
Issue concerning P1 ID port/protocol and Interop Testing



I've been running IKE interop tests against both the SSH
(http://isakmp-test.ssh.fi/) and NIST (http://ipsec-wit.antd.nist.gov/)
test sites.  One thing that I've discovered that appears to be a problem
common to both sites is they send a Phase 1 ID with the protocol field
set to UDP but the port field is 0.  Am I correct in thinking this is in
violation of draft-ietf-ipsec-ipsec-doi-10.txt which states in section
4.6.2:

   During Phase I negotiations, the ID port and protocol fields MUST be
   set to zero or to UDP port 500.  If an implementation receives any
   other values, this MUST be treated as an error and the security
   association setup MUST be aborted.  This event SHOULD be auditable.

?

This leads me to a more fundamental question: Is this restriction on the
protocol/port fields really necessary in Phase 1?  These fields don't
appear to be useful in Phase 1 and if we test for 0/0 or UDP/500 we won't
inter-operate with SSH or NIST (and I suspect other folks will have
similar problems).

-- 
Will Fiveash
IBM AIX System Development        Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551   Notes: will@austin.ibm.com@internet
Austin, TX 78758-3493  Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
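The check under discussion, as an added example that is not part of the original post or of any of the implementations it mentions: a small parser for the ISAKMP Identification payload (generic header followed by the DOI-specific ID type, protocol ID and port fields, per the RFC 2408 layout) and a validator that applies the quoted section 4.6.2 rule. The `strict` mode is the draft's MUST (only 0/0 or UDP/500); the `lenient` mode is an assumed relaxation, accepting any mix of the two permitted values so that a UDP/0 ID of the kind the post observed is accepted. Both outcomes are written to an audit list, since the draft wants the event auditable. The sample payload bytes are constructed for the example; `build_id_payload`, `check_phase1_id` and `validate_phase1_id` are names chosen here, not from any real IKE code base.

```python
"""Phase 1 Identification payload protocol/port check
(draft-ietf-ipsec-ipsec-doi section 4.6.2 as quoted in the post)."""
import struct

UDP = 17          # IANA protocol number for UDP
ISAKMP_PORT = 500
ID_IPV4_ADDR = 1  # IPSEC DOI identification type for a single IPv4 address

# Fixed part of the Identification payload (RFC 2408 section 3.8 layout):
#   Next Payload (1) | RESERVED (1) | Payload Length (2) |
#   ID Type (1) | Protocol ID (1) | Port (2) | Identification Data (variable)
_ID_HDR = struct.Struct("!BBHBBH")


def parse_id_payload(data: bytes) -> dict:
    """Parse the generic header and DOI-specific fields of an ID payload."""
    if len(data) < _ID_HDR.size:
        raise ValueError("ID payload shorter than its fixed header")
    next_payload, _reserved, length, id_type, proto, port = _ID_HDR.unpack_from(data)
    # Length must cover the fixed header and must not run past the buffer.
    if length < _ID_HDR.size or length > len(data):
        raise ValueError("ID payload length field out of range")
    return {
        "next_payload": next_payload,
        "id_type": id_type,
        "protocol": proto,
        "port": port,
        "ident": data[_ID_HDR.size:length],
    }


def check_phase1_id(proto: int, port: int, strict: bool = True):
    """Apply the section 4.6.2 rule to a protocol/port pair.

    strict=True : only 0/0 or UDP/500 are accepted (the draft's MUST).
    strict=False: assumed relaxation; any mix of the permitted values
                  (e.g. UDP/0) is accepted but still recorded.
    Returns (accepted, reason)."""
    if (proto, port) in ((0, 0), (UDP, ISAKMP_PORT)):
        return True, "ok"
    if not strict and proto in (0, UDP) and port in (0, ISAKMP_PORT):
        return True, f"accepted leniently: proto={proto} port={port}"
    return False, f"abort SA setup: proto={proto} port={port} is not 0/0 or UDP/500"


def validate_phase1_id(data: bytes, strict: bool = True, audit=None):
    """Parse a received ID payload and check it; every decision is auditable."""
    fields = parse_id_payload(data)
    ok, reason = check_phase1_id(fields["protocol"], fields["port"], strict)
    if audit is not None:
        audit.append(
            f"phase1-id type={fields['id_type']} proto={fields['protocol']} "
            f"port={fields['port']} -> {reason}"
        )
    return ok, fields


def build_id_payload(id_type: int, proto: int, port: int, ident: bytes) -> bytes:
    """Encode an ID payload (next payload 0 = none) for test input."""
    return _ID_HDR.pack(0, 0, _ID_HDR.size + len(ident), id_type, proto, port) + ident


# Constructed sample: ID_IPV4_ADDR 192.0.2.1 with protocol UDP and port 0,
# the combination the post reports seeing from the test sites.
SAMPLE_UDP_PORT0 = build_id_payload(ID_IPV4_ADDR, UDP, 0, bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    log = []
    for strict in (True, False):
        ok, _ = validate_phase1_id(SAMPLE_UDP_PORT0, strict=strict, audit=log)
        print(f"strict={strict}: accepted={ok}")
    print("\n".join(log))
```

Run stand-alone, the script shows the same UDP/0 payload rejected in strict mode and accepted in lenient mode, with both decisions in the audit log; a malformed length field is rejected before the protocol/port check is reached.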

