Re: Son of IKE: A proposal for moving forward

[Paul Hoffman / VPNC <paul.hoffman@xxxxxxxx>]

Stuart, how does the scenarios you describe *not* fit into the VPN 
scenarios listed in the requirements document? I don't see anything 
in your requirements that wouldn't be considered a pretty typical VPN.

At 9:14 AM -0400 6/13/02, Stuart Jacobs wrote:
> Verizon is in the process of developing the security architecture 
> for it's next generation networks.  Given the magnitude of these 
> networks and FCC requirements for open access, we must have the 
> ability to universally establish strongly authenticated identities 
> of communicating network elements.  This authentication must be able 
> to span many trust domains, be continuous to avoid any chance of 
> session hi-jacking and scale to millions of nodes.  IPsec, coupled 
> with PKI, is the only technology that can even begin to meet our 
> needs.
>
> We are relying on this WG to include in it's scope mechanisms that 
> allow two network elements, regardless of their functions within a 
> network, to be able to use IKE and ISAKMP, with PKI based X.509 
> certs, to establish one or more SAs that these two elements can then 
> use to continuously authenticate, and optionally encrypt for 
> confidentiality, UDP, TCP or SCTP transport layer communication 
> sessions.  This fundmental capability is critical for our use of IP 
> technology for the transport of SS7 traffic, VoIP application 
> signalling, (G)MPLS control plane signalling and OAM&P traffic.

--Paul Hoffman, Director
--VPN Consortium