
Re: Deafening Silence




Ran wrote:
>
>>I also think that the drafts are not concrete enough so that 2
>>implementers would come up with interoperable implementations.
>
>	You make a strong bold claim.  However, there is an existence proof to
>the contrary since interoperability of independently-written implementations
>has ALREADY been shown.  For example, the DRA/Malvern implementation written
>against isakmp-04 talked fine with the cisco UNIX implementation written
>against isakmp-04.  There can be no doubt that the ISAKMP and ISAKMP-Oakley
>specifications are sufficiently concrete to implement.  All the details are
>there, including all of the magic numbers, in a clean easily-read format.
>

Correct me if I am wrong, but the CISCO implementation only covers
the draft-ietf-ipsec-oakley written by CISCO, an EXTREME subset of the
complete ISAKMP and OAKLEY drafts. Is that the required subset?
Why? Don't misunderstand me again. I don't claim you can't write
interoperable implementations of the subset defined in
draft-ietf-ipsec-oakley or in ISAKMP-05. I claim you have problems
if you try to combine the ISAKMP-05 and the complete OAKLEY draft.

Who is implementing that?

Why do I think the drafts are not concrete enough? Only two examples:

- The latest Oakley draft doesn't match the ISAKMP payload formats.
- The ISAKMP draft 5 doesn't define the IP DOI completely.

All these are not major problems, but they need fixing.

Again, if the consent of the working group is
to use the EXTREMELY cut down draft-ietf-ipsec-oakley, please
somebody let me know....

Oliver



Date: Thu, 10 Oct 1996 10:17:21 -0700
From: Ran Atkinson <rja@cisco.com>
Message-Id: <199610101717.KAA06479@cornpuffs.cisco.com>
To: spatsch@cs.arizona.edu
Subject: Re: Deafening Silence
In-Reply-To: <Pine.LNX.3.94.961009202319.13340B-100000@P-spatsch.cs.arizona.edu>
References: <199610092257.SAA08921@MAILSERV-2HIGH.FTP.COM>
Organization: cisco Systems
Cc: ipsec@TIS.COM
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

In article <Pine.LNX.3.94.961009202319.13340B-100000@P-spatsch.cs.arizona.edu>,
	Oliver wrote:

>I would be curious to know who is implementing ISAKMP/Oakley
>at this point (who could interoperate in Jan/97)?

	As I understand it, cisco has 4 distinct implementations (PIX, TGV,
IOS, and the freely distributable UNIX implementation).  The PIX (in Palo
Alto) and TGV (in Santa Cruz) and IOS (in San Jose) parts of cisco are
logically/administratively and geographically separate, with separate staff.
It is not clear to me that the 4 implementations are related or able to share
code.  In particular, IOS is very significantly different from UNIX and so it
is not generally feasible to port any UNIX code into IOS.

	There are several other vendors (e.g. ftp Software, Timestep) working
on ISAKMP/Oakley code.  The auto industry has sent a very clear signal to
vendors about what key management products they plan to purchase
(i.e. ISAKMP/Oakley) and the auto industry purchases a lot of product, so
firms that are trying to make money rather than have technical religion will
probably be shipping ISAKMP/Oakley products in the near-term.  

	I would guess that most UNIX vendors will be using code derived from
the freely-distributable cisco ikmpd(8) implementation on their boxes.  

	My understanding has been that DRA/Malvern (UK) is working on updating
their implementation to match the most recent I-Ds.  Elfed Weaver has
indicated on this list in the past that DRA/Malvern's implementation is
intended to become freely distributable in future (note that it is also a
non-US implementation).  

	I hear word of an implementation in progress built against PF_KEY
underway within the Asia/Pacific region as well.  

	The US DoD has their own implementation and should be ready by January
(NB: their publicly released code might be a subset of their total in-house
code, but it is still an independent implementation).

	There is active discussion of testing ISAKMP/Oakley and IPsec as part
of this December's IPv6 testing at UNH.  In particular, Digital has been
vocally advocating this.  I anticipate that other UNIX vendors will also have
IPsec for IPv6 and ISAKMP/Oakley ready by the next UNH session.

	So let's count up the math.  4 + 2 + 1 + 1 + 1 = 9.  So I'd say that
roughly 9 distinct implementations will probably be testable in the January
1996 timeframe.  Several are being tested in the very near term within
the RSADSI S/WAN activity.  Others will probably be tested in December
at UNH as part of IPv6 testing.

>I also think that the drafts are not concrete enough so that 2
>implementers would come up with interoperable implementations.

	You make a strong bold claim.  However, there is an existence proof to
the contrary since interoperability of independently-written implementations
has ALREADY been shown.  For example, the DRA/Malvern implementation written
against isakmp-04 talked fine with the cisco UNIX implementation written
against isakmp-04.  There can be no doubt that the ISAKMP and ISAKMP-Oakley
specifications are sufficiently concrete to implement.  All the details are
there, including all of the magic numbers, in a clean easily-read format.

Best regards,

Ran
rja@cisco.com