This document covers the requirements and configuration for IPsec remote access, including endpoint authentication, security policy configuration, and mobility issues. It also discusses the scenarios and common requirements for IRAC and IRAS.
IPsec Remote Access Requirements
Scott Kelly
IPsec Remote Access Working Group
47th IETF

Current Draft Terminology
• IRAC - IPsec Remote Access Client
• IRAS - IPsec Remote Access Server
• SGW - Security GateWay
• VIP - Virtual IP address

Requirements Classes
• Endpoint Authentication
• Remote Host Device Configuration
• Security Policy Configuration
• Mobility

Endpoint Authentication
• Machine Authentication
• User Authentication
• Combination Machine/User Authentication
• Legacy Compatibility

Security Policy Configuration
• Remote Client (IRAC)
  • unrestricted vs restricted internet access while accessing corporate network
  • permit/deny access to other corporate hosts
• Server (IRAS/SGW)
  • dynamic update of policies based on client identity vs. static address-based policies

Mobility Issues
• Client
  • IP address may change during session due to DHCP lease expiration
• Server
  • Not clear if there are issues here or not

Scenarios Overview
• dialup/dsl/cablemodem telecommuters
• extranet users calling home from another corporate net
• road warriors using arbitrary ISP dialup account
• roaming wireless users (?)
• borrowers (airport kiosk)
• local corp to extranet partner (?)
• remote user to remote user (?)
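The two policy-configuration points above (identity-based dynamic policy on the IRAS/SGW versus static address-based policy, and the client's outer address changing mid-session when a DHCP lease expires) can be made concrete with a small model. The following Python is an added illustration, not code from the slides or from the working group; the corporate prefix, the user profiles, the VIP and the ISP addresses are all constructed sample values, and the "profile" table stands in for whatever AAA or directory source a real IRAS would consult.

```python
"""Added illustration: per-client IPsec policy derived from the authenticated
identity and the assigned VIP, contrasted with a policy keyed on the client's
outer (ISP) address.  All addresses, identities and profiles are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")       # hypothetical corporate address space
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One SPD-style entry: traffic selector (src, dst) and the action to apply."""
    src: IPv4Network
    dst: IPv4Network
    action: str  # "protect" (tunnel via SGW), "bypass" (send in clear), "discard"


@dataclass
class Session:
    identity: str           # authenticated user, e.g. from IKE ID or legacy auth
    vip: IPv4Address        # virtual IP handed out by the IRAS (device configuration)
    outer_ip: IPv4Address   # address currently used on the ISP link; may change


# Hypothetical identity -> policy profile mapping (stands in for an AAA/directory lookup).
PROFILES = {
    "alice@example.com": {"restricted_internet": True,
                          "hosts": [ip_network("10.1.0.0/16")]},
    "bob@example.com":   {"restricted_internet": False,
                          "hosts": [CORP_NET]},
}


def dynamic_policy(session: Session) -> list[Rule]:
    """Build this client's SPD from its identity; selectors use the VIP, not the outer IP."""
    prof = PROFILES[session.identity]
    host = ip_network(f"{session.vip}/32")
    rules = [Rule(host, net, "protect") for net in prof["hosts"]]
    # Any other corporate host is denied (permit/deny access to other corporate hosts).
    rules.append(Rule(host, CORP_NET, "discard"))
    # Restricted profile: no internet while connected; unrestricted: internet in the clear.
    rules.append(Rule(host, ANY, "discard" if prof["restricted_internet"] else "bypass"))
    return rules


def static_policy(outer_ip: IPv4Address) -> list[Rule]:
    """Address-based policy: protect everything from this outer address to the corp net."""
    return [Rule(ip_network(f"{outer_ip}/32"), CORP_NET, "protect")]


def lookup(rules: list[Rule], src: IPv4Address, dst: IPv4Address) -> str:
    """First-match SPD lookup; unmatched traffic is discarded."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return "discard"


def mobility_check() -> tuple[str, str, str]:
    """Simulate a DHCP lease change on the client's ISP link.

    Returns (static before change, static after change, dynamic after change)
    for traffic to a permitted corporate host."""
    alice = Session("alice@example.com", ip_address("10.250.0.5"), ip_address("192.0.2.10"))
    corp_host = ip_address("10.1.2.3")
    static = static_policy(alice.outer_ip)
    before = lookup(static, alice.outer_ip, corp_host)
    alice.outer_ip = ip_address("192.0.2.77")     # lease expired, new ISP address
    after_static = lookup(static, alice.outer_ip, corp_host)
    # The dynamic policy keys on the VIP, which the IRAS keeps stable for the session.
    after_dynamic = lookup(dynamic_policy(alice), alice.vip, corp_host)
    return before, after_static, after_dynamic


if __name__ == "__main__":
    bob = Session("bob@example.com", ip_address("10.250.0.6"), ip_address("198.51.100.9"))
    print("bob -> corp host:", lookup(dynamic_policy(bob), bob.vip, ip_address("10.2.0.1")))
    print("bob -> internet :", lookup(dynamic_policy(bob), bob.vip, ip_address("203.0.113.1")))
    print("mobility (static before, static after, dynamic after):", mobility_check())
```

The point of the model is the selector key: a policy indexed by the client's outer address silently stops matching when that address changes, whereas a policy derived from the authenticated identity and indexed by the VIP the IRAS assigned survives the change, which is why the slides list dynamic, identity-based policy as a server requirement rather than an option.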
Common Requirements
• User-level authentication usually required for IRAC; user/machine auth sometimes useful
• Machine authentication always required for IRAS
• Device configuration for IRAC almost always useful
• Some sort of dynamic policy configuration for IRAC is required
• Dynamic policy configuration for IRAS may be required