Fwd: Re: Son of IKE: A proposal for moving forward

[Stuart Jacobs <stu.jacobs@xxxxxxxxxxxx>]

> Paul,
>
> We can no longer consider the cabling within our COs as secure given that 
> we are mandated to allow non-Verizon personnel access to, and within, 
> these facilities.  Consequently we need end-to-end SAs between our network 
> elements with the SAs originating/terminating directly on the net 
> interfaces within the elements.  A VPN approach typically is deployed to 
> interconnect two trusted networks over an untrusted third network.  Given 
> that a very high percentage of attachs are initiated by insiders (as 
> documented over the last few years in the CSI surveys)  we cannot assume 
> any network is inherently trustable.  Does that clarify the situation?
>
> Stu
>
> At 6/13/02 09:13 AM, you wrote:
> > Stuart, how does the scenarios you describe *not* fit into the VPN 
> > scenarios listed in the requirements document? I don't see anything in 
> > your requirements that wouldn't be considered a pretty typical VPN.
> >
> > At 9:14 AM -0400 6/13/02, Stuart Jacobs wrote:
> > > Verizon is in the process of developing the security architecture for 
> > > it's next generation networks.  Given the magnitude of these networks 
> > > and FCC requirements for open access, we must have the ability to 
> > > universally establish strongly authenticated identities of communicating 
> > > network elements.  This authentication must be able to span many trust 
> > > domains, be continuous to avoid any chance of session hi-jacking and 
> > > scale to millions of nodes.  IPsec, coupled with PKI, is the only 
> > > technology that can even begin to meet our needs.
> > >
> > > We are relying on this WG to include in it's scope mechanisms that allow 
> > > two network elements, regardless of their functions within a network, to 
> > > be able to use IKE and ISAKMP, with PKI based X.509 certs, to establish 
> > > one or more SAs that these two elements can then use to continuously 
> > > authenticate, and optionally encrypt for confidentiality, UDP, TCP or 
> > > SCTP transport layer communication sessions.  This fundmental capability 
> > > is critical for our use of IP technology for the transport of SS7 
> > > traffic, VoIP application signalling, (G)MPLS control plane signalling 
> > > and OAM&P traffic.
> >
> > --Paul Hoffman, Director
> > --VPN Consortium
>
> ==========================
> Stuart Jacobs CISSP
> PMTS - Sr. Technologist
> Verizon Laboratories
> 40 Sylvan Road Waltham, MA 02451-1128     USA
> telephone: (781) 466-3076   fax: (781) 466-2838
> stu.jacobs@xxxxxxxxxxxx sjj0@xxxxxxxxxxxx  stu.jacobs@xxxxxxxxxxx
> ==========================

==========================
Stuart Jacobs CISSP
PMTS - Sr. Technologist
Verizon Laboratories
40 Sylvan Road Waltham, MA 02451-1128     USA
telephone: (781) 466-3076   fax: (781) 466-2838
stu.jacobs@xxxxxxxxxxxx sjj0@xxxxxxxxxxxx  stu.jacobs@xxxxxxxxxxx
==========================