9.3. Using Certificates in IKE

We did say at the beginning of this chapter that when we finish designing our PKI and certification procedures, we have still not completed the design of the security and authentication services for our network and its clients. The use of certificates within those security and authentication mechanisms must itself be designed properly.

One potentially huge market for PKI and certificates is IPsec-VPN vendors. In order to establish IPsec tunnels, most implementations rely on IKE for the establishment of a secure tunnel that allows IPsec negotiation and key generation to happen in a secure manner. We covered IKE in great detail in Chapter 4 and, as we mentioned there, despite its powerful feature set, IKE does not exempt the designer from the task of dealing with the initial authentication that is required between the two peers that need to establish the IPsec tunnel. We also mentioned the authentication alternatives that IKE provides, including the one based on pre-shared keys and the one based on public keys. The greatest benefit of a PKI is that it eliminates the need for pre-shared pair-wise keys between communicating peers. Hence it would be great if the two peers could present their certificates to each other in order to perform public-key based authentication without having to worry about establishing pre-shared secrets prior to IKE. This would be a great feature for VPN vendors. Showing foresight in this, the IPsec working group specified the content for many ...
