[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Summary of issues from RTP

To: "'Michael C. Richardson'" <mcr@sandelman.ottawa.on.ca>, "'ipsec@tis.com'" <ipsec@tis.com>
Subject: RE: Summary of issues from RTP
From: Roy Pereira <rpereira@TimeStep.com>
Date: Wed, 18 Mar 1998 15:06:10 -0500
Sender: owner-ipsec@ex.tis.com

Also, some vendors could not handle larger sized nonces (40 bytes) and
would only allow 20 byte nonces.  The new IKE document does state:

   The length of nonce payload MUST be between 8 and 256 bytes
   inclusive.

>-----Original Message-----
>From:	Michael C. Richardson [SMTP:mcr@sandelman.ottawa.on.ca]
>Sent:	Tuesday, March 17, 1998 11:02 PM
>To:	ipsec@tis.com
>Subject:	Summary of issues from RTP
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>  {Don't ask me to present this in LA, I won't be there. The agenda doesn't
>say whether or not it will be in an MBONE room. If so, I'll be listening,
>DVMRP tunnel setup permitting. Email me if you can give me a tunnel!!!.
>
>  I will update this list again on the 27th. I have taken the list, removed
>the headers, signatures, and reworded some parts. Please let me know if I've
>screwed up what you are saying.}
>
>  1. ISAKMP SPI sizes. Some implementations get upset (i.e. crash) when
>	  offered different sizes. (2 octets was required for the IPcomp people)
>
>  2. ISAKMP payloads had to be in the order they are documented in the draft.
>	Most ISAKMP payloads may be sent in any order. The exception is that
>	there is a proscribed relationship between some payloads
>	(i.e. proposal payloads, transform payloads, etc)
>
>  3. IP address in CERTs. Some people expected strings, other expected
>	4 octets in ipAddress. If string, then is it: CN vs Unstructured or
>	subjectAltName. 
>
>  4. Some implementations are sending a replay protection number of 0
>	when manually keying. "I was under the impression sequence # 0 should
>	NEVER go on the wire, but hey, what do I know?"
>
>  5. Some vendors are not yet supporting DOI-07 wrt the AH transform type,
>	and the AUTH attribute.
>	{ed note: I wanted to give an example, but I can't seem to.
>	I read as far back as DOI-04, but didn't see any changes... unless
>	the issus is that the Auth(HMAC-MD5) wasn't being sent???}
>
>  6. Some vendors used old isakmp-08 certificate request format, but the data
>	  attrbute used in the payload was incorrectly formatted (or missing).		 
>	{ed note: isakmp-09 was not publically available for the interop}
>
>  7. Some vendors did not like getting a key hash payload in rsa encryption
>	  mode. 
>
>  8. Some vendors were discarding entire ISAKMP packet when an unknown
>	notify payload was received. Only the single payload should be
>	discarded.
>	
>  9. Some vendors did not like receiving certificate request payloads when 
>	using pre shared keys. (The isakmp draft says certificate requests
>	payloads can exist in any message).
>
> 10. Some vendors did not like receiving certificate request payloads at any
>	time. 
>
> 11. Some vendors did not like ISAKMP packet to be padded to a multiple of 4
>	bytes.
>
> 12. Some vendors expected to see client ID's in phase 2. This caused
>	quick mode to complete, but fail to install the SA properly.
>
> 13. Some vendors were not prepared to receive INITIAL-CONTACT notifies. This
>	caused premature termination of the negotiation. Speculation that
>	some vendors may terminate on any unknown status-level information
>	notifications. 
>
> 14. (Relating to #5, and perhaps answering my question)
>	Some vendors were not sending both the AH Transform type (e.g. AH_MD5)
>	AND the Authentication Algorithm attribute (e.g. HMAC-MD5)
>	Some vendors would not accept receiving both the the Transform type
>	and the Authentication Algorithm attribute.
> {ed: I must say that I'm not clear why we have two definitions here, and
>	I didn't find anything obvious by grepping my archives. If someone
>	tells me what month to look in...}
>
> {ed: I received nothing about any wire level transform level issues. This is
>	probably good.}
>
>   :!mcr!:            |  Sandelman Software Works Corporation, Ottawa, ON  
>   Michael Richardson |Network and security consulting and contract
>programming
> Personal: <A
>HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">m
>cr@sandelman.ottawa.on.ca</A>. PGP key available.
> Corporate: <A
>HREF="http://www.sandelman.ottawa.on.ca/SSW/">sales@sandelman.ottawa.on.ca</A
>>. 
>
>
>
>	
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.3ia
>Charset: latin1
>Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
>
>iQB1AwUBNQ9HH9iXVu0RiA21AQF+KAL+PWlBkRYOCwoXtbm1nW73nbKP+fTS813e
>k8JG6Hyhe9tgmI6gU57m1PiPL5GZAdZzyC1PCGFSfdsbnAT93kkuBgo8eBgD8ZcP
>cnJhJtHdRexpCZXsL5cYQ5bwqc464dOT
>=0OuF
>-----END PGP SIGNATURE-----

Prev by Date: some comments on draft-ietf-ipsec-ipsec-doi-08.txt
Next by Date: comments on draft-ietf-ipsec-doi-08.txt
Prev by thread: Summary of issues from RTP
Next by thread: RE: Summary of issues from RTP
Index(es):
- Main
- Thread