IKE-PKI white paper in CA, EM and NE

 

 
 
1.         MDM PKI Interface with SSM
In order to setup, query and remove the Ipsec/IKE and PKI on the local workstation, both MDM and SSM will manipulate the solaris IP security database. The interface between MDM and SSM is mainly on the Solaris Ipsec IKE and PKI config files and its daemon. The behaviours of MDM and SSM manipulation are compatible with Solaris standard in term of the file format and patterns used.
1.1      Provisioning Interface
1.1.1     ike.config
The /etc/inet/ike/config file, which is configuration file for IKE policy, contains rules for matching inbound IKE requests. It also contains rules for preparing outbound IKE requests.
The ike.config is the most important interface between MDM and SSM:
·         Either MDM or SSM could create, duplicated, append, removal, chmod etc.
·         MDM will create this file if it does not exist (at IKE preshared key), else, it will append/edit it.
·         SSM could create it for MDM at rsasig if it does not exit.
·         Shared the items definition and values
 
1.1.1.1      Interaction overview
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

ike.config items
definition
Impact SSM
Impact MDM
Global parameters shared by MDM and SSM
p1_nonce_len 
Nonce length of Phase1 negotiation
 Y
Y
########
## Global parameters
cert_root and cert_trust required for MDM/MSS IKE rsasig.
.
Y
Y
cert_root "CN=PKBRoot01, ST=North Carolina,
 C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot01, ST=North Carolina,
C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls 
To ignore the CRL( Cert Revocation List)
ignore_crls for root CAs
 
Y
Y
#
## Phase 1 transform defaults
 
 
 
p1_lifetime_secs 28800 
IKE phase1 SAs lifetime
Y
Y
SSM appended entries ( for instance, default phase1 xform)
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
 
Default Phase1 transform
 
Y
N
MDM appended IKE preshared rules
{
label INDEXID_1
Label used as the search string. for in.iked to looks up phase 1 policy rules
Y
Y
local_id_type ip
The type of local address.
 SS N**
(SSM could display it at M GUI)
local_addr 47.154.135.86
local Ip address
remote_addr 47.154.135.81
remote ip address
p2_pfs 2
p2_lifetime_secs 28800
oakley group and the phase2 SAs lifetime, used for P2 negotiation,
p1_xform { p1_lifetime_secs 86400 auth_method
preshared oakley_group 1 auth_alg sha1 encr_alg des}
}
The transform of phase1 with authenticated by preshared
 
MDM appended IKE rsasig rules
{
label INDEXID_2
Label used as the search string. for in.iked to looks up phase 1 policy rules
Y
Y
local_id_type dn
The local id type, “dn” means the DNX.509 distinguished name
N
 
Y
 
local_addr 47.154.135.86
local IP address
local_id "CN=SSM0 47.154.135.86, ST=North Carolina
, C=US, L=Research Triangle Park, O=Security, OU=3X20"
The DNX.509 distinguished name 
Y
remote_addr 47.154.136.69
IP address of the remote entry with IPv4 format
 
N
 
remote_id ""
Use remote_addr for access control. when null means “take any,”
p2_pfs 1
oakley group used for P2 negotiation,
p1_xform { p1_lifetime_secs 86400 auth_method
 rsa_sig oakley_group 1 auth_alg sha1 encr_alg des}
}
P1’s transform information ;
 

 
1.1.1.2      Interaction details
 

ike.config items
definition
Interaction details/Issues
Solution
Global parameters shared by MDM and SSM
p1_nonce_len 20   
Nonce length of Phase1 negotiation
 
 
MSS requires 20 for MDM-MSS IKE rsasig relationship.
SSM sets it to 40 as SPFS required.
MDM forces it to 20
SSM must not overwrite it if it’s not null.
cert_root "CN=PKBRoot01, ST=North Carolina,
 C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot01, ST=North Carolina,
C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_root and cert_trust required for MDM/MSS IKE rsasig.
.
Appended by SSM after the certs generated/installed for MDM.
Removed by SSM after the MDM certs were removed
MDM does not touch it
ignore_crls 
To ignore the CRL( Cert Revocation List)
ignore_crls for root CAs (as given in cert_root)
 
SSM appended it.
If not exist, MDM will append it.
 
p1_lifetime_secs 28800 
IKE phase1 SAs lifetime, it’s global and could be override by values in the rule entry
 
SSM sets it to 28800, MDM requires 86400 by default.
 
