
IPsec Remote Access Requirements

This document covers the requirements and configuration for IPsec remote access, including endpoint authentication, security policy configuration, and mobility issues. It also discusses the scenarios and common requirements for IRAC and IRAS.

crotty

Presentation Transcript


  1. IPsec Remote Access Requirements
     Scott Kelly
     IPsec Remote Access Working Group
     47th IETF

  2. Current Draft Terminology
     • IRAC - IPsec Remote Access Client
     • IRAS - IPsec Remote Access Server
     • SGW - Security GateWay
     • VIP - Virtual IP address

  3. Requirements Classes
     • Endpoint Authentication
     • Remote Host Device Configuration
     • Security Policy Configuration
     • Mobility

  4. Endpoint Authentication
     • Machine Authentication
     • User Authentication
     • Combination Machine/User Authentication
     • Legacy Compatibility

  5. Remote Host Device Configuration

  6. Security Policy Configuration
     • Remote Client (IRAC)
       • unrestricted vs restricted internet access while accessing corporate network
       • permit/deny access to other corporate hosts
     • Server (IRAS/SGW)
       • dynamic update of policies based on client identity vs. static address-based policies

  7. Mobility Issues
     • Client
       • IP address may change during session due to DHCP lease expiration
     • Server
       • Not clear if there are issues here or not

  8. Scenarios Overview
     • dialup/dsl/cablemodem telecommuters
     • extranet users calling home from another corporate net
     • road warriors using arbitrary ISP dialup account
     • roaming wireless users (?)
     • borrowers (airport kiosk)
     • local corp to extranet partner (?)
     • remote user to remote user (?)

  9. Common Requirements
     • User-level authentication usually required for IRAC; user/machine auth sometimes useful
     • Machine authentication always required for IRAS
     • Device configuration for IRAC almost always useful
     • Some sort of dynamic policy configuration for IRAC is required
     • Dynamic policy configuration for IRAS may be required
