility" somewhat ill-defined; could mean user enters through multiple access points, or that user address changes
  • seems obvious that in case of dynamic client address, new tunnel should be instantiated when address changes due to lease renewal failure, etc.
accounting requirements
Accounting Requirements
  • Basic definition: collection/reporting of connection status info
    • connection start/stop times
    • incoming/outgoing octets
    • others?
user machine authentication
User/Machine Authentication
  • Difficult distinction to make in many cases
  • In general, must assume private key is secured, but if this is assumed, why not assume encrypted private key authenticates user whose password decrypts it?
  • Requires assumptions regarding overall IRAC system security
user machine authentication continued
User/Machine Authentication, continued
  • Need to determine whether clearcut distinction exists
  • There do appear to be cases where independent assurance of both the user and system identity are required
  • Working group participants are invited to think about this and comment
deletion of scenarios
Deletion of Scenarios
  • Roaming users
    • no justification for treating these any differently than telecommuter
  • User-to-User
    • Since users are virtually on corporate net, it is not clear that additional access controls are necessary (or that if they are, it is up to ipsra to provide them)
modification of telecommuter scenario discussion
Modification of Telecommuter Scenario Discussion
  • Threats
    • joyriding/hijacking active connection
    • credential compromise and impersonation
    • passive monitoring (trojan horse, etc.)
migration to stronger authentication systems
Migration to Stronger Authentication Systems
  • added to "goals" statements:
    • should encourage migration from existing low-entropy password-based systems to more secure systems
  • Rationale:
    • this is consistent with charter
    • the point of this group is not to perpetuate weak mechanisms; rather, we want to strengthen them.
open issues
Open Issues
  • IRAC policy config: should IRAS control IRAC policy?
  • Machine/user auth: are these clearly distinguishable?
  • Mobility requirement: is there still some basis for this (single entry in load-balance or failover situations)?