If does not exist, MDM will append that item with 86400.
No matter the value, MDM sets p1_lifetime to 86400 per IKE rule locally.
 
SSM appended entries ( for instance, default phase1 xform)
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
## Defaults that individual rules can override.
 
Added by SSM . It is from SSPFS installation
No action required for MDM
 
MDM appended IKE preshared rules
{
label INDEXID_1
Label used as the search string. for in.iked to looks up phase 1 policy rules
SSM required INDEXID_x, where x is the integer identical among this file.
MDM follows SSM’s rule.
local_id_type ip
The type of local address.
No action required for SSM
 
 
MDM always set to “ip” if IKE preshared
local_addr 47.154.135.86
local Ip address
These values are set by MDM ike scripts, either from the operator input or the system derived.
 
remote_addr 47.154.135.81
remote ip address
p2_pfs 2
p2_lifetime_secs 28800
oakley group and the phase2 SAs lifetime, used for P2 negotiation,
p1_xform { p1_lifetime_secs 86400 auth_method
preshared oakley_group 1 auth_alg sha1 encr_alg des}
}
The transform of phase1 with authenticated by preshared
 
{
The IKE rsasig rule added by MDM IKE provisioning scripts
 
These IKE rules appended would be displayed by SSM GUI.
Added by MDM
Removed by MDM when deletion
MDM appended IKE rsasig rules
label INDEXID_2
See above for label
 
 
local_id_type dn
The local id type, “dn” means the DNX.509 distinguished name
No action required for SSM
SSM should not touch it.
MDM always set it to  “dn” if at rsasig.
local_addr 47.154.135.86
local IP address
 
 
local_id "CN=SSM0 47.154.135.86, ST=North Carolina
, C=US, L=Research Triangle Park, O=Security, OU=3X20"
The DNX.509 distinguished name 
SSM must modify it when MDM certs were replaced/revoked.
 
 
MDM sets its value firstly by retrieving it from the local workstation
Removed by MDM when delete IKE rules
 
 
remote_addr 47.154.136.69
IP address of the remote entry with IPv4 format
No action required for SSM.
SSM should not touch it.
Set by MDM
remote_id ""
Use remote_addr for access control. when null means “take any”
No action required for SSM
SSM should not touch it.
Set by MDM
p2_pfs 1
oakley group used for P2 negotiation
No action required for SSM
SSM should not touch it.
 
this value is set by MDM ike scripts( the operator)
 
p1_xform { p1_lifetime_secs 86400 auth_method
 rsa_sig oakley_group 1 auth_alg sha1 encr_alg des}
}
P1’s transform information
 
 
No action required for SSM
SSM should not modify them.
 
 
 
All these name-value pairs are set by MDM IKE scripts. MDM sets p1_lifetime locally here at rule entry.

 
 
1.1.1.3      Scenario 1: Create ike.config if does not exist
The in.iked refuses to start if this file is missed.
MDM ike scripts will create this file at first with permission 755 if it does not exist.
SSM will create this file when putting data to it( such as generate/install certs)
 
1.1.1.4      Scenario 2: IKE PSK only
Here is the sample file after MDM Ike phase1 provisioned with preshared:
p1_lifetime_secs 86400
p1_nonce_len 20 
########
{
label
INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.136.69
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des}
}
1.1.1.5      Scenario 3 : certs installed by SSM when IKE PSK already provisioned
If the ike phase1 preshared key provisioned already, using the SSM GUI to generate and install certs for MDM, here is the ike.config should look like:
p1_nonce_len 20
## Global parameters 
cert_root "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800  
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0

--->The following is used by MDM:
#
{
label INDEXID_1
local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.136.69
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 2 auth_alg md5 encr_alg 3des}
}
~
 
