4.4.3.2. IKE Peer Authentication Data
Once a PAD entry has been located by an ordered search of the PAD on the ID field, it is necessary to verify the asserted identity, i.e., to authenticate the asserted ID. Each PAD entry indicates the type of authentication to be performed for the peers it covers.
Required Authentication Data Types
This document requires support for two authentication data types:
- X.509 certificate
- Pre-shared secret
X.509 Certificate Authentication
For authentication based on an X.509 certificate, the PAD entry contains a trust anchor via which the end entity (EE) certificate for the peer must be verifiable, either directly or via a certificate path. See RFC 3280 for the definition of a trust anchor.
An entry used with certificate-based authentication MAY include additional data to facilitate certificate revocation status checking, e.g.:
- A list of appropriate OCSP responders or CRL repositories
- Associated authentication data
Pre-Shared Secret Authentication
For authentication based on a pre-shared secret, the PAD contains the pre-shared secret to be used by IKE.
IKE ID and Certificate Field Matching
This document does not require that the IKE ID asserted by a peer be syntactically related to a specific field in an end entity certificate that is employed to authenticate the identity of that peer. However, it often will be appropriate to impose such a requirement, e.g., when a single PAD entry represents a set of peers each of whom may have a distinct SPD entry: without the requirement, any peer holding a certificate verifiable via that entry's trust anchor could assert the ID of another peer in the set and be processed under that peer's SPD entry.
Implementation requirement: implementations MUST provide a means for an administrator to require a match between an asserted IKE ID and the subject name or subject alt name in a certificate.
- Matching against the subject name is applicable to IKE IDs expressed as distinguished names
- Matching against the subject alt name is appropriate for DNS names, RFC 822 e-mail addresses, and IP addresses
- Since KEY ID is intended for identifying a peer authenticated via a pre-shared secret, there is no requirement to match this ID type to a certificate field
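As an added example (not text from the RFC or code from any IPsec implementation), the following Python models the processing described in this section: an ordered PAD whose entries carry either a trust anchor (with optional OCSP responder data) or a pre-shared secret, the authentication step that follows a successful lookup, and the administrator-settable requirement that an asserted IKE ID match the subject name (for distinguished names) or subjectAltName (for DNS names, RFC 822 addresses and IP addresses), with KEY ID exempt. Certificates are modelled as plain records rather than X.509 DER, path validation is reduced to direct issuance by the trust anchor, HMAC-SHA256 over a transcript stands in for IKE's real AUTH computation, and every name, host and secret is constructed for the example.

```python
"""Model of PAD lookup and IKE peer authentication (RFC 4301, 4.4.3.2).

Added example, not code from the RFC or any IPsec implementation.  Assumed
simplifications: certificates are plain records (subject DN, issuer DN, SAN
entries), path validation is reduced to "issued directly by the trust
anchor", and the pre-shared-secret proof is HMAC-SHA256(psk, transcript)
rather than IKE's real AUTH computation.
"""
import hmac
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# IKE ID types named in the section.
ID_DER_ASN1_DN = "ID_DER_ASN1_DN"
ID_FQDN = "ID_FQDN"
ID_RFC822_ADDR = "ID_RFC822_ADDR"
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_KEY_ID = "ID_KEY_ID"

# subjectAltName kind each non-DN ID type is matched against; DN IDs are
# matched against the subject name, and KEY_ID has no certificate field.
SAN_KIND = {ID_FQDN: "dns", ID_RFC822_ADDR: "email", ID_IPV4_ADDR: "ip"}


@dataclass(frozen=True)
class Cert:
    subject_dn: str
    issuer_dn: str
    san: Tuple[Tuple[str, str], ...] = ()  # (kind, value) pairs


@dataclass
class PadEntry:
    id_type: str
    id_value: str                          # exact value or glob, e.g. "*.example.com"
    auth: str                              # "x509" or "psk"
    trust_anchor_dn: Optional[str] = None
    require_id_match: bool = False         # administrator-imposed match requirement
    ocsp_responders: Tuple[str, ...] = ()  # optional revocation-checking data
    psk: Optional[bytes] = None


def lookup_pad(pad, id_type, id_value):
    """Ordered search of the PAD: the first entry whose ID matches wins."""
    for entry in pad:
        if entry.id_type == id_type and fnmatchcase(id_value, entry.id_value):
            return entry
    return None


def id_matches_cert(id_type, id_value, cert):
    """Compare the asserted IKE ID with the certificate field fitting its type."""
    if id_type == ID_DER_ASN1_DN:
        return cert.subject_dn == id_value
    kind = SAN_KIND.get(id_type)
    if kind is None:  # ID_KEY_ID or an unknown type: nothing to match
        raise ValueError(f"{id_type} has no certificate field to match")
    return (kind, id_value) in cert.san


def psk_proof(psk, transcript):
    """Stand-in for the IKE AUTH value derived from a pre-shared secret."""
    return hmac.new(psk, transcript, "sha256").digest()


def authenticate(entry, id_type, id_value, cert=None, transcript=None, auth_payload=None):
    """Authenticate the asserted ID with the method the PAD entry prescribes."""
    if entry.auth == "psk":
        if entry.psk is None or transcript is None or auth_payload is None:
            return False
        return hmac.compare_digest(psk_proof(entry.psk, transcript), auth_payload)
    if entry.auth == "x509":
        # Real code validates the signature chain to the trust anchor and, if
        # configured, checks revocation via entry.ocsp_responders.
        if cert is None or cert.issuer_dn != entry.trust_anchor_dn:
            return False
        if entry.require_id_match and id_type != ID_KEY_ID:
            return id_matches_cert(id_type, id_value, cert)
        return True
    return False


def check_peer(pad, id_type, id_value, **proof):
    """PAD lookup followed by authentication; False if either step fails."""
    entry = lookup_pad(pad, id_type, id_value)
    return entry is not None and authenticate(entry, id_type, id_value, **proof)


# Constructed sample data: an ordered PAD and one peer certificate.
CA_DN = "CN=Example Corp VPN CA,O=Example Corp"
PAD = [
    # Exact entry for one gateway with no match requirement: any certificate
    # chaining to CA_DN is accepted for this ID.
    PadEntry(ID_FQDN, "gw1.example.com", "x509", trust_anchor_dn=CA_DN,
             ocsp_responders=("http://ocsp.example.com",)),
    # One entry for a set of peers: the match requirement stops peer A from
    # asserting peer B's ID using A's own certificate.
    PadEntry(ID_FQDN, "*.example.com", "x509", trust_anchor_dn=CA_DN,
             require_id_match=True),
    PadEntry(ID_KEY_ID, "branch-17", "psk", psk=b"constructed-shared-secret"),
]
PEER_CERT = Cert(subject_dn="CN=rw42.example.com,O=Example Corp", issuer_dn=CA_DN,
                 san=(("dns", "rw42.example.com"), ("email", "rw42@example.com")))
```

With this PAD, `check_peer(PAD, ID_FQDN, "rw42.example.com", cert=PEER_CERT)` succeeds because the wildcard entry requires an ID match and the certificate's subjectAltName carries that DNS name, while `check_peer(PAD, ID_FQDN, "rw99.example.com", cert=PEER_CERT)` fails even though the same certificate chains to the trust anchor. The `gw1.example.com` entry, which sets no match requirement, accepts that certificate for the gateway's ID, which is the exposure the match requirement exists to close. Because the search is ordered, the exact entry must precede the wildcard entry for the distinct policies to take effect.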
References
See IKEv1 [HarCar98] and IKEv2 [Kau05] for details of how IKE performs peer authentication using certificates or pre-shared secrets.
This document does not mandate support for any other authentication methods, although such methods MAY be employed.