Client Certificate and Key Retrieval for IKE

Bellovin, Steven Michael; Moskowitz, Robert G.

IKE was designed for use with certificates. In a remote access scenario, that implies that clients must possess their own certificates. We leverage off of work already done to fast-start certificate use with IPsec via the Simple Certificate Enrollment Protocol [SCEP]. We use only parts of SCEP over a client authenticated TLS/HTTP connection to a CA. By using TLS, the client can trust a CA root certificate it receives, without an out-of-band verification and the CA can perform automatic enrollment. We replace the out-of-band client identification process for a certificate enrollment with a legacy authentication, like RADIUS. Further, since the certificates issued here are short-lived, there is no need to support client-based revocation or rekeying. Also, there is typically no need for CRL support.



  • thumnail for draft-ietf-ipsra-getcert-00.txt.pdf draft-ietf-ipsra-getcert-00.txt.pdf application/pdf 21 KB Download File

More About This Work

Academic Units
Computer Science
Internet Engineering Task Force
Published Here
June 30, 2010