Chapter 11. Public Key Infrastructure and IPsec VPNs


A Public Key Infrastructure (PKI) entails a system of cryptographic endpoints that use an infrastructure of trusted resources, such as Certificate Authorities (CAs) and Registration Authorities (RAs), to facilitate a cryptographic transaction in a trusted manner. In large enterprise-class IPSec VPN designs, the burden of key management can be overwhelming. As the number of cryptographic endpoints scales upwards, so does the need for a centralized, scalable method of key management between the cryptographic endpoints, or in this case, between the IPSec VPN gateways. A PKI can be used in varying types of cryptographic solutions. However, in the context of IPSec VPN deployments, the PKI entails the following elements:

  • The cryptographic endpoints participating in the PKI are IPSec VPN gateways.

  • The resource trusted by the cryptographic endpoints of the PKI is the PKI Certificate Authority (and optionally, a system of Registration Authorities).

  • The secure transaction that needs to be facilitated in a trusted manner is the exchange of public keys between the cryptographic endpoints for authenticating and encrypting the IKE SA.

Using these elements, PKIs present a comprehensive and scalable design option for secure key management in large-scale IPSec VPN deployments. Cisco IPSec VPN technologies support PKIs using the RSA Signatures method of IKE authentication, which describes an asymmetric authentication and encryption scheme used in the negotiation and operation of Phase 1 SAs. In this chapter, we will discuss a brief history and overview of PKI, then proceed to discuss the advantages of deploying IPSec VPNs using the RSA Signature method of IKE authentication in a PKI architecture.
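The trust relationship the three elements above describe, as an added illustration that is not from the book: a toy RSA-signature peer authentication in which each gateway holds only the CA's public key as its trust anchor and accepts a peer's public key only after checking the CA's signature over the peer's certificate, then checks the peer's signature over the IKE exchange. The Mersenne primes, the key sizes, the certificate layout and the IKE data string are all constructed for the example; real gateways use X.509 certificates, padded signatures and far larger keys.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Toy RSA key from two primes. Sizes here are far too small for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

def pub_of(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):
    # Hash-then-sign; reduced mod n so the toy modulus can carry it (no real padding scheme)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def cert_tbs(subject, pub):
    # The "to-be-signed" part of a toy certificate: an identity bound to a public key
    return f"{subject}|{pub['n']}|{pub['e']}".encode()

def issue_cert(ca_key, subject, pub):
    """Enrollment: the CA vouches for the binding between a gateway name and its key."""
    return {"subject": subject, "pub": pub, "sig": sign(ca_key, cert_tbs(subject, pub))}

def authenticate_peer(ca_pub, cert, ike_data, peer_sig):
    """What a gateway does with a peer's cert and signature in IKE Phase 1 (RSA signatures)."""
    # 1. Trust-anchor check: only certificates signed by the CA we trust are accepted
    if not verify(ca_pub, cert_tbs(cert["subject"], cert["pub"]), cert["sig"]):
        return False
    # 2. Proof of possession: the peer must have signed the exchange with the certified key
    return verify(cert["pub"], ike_data, peer_sig)

# Constructed inputs: Mersenne primes for toy keys, and a stand-in for the IKE Phase 1 data
P = [2**k - 1 for k in (521, 127, 107, 89, 61, 31)]
CA, GW_A, GW_B = make_key(P[0], P[1]), make_key(P[2], P[3]), make_key(P[4], P[5])
IKE_DATA = b"constructed: SAi|KEi|Ni|Nr|IDi for gw-a<->gw-b"

def demo():
    cert_a = issue_cert(CA, "gw-a", pub_of(GW_A))   # gw-a enrolled with the CA
    rogue = issue_cert(GW_B, "gw-a", pub_of(GW_B))  # self-issued cert claiming to be gw-a
    return {
        "genuine": authenticate_peer(pub_of(CA), cert_a, IKE_DATA, sign(GW_A, IKE_DATA)),
        "self_issued_cert": authenticate_peer(pub_of(CA), rogue, IKE_DATA, sign(GW_B, IKE_DATA)),
        "cert_without_key": authenticate_peer(pub_of(CA), cert_a, IKE_DATA, sign(GW_B, IKE_DATA)),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first case passes: a certificate the CA did not sign is rejected at the trust-anchor step, and a genuine certificate presented without its private key fails the proof-of-possession step.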




IPsec Virtual Private Network Fundamentals
ISBN: 1587052075
Pages: 113
