Re: IPSec interop workshop Aug 31st - Sept 3 invitation
On Tue, 4 Aug 1998, William Dixon wrote:
| I am concerned that we are not having enough opportunities for comprehensive
| and/or sophisticated interoperability testing. So I'd like to offer one
| during the week after the IETF (not great timing I know).
Great! Our team will be represented. (You have us down as Gnu, I
think, but we are actually FreeS/WAN).
| Due to the small facility, I'd like to prioritize for those who can
| negotiate and perform ALL of the following functionality:
| IKE - Negotiate and perform
| - Multiple auth method proposals
I'm not sure what you mean by this -- multiple AH transform proposals?
| - Certificate authentication and certificate request payloads
| - Dynamic rekey with PFS for both main mode and quick mode
| - Selectors (filters) to the IPaddress, IP Subnet, and port
| IPSec
| - ESP with 56bitDES, null-ESP, MD5 and SHA1
I presume that you mean ESP with {DES, null} x {MD5-96, SHA1-96}
| - Transport and tunnel mode
|
| Implementations should also have
| IKE
| - AND proposal
Do you mean multiple transform payloads with the same transform number?
| - SA delete payload
| - Lifetimes in both bytes and times
| - Group 2 DH with 3DES
| - 512bit DH or explicit p & g
Huh? Do you mean MODP with 512? 512 is not strong enough, and it is
not a standard group. What is this about?
| IPSec
| - Protocol and port filters
| - L2TP/IPSec integration
| - AH with MD5 and SHA1
| - AH+ESP combination
| - ESP 3DES
| - ESP 40bitDES
Ditto: 40 bit isn't strong enough and isn't in the standard, for good
reasons.
| 2. IPSec Functionality Testing
| 1. Basic interop on combinations
| 2. Certificate Infrastructure
| - Cert Server certificates from: Entrust, Microsoft, Verisign,
| Netscape
| - Cert trust verification using hierarchy in PKI infrastructures
| - Using CRLs during cert validation ?
| - Timing of IKE successful/unsuccessful negotiation using certs, how
| transparent for end-to-end?
| 3. IKE retransmit behavior
| 4. Export <-> Export, Export <-> Domestic
| - Basic IKE and IPSec tests
| - Explicit p&g DH with 40bit DES
I don't understand this. We have to export to get to this site :-)
| 5. IKE commit bit
| 6. Throughput & number of simultaneous negotiations performance testing
| against different implementations
| 7. Reboot recovery (peer reboot losing its security associations)
| 8. Scenarios -
| - End-to-End transport long lived security associations (over night,
| data transfer >1Gb) with frequent dynamic rekey
| - End-to-GW tunnel long lived security associations (over night,
| data transfer >1Gb) with frequent dynamic rekey
| - Policy change events while under SA load
| - End-to-End SA through IPSec tunnels, initiation both ways
| - Client End-to-End through client-to-GW tunnel SA, initiate from
| client for tunnel, then initiation both ways for end-to-end
| - Client-to-GW transport SA for secure management
| 9. Multiple auth method proposals and AND proposal
Is this the same as one or two of the above?
| 10. Discuss reliability requirements for SA establishment, maintenance under
| load, heavy fragmentation, packet corruption, packet loss
Hugh Redelmeier
hugh@mimosa.com voice: +1 416 482-8253