1.1.1.6      Scenario 4: IKE rsasig provisioned from none security
 Here is the example if the MDM IKE rsasig provisioned from none security
p1_nonce_len 20
## Global parameters
cert_root "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot0000, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
{
label INDEXID_1
local_id_type dn
local_addr 47.154.135.85
local_id "CN=SSM0 47.154.135.85, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
remote_addr 47.154.136.135
remote_id ""
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 2 auth_alg sha1 encr_alg des}
}
1.1.1.7      Scenario 5: IKE transition from PSK to rsasig
The config file, ike.config used the same as the IKE rsasig provisioned from none security
 
1.1.1.8      Scenario 6: IKE rsasig with IKE PSK co-existence
IKE PSK and IKE rsasig together after MDM ike phase1 provisioned, Here the IKE rsasig and preshared rule refers to the different remote entries
p1_nonce_len 20
########
## Global parameters
cert_root "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
cert_trust "CN=PKBRoot01, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
ignore_crls
#
## Phase 1 tranform defaults
p1_lifetime_secs 28800
#
## Defaults that individual rules can override.
p1_xform
{ auth_method preshared oakley_group 1 auth_alg sha encr_alg 3des }
p2_pfs 0
#
{
label  INDEXID_1

local_id_type ip
local_addr 47.154.135.86
remote_addr 47.154.135.81
p2_pfs 2 p2_lifetime_secs 28800
p1_xform { p1_lifetime_secs 86400 auth_method preshared oakley_group 1 auth_alg sha1 encr_alg des}
}
{
label INDEXID_2
local_id_type dn
local_addr 47.154.135.86
local_id "CN=SSM0 47.154.135.86, ST=North Carolina, C=US, L=Research Triangle Park, O=Security, OU=3X20"
remote_addr 47.154.136.69
remote_id ""
p2_pfs 1
p1_xform { p1_lifetime_secs 86400 auth_method rsa_sig oakley_group 1 auth_alg sha1 encr_alg des}
}
~
 
1.1.2     Public keys used by MDM
Public keys used by MDM are stored at /etc/inet/ike/publickeys
The /etc/inet/ike/publickeys directory contains the public part of a public-private key pair and its certificate in files, or “slots”, which is protected at 0755(not changeable other than root).  The “ikecert certdb” command to populate the directory.
 
MDM ike_add_phase1 (at rsasig mode) will check the existence of the public keys by /usr/sbin/ikecert certdb –l before it’s going further on the config of IKE phase 1 rules.
This dir is filled by SSM when generation certs for MDM.
These files should get updated by SSM if the certs were replaced /deleted.
 
1.1.3     Private keys used by MDM
MDM’s private keys are stored at /etc/inet/secret/ike.privatekeys.
The ike.privatekeys directory holds private key files that are part of a public-private key pair, keying material for ISAKMP SAs. The directory is protected at 0700. The private key in this database must have a public key counterpart in the publickeys database.The ikecert certlocal command populates this directory. Private keys are not effective until their public key counterparts, self-signed certificates or CAs, are installed in the /etc/inet/ike/publickeys directory.
 
MDM application does not populate it explicitly, it relies on the SSM at the succession PKI framework (with CM) to own it(create/remove and permission).
This dir is filled by SSM when generation certs for MDM.
These files should get updated by SSM if the certs replaced/deleted.
1.1.4     in.iked
in.iked is the Solaris ike daemon shared by MDM, SSM so far.
In order to get the privilege to manipulate the IKE database, when provisioning IKE between MDM and MSS such as adding ike phase1 and removal of them. MDM would restart the in.iked with privilege 2if it’s not running or running without proper right.
1.1.4.1      To get the privilege:
"/usr/sbin/ikeadm get priv",
The privilege level should be 2(can access keying materials), if not, MDM will kill and start it again.
 
1.1.4.2      To kill it:
/usr/bin/pkill in.iked
1.1.4.3      To start it:
IKE daemon is started with privilege 2 as the following:
/usr/lib/inet/in.iked -p 2
 
1.1.5     ipsec config file
The ipsecconf file, located at /etc/inet/ipsecinit.conf, is shareable between MDM and SSM.
At MDM: Used for manual key SAs config (mdm_pki_initial and ipsec***) and IKE phase2 policies
At SSM: Used for config IKE phase 2 policies
SSM is enhanced to support the 2 patterns of ipsec policy entry: pattern1 and pattern2, so the Ipsec policies, provisioned by MDM, will be displayed correctly at SSM GUI.
These two ipsec policy entry: pattern1 and pattern as:

