RE: IPSec interop workshop Aug 31st - Sept 3 invitation



My apologies to IBM and everyone for not making one point clear.  I fully
support the already announced IBM bakeoff in late October and we will
attend.  The invitation I sent is another opportunity, 6 weeks earlier, to
help vendors work out interop issues.  Particularly it will be hard for me
to make changes in November/Dec and I'd like to ship something people won't
have too many problems interoping with as they move forward in their
implementations.  -Wm

-----Original Message-----
From: William Dixon [mailto:wdixon@microsoft.com]
Sent: Tuesday, August 04, 1998 2:17 AM
To: 'ipsec@tis.com'
Subject: IPSec interop workshop Aug 31st - Sept 3 invitation


I am concerned that we are not having enough opportunities for comprehensive
and/or sophisticated interoperability testing.  So I'd like to offer one
during the week after the IETF (not great timing I know).  I've got room for
about 30 people plus equipment.  So please "r" me if interested and give me
a few days to respond.  I'd like someone from ICSA to attend also.  By the
end of the week I hope to have enough responses to determine if it will be
worthwhile.  Thanks, -Wm


Announcement of IPSec Bakeoff Opportunity
Mon-Thurs, Aug 31st- Sept 3
Microsoft Main Campus, Olympic Room in bldg. 27S
Redmond, WA

Contents:
1. Purpose - Criteria
2. Proposed functionality testing
3. Proposed daily agenda

1. Purpose
Provide IPSec vendor developers of the most complete IPSec implementations a
small-scale, mixed vendor environment to further test IPSec interoperability
for transport and tunneling, under load, across a variety of network
topologies, including dialup, 100Mbit Ethernet and across Internet WAN
links.  To test attack resilience of IPSec implementations.  To begin
testing L2TP/IPSec interop.  No press releases, just interop work.  Wider
interop shake out for base and extended families of ICSA v2.0 criteria.
Increase consensus among IPSec vendors for how to solve some common
deployment problems and prepare for IBM's full bakeoff in October.

Due to the small facility, I'd like to prioritize for those who can
negotiate and perform ALL of the following functionality:
IKE - Negotiate and perform
	- Multiple auth method proposals
	- Certificate authentication and certificate request payloads
	- Dynamic rekey with PFS for both main mode and quick mode
	- Selectors (filters) to the IPaddress, IP Subnet, and port
IPSec
	- ESP with 56bitDES, null-ESP, MD5 and SHA1
	- Transport and tunnel mode

Implementations should also have
IKE
	- AND proposal
	- SA delete payload
	- Lifetimes in both bytes and times
	- Group 2 DH with 3DES
	- 512bit DH or explicit p & g

IPSec
	- Protocol and port filters
	- L2TP/IPSec integration
	- AH with MD5 and SHA1
	- AH+ESP combination
	- ESP 3DES
	- ESP 40bitDES

2. IPSec Functionality Testing
1. Basic interop on combinations
2. Certificate Infrastructure
	- Cert Server certificates from: Entrust, Microsoft, Verisign,
Netscape
	- Cert trust verification using hierarchy in PKI infrastructures
	- Using CRLs during cert validation ?
	- Timing of IKE successful/unsuccessful negotiation using certs, how
transparent for end-to-end?
3. IKE retransmit behavior
4. Export <-> Export, Export <-> Domestic
	- Basic IKE and IPSec tests
	- Explicit p&g DH with 40bit DES
5. IKE commit bit
6. Throughput & number of simultaneous negotiations performance testing
against different implementations
7. Reboot recovery (peer reboot losing its security associations)
8. Scenarios - 
	- End-to-End transport long lived security associations (over night,
data transfer >1Gb) with frequent dynamic rekey
	- End-to-GW tunnel long lived security associations (over night,
data transfer >1Gb) with frequent dynamic rekey
	- Policy change events while under SA load
	- End-to-End SA through IPSec tunnels, initiation both ways
	- Client End-to-End through client-to-GW tunnel SA, initiate from
client for tunnel, then initiation both ways for end-to-end
	- Client-to-GW transport SA for secure management
9. Multiple auth method proposals and AND proposal
10. Discuss reliability requirements for SA establishment, maintenance under
load, heavy fragmentation, packet corruption, packet loss

3. Schedule
Monday evening Aug 31 - we may actually be able to setup on Sunday, not sure
yet, which would make this a full testing day
12:00-17:00 - Room and Network Setup
15:00-17:00 - Shipping deliveries from MS Receiving to bldg. 27/Olympic Room
17:00-22:00 - Vendor equipment drop off/setup

Tuesday Sept 1st
7:30 - Room Opens, Catered continental bkfast
8:30 - Welcome, Agenda, Network Layout, Logistics
9:00 - Testing
12:30 - SyncUp Discussion with catered lunch
13:00-13:30 Overview of MS PKI
17:00 - ReSync Discussion
22:00 - Room closes for night

Wednesday Sept 2nd
7:30 - Room Opens, Catered continental bkfast
8:30 - Agenda, Q&A
12:30 - SyncUp Discussion
13:00-13:30 Overview of IPSec policy in NT5.0 Active Directory
17:00 - SyncUp Discussion
22:00 - Room closes for night

Thursday Sept 3rd
7:30 - Room Opens, Catered continental bkfast
8:30 - Agenda, Q&A
12:30 - 13:30 - SyncUp Discussion
17:00 - Vendor Equip load Out
19:00 - Network pulled up
21:00 - Turnover to facilities management for next day

Friday Sept 4th - Event notes typed up and released to IETF IPSec list &
participants


Wm
William Dixon, 425-703-8729, wdixon@microsoft.com
Program Manager, Internet Protocol Security
PBS Windows Networking & Communications
Microsoft Corporation