Issue concerning P1 ID port/protocol and Interop Testing
I've been running IKE interop tests against both the SSH
(http://isakmp-test.ssh.fi/) and NIST (http://ipsec-wit.antd.nist.gov/)
test sites. One thing that I've discovered that appears to be a problem
common to both sites is they send a Phase 1 ID with the protocol field
set to UDP but the port field is 0. Am I correct in thinking this is in
violation of draft-ietf-ipsec-ipsec-doi-10.txt which states in section
4.6.2:
During Phase I negotiations, the ID port and protocol fields MUST be
set to zero or to UDP port 500. If an implementation receives any
other values, this MUST be treated as an error and the security
association setup MUST be aborted. This event SHOULD be auditable.
?
This leads me to a more fundamental question: Is this restriction on the
protocol/port fields really necessary in Phase 1? These fields don't
appear to be useful in Phase 1 and if we test for 0/0 or UDP/500 we won't
interoperate with SSH or NIST (and I suspect other folks will have
similar problems).
--
Will Fiveash
IBM AIX System Development Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551 Notes: will@austin.ibm.com@internet
Austin, TX 78758-3493 Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
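The check the message is asking about, written out as an added example (not code from the poster or from either test site): it parses an ISAKMP Identification payload, assuming the DOI layout (generic header, then ID Type, Protocol ID, Port, identification data), and applies the section 4.6.2 rule strictly or in the relaxed form the message proposes. The sample payloads are constructed, not captures.

```python
import struct
from dataclasses import dataclass

PROTO_UDP = 17
IKE_PORT = 500
ID_IPV4_ADDR = 1  # ID Type code for an IPv4 address in the IPsec DOI


@dataclass
class IdPayload:
    next_payload: int
    length: int
    id_type: int
    protocol: int
    port: int
    data: bytes


def parse_id_payload(buf):
    """Parse one Identification payload: generic header plus ID fields (8 octets)."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    nxt, reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if reserved != 0:
        raise ValueError("RESERVED octet must be zero")
    if length < 8 or length > len(buf):
        raise ValueError("Payload Length inconsistent with received data")
    return IdPayload(nxt, length, id_type, proto, port, buf[8:length])


def check_phase1_id(pl, strict=True):
    """Apply the Phase 1 rule quoted above (DOI draft section 4.6.2).

    strict=True : only 0/0 or UDP/500 are accepted; anything else aborts the
                  SA setup and is reported for auditing.
    strict=False: the relaxed reading the message asks about: the fields are
                  ignored for the accept decision but still reported.
    """
    desc = f"protocol={pl.protocol} port={pl.port}"
    if (pl.protocol, pl.port) in {(0, 0), (PROTO_UDP, IKE_PORT)}:
        return True, f"ok ({desc})"
    if strict:
        return False, f"abort SA setup, audit: {desc} is not 0/0 or UDP/500"
    return True, f"accepted under relaxed rule, audit: {desc}"


def build_id_payload(proto, port, addr="192.0.2.1"):
    """Constructed ID_IPV4_ADDR payload with the given protocol/port fields."""
    data = bytes(int(o) for o in addr.split("."))
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), ID_IPV4_ADDR, proto, port) + data


CONFORMING = build_id_payload(PROTO_UDP, IKE_PORT)  # UDP/500
INTEROP_CASE = build_id_payload(PROTO_UDP, 0)       # UDP/0, the case the message reports
```

Running `check_phase1_id(parse_id_payload(INTEROP_CASE))` rejects the UDP/0 payload under the strict reading and accepts it with `strict=False`.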