
ETSI - TS 103 523-5

CYBER; Middlebox Security Protocol; Part 5: Enterprise Network Security

active, Most Current
Organization: ETSI
Publication Date: 1 December 2021
Status: active
Page Count: 27
Scope:

The present document specifies a protocol implementation profile to enable secure communication between IPsec-protected network endpoints while enabling network operations. The Enterprise Network Security (ENS) profile depends on two protocols in the IPsec family of protocols. First, Internet Key Exchange Protocol Version 2 (IKEv2) [1] is used to establish Security Associations (SAs). In this profile, when certificates are used to provide authentication in IKEv2, those certificates include an extension to provide notice that this profile is being used. Second, the IP Encapsulating Security Payload (ESP) [i.2] is used to encrypt packets.

This profile describes two deployment scenarios. In the first one, one of the IPsec peers is inside the enterprise and the other one is outside the enterprise. In the other scenario, both IPsec peers are inside the enterprise. This profile describes the Diffie-Hellman key exchange, and it specifies the certificate extension that provides visibility information to indicate that the ENS profile is being used.

The actions the IPsec peers take upon receiving the visibility information in the certificate extension, and the structure of the policy included in the visibility information, are not normatively defined; however, capabilities for an optional "Enterprise Network Security aware IPsec peer" are defined. The means by which the IPsec endpoints obtain the longer-lived Diffie-Hellman public/private key pairs is specified, and some examples are provided.

A variant of the ENS profile is also provided to enable visibility in circumstances where the operator of an IPsec peer has been informed by other means that packets can be decrypted and inspected.

The present document also includes the security guarantees made by the ENS profile, based on the security guarantees of the IPsec family of protocols.

Document History

TS 103 523-5
December 1, 2021
CYBER; Middlebox Security Protocol; Part 5: Enterprise Network Security