 

         pattern_name_value_pair1 ::=

 

             saddr <address>/<prefix> |

 

             src <address>/<prefix> |

 

             srcaddr <address>/<prefix> |

 

             smask <mask> |

 

             sport <port> |

 

             daddr <address>/<prefix> |

 

             dst <address>/<prefix> |

 

             dstaddr <address>/<prefix> |

 

             dmask <mask> |

 

             dport <port> |

 

             ulp <protocol> |

 

             proto <protocol>

 

 

 

          pattern_name_value_pair2 ::=

 

             raddr <address>/<prefix> |

 

             remote <address>/<prefix> |

 

             rport <port> |

 

             laddr <address>/<prefix> |

 

             local <address>/<prefix> |

 

             lport <port> |

 

             ulp <protocol> |
 
1.1.6     ipseckeys
Ipsec Keys, one of the config file for manual Ipsec, located at /etc/inet/secret/.
SSM does not make use of it since it does not support manual key Ipsec. MDM manipulates it as the following MDM scripts:
 
PKI involved (used for protection TCP829 for CMP messages)
·         mdm_pki_initial_script
·         pki_decommissioning_script
 
The example of the /etc/inet/secret/ipseckeys after the mdm_pki_initial looks like:
=====example Content of /etc/inet/secret/ipseckeys=====
add esp spi 691 proto 6 src 47.154.135.141 sport 829 dst 47.154.136.69 encralg aes encrkey d70c26a909cb52e41432e42ce1eea9a9 authalg sha1 authkey 66ea64653dea86a
5d00f90ce14b3e188991360d7
add esp spi 690 proto 6 dst 47.154.135.141 dport 829 src 47.154.136.69 encralg aes encrkey d70c26a909cb52e41432e42ce1eea9a9 authalg sha1 authkey 66ea64653dea86a
5d00f90ce14b3e188991360d7
#
#ident  "@(#)ipseckeys.sample   1.1     01/09/28 SMI"
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
 
# ipseckeys - This file takes the file format documented in ipseckey(1m).
#             Note that naming services might not be available when this file
#             loads, just like ipsecinit.conf.
#
# This file should be copied into /etc/inet/secret/ipseckeys to load the
# IPsec Security Association Database (SADB).  A side-effect of this is that
# IPsec kernel modules will load.
=====End of example Content /etc/inet/secret/ipseckeys=====
 
 
1.2      Messages Follow
There are no messages flowing within MDM and SSM tool. They both invoked PKBClient to communication with CM.
2.         MDM PKI Interface with MSS
2.1      Supported IKE parameters and their scope
 
2.1.1     IKE attribute supported
 
2.1.1.1      For phase1 rule:
Following is the attributes and their values supported by ike phase1:
 

Parameters
Values
-p1_pfs
<1|2>
-p1_lifetime
<1800-172800> seconds
-enc_alg
<des|3des>
-auth_alg
<md5|sha1>
-p2_pfs
<0|1|2>
-p2_lifetime
<1800-172800> seconds

 
 
2.1.1.2      For phase2 rule:
Following is the attributes and their values supported by ike phase2:
 

Parameters
Values
-proto
<udp|tcp|icmp|any>
-srcPort
-dstPort 
Port must be one of: any, ftpdata, ftp, telnet, ntp, snmp, ike, pki, rip, radius, fmip, 1-19, 22-24, 124-160, 162-499, 501-519, 521-828, 830-1811, 1813-5927, 5929-65535
-enc_alg
<des|3des|aes|none>
-auth_alg
<md5|sha1>
-p2_pfs
<0|1|2>
-p2_lifetime
<1800-172800> seconds
-antiReplay
<on|off>

 
 
2.1.1.3      Attributes Combination
Here is their combination supported from MSS design doc [CD5054 MD-2004.0387]:
For Phase 1, authentication has to be there as per the RFC. The MSS IKE supports the following combinations for encryption-authentication for the Phase 1 transforms:
    • DES-SHA1
    • DES-MD5
    • 3DES-SHA1
    • 3DES-MD5
For Phase 2 proposals, MSS IKE supports the following combinations for encryption-authentication:
    • none-SHA1
    • none-MD5
    • DES-SHA1
    • DES-MD5
    • 3DES-SHA1
    • 3DES-MD5
    • AES-SHA1 1
The above can be supported with Diffie-Hellman group 1 or group 2.
 
