Nortel 4134 用户指南
52
IPsec VPN fundamentals
more scalable solution than PreShared Key authentication. Each gateway
provides a digital signature of the negotiation to the other side. Verification
of the signature provides authentication of the peers.
provides a digital signature of the negotiation to the other side. Verification
of the signature provides authentication of the peers.
In order to perform signature based authentication, each security gateway
needs access to the public key of the peer. The public key information is
exchanged between the gateways by exchanging digital certificates.
needs access to the public key of the peer. The public key information is
exchanged between the gateways by exchanging digital certificates.
A Public Key Infrastructure (PKI) is required to verify the authenticity of the
peers. The PKI assumes that a Certificate Authority that is trusted by both
peers is available to create digital certificates.
peers. The PKI assumes that a Certificate Authority that is trusted by both
peers is available to create digital certificates.
A Certificate Authority (CA) issues digital certificates conforming to the
X.509 format. A digital certificate contains the credentials and public key
information of an entity that is endorsed by the CA using a digital signature.
X.509 format. A digital certificate contains the credentials and public key
information of an entity that is endorsed by the CA using a digital signature.
To validate the exchanged certificates, the two security gateways must have
a mutually trusted CA.
a mutually trusted CA.
Each gateway can confirm that the CA validates the identity of the other
member. To validate the certificate of the peer, each member checks the
certificate revocation list (CRL) issued by the CA. If the peer certificate is
not on the CRL, then it is assumed to be valid.
member. To validate the certificate of the peer, each member checks the
certificate revocation list (CRL) issued by the CA. If the peer certificate is
not on the CRL, then it is assumed to be valid.
The maximum number of CA certificates supported on the SR4134 is 10.
The maximum number of self certificates supported on the SR4134 is 10
The maximum number of self certificates supported on the SR4134 is 10
Internet X.509 PKI certificate and CRL profile
The SR4134 supports RFC2459, which describes the X.509 v3 certificate
format. The RFC also defines the X.509 v2 CRL format and extension set.
The SR4134 only supports the following CRL extensions:
format. The RFC also defines the X.509 v2 CRL format and extension set.
The SR4134 only supports the following CRL extensions:
•
Key Usage
•
Subject Alternative Name
•
CRL Distribution Points
Certificate validation
With PKI, the security gateways need to verify the validity of the digital
certificates exchanged during IKE negotiation. A certificate is revocable by
the CA for a variety of reasons, for example, at the request of a user if the
private key is compromised.
certificates exchanged during IKE negotiation. A certificate is revocable by
the CA for a variety of reasons, for example, at the request of a user if the
private key is compromised.
In order confirm the validity of the certificate, the CA periodically publishes
a certificate revocation list (CRL) which contains the list of serial numbers
of the revoked certificates.
a certificate revocation list (CRL) which contains the list of serial numbers
of the revoked certificates.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600
01.02
Standard
10.0
3 August 2007
Copyright © 2007, Nortel Networks
.