[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec interop workshop Aug 31st - Sept 3 invitation

To: William Dixon <wdixon@microsoft.com>
Subject: Re: IPSec interop workshop Aug 31st - Sept 3 invitation
From: "D. Hugh Redelmeier" <hugh@mimosa.com>
Date: Sun, 23 Aug 1998 19:50:15 -0400
cc: "'ipsec@tis.com'" <ipsec@tis.com>
In-Reply-To: <ACC49BC4931BD211B64F00805F15808901433D9E@RED-MSG-07>
Sender: owner-ipsec@ex.tis.com

On Tue, 4 Aug 1998, William Dixon wrote:

| I am concerned that we are not having enough opportunities for comprehensive
| and/or sophisticated interoperability testing.  So I'd like to offer one
| during the week after the IETF (not great timing I know).

Great!  Our team will be represented.  (You have us down as Gnu, I
think, but we are actually FreeS/WAN).

| Due to the small facility, I'd like to prioritize for those who can
| negotiate and perform ALL of the following functionality:
| IKE - Negotiate and perform
| 	- Multiple auth method proposals

I'm not sure what you mean by this -- multiple AH transform proposals?

| 	- Certificate authentication and certificate request payloads
| 	- Dynamic rekey with PFS for both main mode and quick mode
| 	- Selectors (filters) to the IPaddress, IP Subnet, and port
| IPSec
| 	- ESP with 56bitDES, null-ESP, MD5 and SHA1

I presume that you mean ESP with {DES, null} x {MD5-96, SHA1-96}

| 	- Transport and tunnel mode
| 
| Implementations should also have
| IKE
| 	- AND proposal

Do you mean multiple transform payloads with the same transform number?

| 	- SA delete payload
| 	- Lifetimes in both bytes and times
| 	- Group 2 DH with 3DES
| 	- 512bit DH or explicit p & g

Huh?  Do you mean MODP with 512?  512 is not strong enough, and it is
not a standard group.  What is this about?

| IPSec
| 	- Protocol and port filters
| 	- L2TP/IPSec integration
| 	- AH with MD5 and SHA1
| 	- AH+ESP combination
| 	- ESP 3DES
| 	- ESP 40bitDES

Ditto: 40 bit isn't strong enough and isn't in the standard, for good
reasons.

| 2. IPSec Functionality Testing
| 1. Basic interop on combinations
| 2. Certificate Infrastructure
| 	- Cert Server certificates from: Entrust, Microsoft, Verisign,
| Netscape
| 	- Cert trust verification using hierarchy in PKI infrastructures
| 	- Using CRLs during cert validation ?
| 	- Timing of IKE successful/unsuccessful negotiation using certs, how
| transparent for end-to-end?
| 3. IKE retransmit behavior
| 4. Export <-> Export, Export <-> Domestic
| 	- Basic IKE and IPSec tests
| 	- Explicit p&g DH with 40bit DES

I don't understand this.  We have to export to get to this site :-)

| 5. IKE commit bit
| 6. Throughput & number of simultaneous negotiations performance testing
| against different implementations
| 7. Reboot recovery (peer reboot losing it's security associations)
| 8. Scenarios - 
| 	- End-to-End transport long lived security associations (over night,
| data transfer >1Gb) with frequent dynamic rekey
| 	- End-to-GW tunnel long lived security associations (over night,
| data transfer >1Gb) with frequent dynamic rekey
| 	- Policy change events while under SA load
| 	- End-to-End SA through IPSec tunnels, initiation both ways
| 	- Client End-to-End through client-to-GW tunnel SA, initiate from
| client for tunnel, then initiation both ways for end-to-end
| 	- Client-to-GW transport SA for secure management
| 9. Multiple auth method proposals and AND proposal

Is this the same as one or two of the above?

| 10. Discuss reliability requirements for SA establishment, maintenance under
| load, heavy fragmentation, packet corruption, packet loss

Hugh Redelmeier
hugh@mimosa.com  voice: +1 416 482-8253

References:

IPSec interop workshop Aug 31st - Sept 3 invitation

From: William Dixon <wdixon@microsoft.com>

Prev by Date: OID question
Next by Date: Re: Comments on "Hybrid Auth. mode for IKE"
Prev by thread: IPSec interop workshop Aug 31st - Sept 3 invitation
Next by thread: RE: IPSec interop workshop Aug 31st - Sept 3 invitation
Index(es):
- Main
- Thread