2.1.2     Certs related parameters
The MDM certs should generate with the following parameters:
Key-Type: rsa-sha1 or rsa-md5
Key-Size:  2048 or 1024
 
2.1.3     Default values and their scope used by MDM
 
·         Value scope for Phase1 and phase2 lifetime:
MIN_PI_LIFETIME = 1800
MAX_PI_LIFETIME = 172800
MIN_P2_LIFETIME = 1800
MAX_P2_LIFETIME = 172800
 
·         The default values
   DEFAULT_P2_PFS = "2";
   DEFAULT_P1_LIFETIME = "86400";
   DEFAULT_P2_LIFETIME = "28800";
·         The constant values
P1_NONCE_LENGTH 20
 
2.1.4     IKE commissioning parameters
For phase1: enc_alg = 3des, auth_alg = sha1, DHG_Group =2
For phase2:  enc_alg = aes, auth_alg= md5 (for ftpdata) or sha1(others), DHG_group=2
 
2.2      Provisioning Interface
The provisioned interface with MSS is via CAS of the MSS, which will manipulate the components and their attributes, please refer [3] for more. Here is the description on the command used for MDM IKE provisioning scripts:
2.2.1     Procedure to add initial PKI relationship
 
Before the IKE_Add_Phase1 is executed, the operator should ensure the ipsec feature installed on MSS, that is:
 
Here lists the steps to add PKI at MSS part below:
It takes the example as MSS OAM port with IPaddress <RemoteAddress>, and MDM1 with IPaddress <MDMAddress1>, MDM2 with IPaddress <MDMAddress2> for redundancy.
 
These steps should be put in pki_initial_script.
 
 add -s vr/0 ip pmm ip <RemoteAddress>
 set vr/0 ip pmm ca/1 ip <MDMAddress1>
 
 add -s vr/0 ip pmm ca/2 ip <MDMAddress2>
 
# for ssh from the two mdms
 add -s vr/0 ip spd/1 pol/10 dport 22, action bypass, proto tcp, saddr <MDMAddress1>, daddr <RemoteAddress>
 add -s vr/0 ip spd/1 pol/20 sport 22, action bypass, dir out, proto tcp, daddr <MDMAddress1>, saddr        <RemoteAddress>
 add -s vr/0 ip spd/1 pol/30 dport 22, action bypass, proto tcp, saddr <MDMAddress2>, daddr <RemoteAddress>
 add -s vr/0 ip spd/1 pol/40 sport 22, action bypass, dir out, proto tcp, daddr <MDMAddress1>, saddr <RemoteAddress>
 
# for pki messaging from the two mdms
 add -s vr/0 ip spd/1 pol/100 proto tcp, sport pki, saddr <MDMAddress1>, daddr <RemoteAddress>
 add -s vr/0 ip spd/1 pol/101 proto tcp, dport pki, daddr <MDMAddress1>, saddr <RemoteAddress>
 add -s vr/0 ip spd/1 pol/102 proto tcp, sport pki, saddr <MDMAddress2>, daddr <RemoteAddress>
 add -s vr/0 ip spd/1 pol/103 proto tcp, dport pki, daddr <MDMAddress2>, saddr <RemoteAddress>
 
# added the ipsec SAs for the two em_pmm mdms
 
 a -s vr/0 ip spd/1 pol/100 sa/<RemoteAddress>,esp,700
 a -s vr/0 ip spd/1 pol/101 sa/<MDMAddress1>,esp,701
 a -s vr/0 ip spd/1 pol/102 sa/<RemoteAddress>,esp,702
 a -s vr/0 ip spd/1 pol/103 sa/<MDMAddress2>,esp,703
 set vr/0 ip spd/1 pol/100 sa/<RemoteAddress>,esp,700 manespsa encAlg aes, encKey <key>, authAlg sha1, authKey <key>
 set vr/0 ip spd/1 pol/101 sa/<MDMAddress1>,esp,701 manespsa encAlg aes, encKey <key>, authAlg sha1, authKey <key>
 set vr/0 ip spd/1 pol/102 sa/<RemoteAddress>,esp,702 manespsa encAlg aes, encKey <key>, authAlg sha1, authKey <key>
 set vr/0 ip spd/1 pol/103 sa/<MDMAddress2>,esp,703 manespsa encAlg aes, encKey <key>, authAlg sha1, authKey <key>
 
 
2.2.2     Add ike with rsasig
 
These steps should be handled by IKE_Add_Phase1 and IKE_MSS_Commissioning 
The operator would provide the <RemoteAddress> and the <authMethod> (RSA_SIG) in the Commandline.
 
# Add IKE bypass policies
 add -s vr/0 ip spd/1 pol/50 proto udp, dport ike, action bypass, saddr <MDMAddress1>, daddr <RemoteAddress>
 add -s vr/0 ip spd/1 pol/60 proto udp, sport ike, action bypass, daddr <MDMAddress1>, saddr        <RemoteAddress>, dir out
 add -s vr/0 ip spd/1 pol/70 proto udp, dport ike, action bypass, saddr <MDMAddress2>, daddr <RemoteAddress>
 add -s vr/0 ip spd/1 pol/80 proto udp, sport ike, action bypass, daddr <MDMAddress2>, saddr <RemoteAddress>, dir out
 
# Add IKE with the ip address of the OAM port on mss
 add -s vr/0 ip spd/1 ike srcIpAddress <RemoteAddress>
 
# add   pkiClient, also link the pki to pmm
add -s vr/0 ip spd/1 ike pki,linkToPmm Vr/0 Ip Pmm
# link ike policy to pkiClient and set the destination ip address of the Ike policy
 set Vr/0 Ip Spd/1 Ike Policy/1 linkToPkiClient vr/0 ip spd/1 ike pki, dest <MDMAddress1>
 
# refer the Policy to ike Proposal with rsaSig
 set vr/0 ip spd/1 ike pol/1 pfs on
 set Vr/0 Ip Spd/1 Ike Policy/1 ikeProposal Vr/0 Ip Spd/1 ike Proposal/1
(The one default proposal is automatically added under ike)
 set vr/0 ip spd/1 ike prop/1 trans/1 authMethod rsaSig
(The one default transform is also added automatically)
 
2.2.3     IKE Phase2 provisioning
IKE phase2 provisioned as normal, IKE_add_phase2 would be invoked to do that: e.g. below is for any-any ipsec (phase 2)
 
 a -s vr/0 ip spd/1 pol/200 action apply, dir inbound, ikePolicy Vr/0 Ip Spd/1 Ike Policy/1, srcIpAddress <MDMAddress1>, dstIpAddress <RemoteAddress>
 a -s vr/0 ip spd/1 pol/201 action apply, dir outbound, ikePolicy Vr/0 Ip Spd/1 Ike Policy/1, srcIpAddress <RemoteAddress>, dstIpAddress <MDMAddress1>
 a -s vr/0 ip spd/1 prop/1 ipSecPolicyList vr/0 ip spd/1 pol/200 vr/0 ip spd/1 pol/201
 s Vr/0 Ip Spd/1 Proposal/1 Transform/1 diffieHellmanGroup gp1, antiReplay on
 
2.3      Messages Format and Walk through
The message Interface residents within MDM EM_PMM, its south-bound named MSS PMM, and the north bound is CM.
The messages that are supported between EM PMM and MSS PMM are the following:
·         Certification Request
·         Certification Response
·         Key Recovery Request
·         Key Recovery Response
·         Error Message
·         Confirmation
·         Certificate Announcement
Please refer NM0542 Design Specification [5]  for more of the CMP messages definition.
2.4      IKE stack interactive between Solaris and MSS
MSS communicate with Solaris IKE where MDM residents directly, MDM does not change the behaviour, however, since the limitation of the Solaris IKE implementation, there are two interactive issues found and addressed:
2.4.1     IKE SA flush
During the IKE negotiation, the remote entity will reset their SAs and yet the local Solaris maintains the existing SAs until they have expired). When the connection with MSS is lost, the local Phase2 SAs should be flushed as well as the phase1 SA.
 
As a result of that, SFM is enhanced to monitor the connections using ping against with all remote IKE entries,  SFM identifies the remote entries through IKE phase1 SAs or phase2 SAs, then ping them one by one. If un-pingable, the local SAs will be flushed via ike_sa_refresh. The traffic will trigger the re-negotiation of SAs automatically when needed.
 
It applies to IKE both rsasig and preshared.
 
2.4.2     in.iked restarted
The solaris in.iked still refers to the old certs information when the device certs got replaced either from CM GUI or MSS. That will cause the authentication failure for IKE phase1 negotiation, as the result of that, the datapath will be down after the phase2 SAs expiration.
The solution is to restart in.iked at MDM each time the device certs got replaced. (CM/SSM has restarted the in.iked when revoked the MDM certs).
1.     MSS sends CMP error with 123321 error code to indicate the MSS certs replacement occurred, thus the ike daemon at MDM is required to be restarted.
2.     MDM receives the CMP error message then restarts the in.iked
3.     At the redundant MDM, since there is no CMP error message arrived, the SFM is enhanced to take this action (restart in.iked) when the remote is unreachable.
 
 
3.         MDM PKI Interface with CM
When talking about the PKI interface with CM, MDM acts as the proxy CA to MSS,
3.1      Provisioning Interface
None
3.2      Application Programming Interface
See details for pkclient.jar within path com.nortel.sspfssec.pkclient, which is the distribution part of the CM.
 
See Table 20, Table 21 at CM DSUM [ 6] page 120 and Page 121.
 
3.3      Messages Follow
EM_PMM will communication with CM via it’s distribution part: PKBClient, Please refer NM0542 Design Specification [5]  for more of the CMP messages definition.
 
4.         MDM PKI Interface with Solaris
4.1      Provisioning Interface
The provisioning interface, is for the config files of Solaris IP security, see above on MDM PKI interface with SSM.
 
4.2      Application Programming Interface
4.2.1     ikeadm
The ikeadm utility retrieves information from and manipulates the configuration of the IKE    protocol daemon, which is the interface for IKE polices database as well.
Here is the command used by ike provisioned scripts and the argues (please see Solaris man page for details):
/usr/sbin/ikeadm get priv
 
/usr/sbin/ikeadm dump rule
/usr/sbin/ikeadm get rule <id>
/usr/sbin/ikeadm del rule <id>
/usr/sbin/ikeadm write rule /etc/inet/ike/config
 
/usr/sbin/ikeadm read preshared /etc/inet/secret/ike.preshared
/usr/sbin/ikeadm write preshared /etc/inet/secret/ike.preshared
/usr/sbin/ikeadm del preshared <srcAddr> <dstAddr>
/usr/sbin/ikeadm get preshared <srcAddr> <dstAddr>
 
/usr/sbin/ikeadm get p1 <srcAddr> <dstAddr>
/usr/sbin/ikeadm del p1 <srcAddr> <dstAddr>
 
/usr/sbin/ikeadm get stats <srcAddr> <dstAddr>
 
4.2.2     ikecert certdb
To get the local DNX509 cert information:
“/usr/sbin/ikecert certdb –l -v“, then get the subject-name from the “CA: FALSE” flagged entry.
4.2.3     ipsecconf
Ipsecconf is used to config Solaris system wide Ipsec policies. MDM uses it with the following way:
/usr/sbin/ipsecconf
/usr/sbin/ipsecconf -l -n
/usr/sbin/ipsecconf -f
/usr/sbin/ipsecconf -a /etc/inet/ipsecinit.conf
/usr/sbin/ipsecconf -d <indexId>
 
4.2.4     ipseckey
Ipseckey is used to manipulate the Ipsec SA database. MDM uses it as:
/usr/sbin/ipseckey -f /etc/inet/secret/ipseckeys
/usr/sbin/ipseckey -s /etc/inet/secret/ipseckeys
 
/usr/sbin/ipseckey get esp spi <spi> dst <dstAddr>
/usr/sbin/ipseckey delete esp spi <spi> dst <dstAddr>
/usr/sbin/ipseckey dump
 
 
4.3      Messages Follow

MDM does not have IKE messages interactions with local solaris

本文出自 “天马行空” 博客,转载请与作者联系!

你可能感兴趣的:(certificate,PKI,Passport,IKE,PMM)