
Issue concerning P1 ID port/protocol and Interop Testing



Will Fiveash writes:
> I've been running IKE interop tests against both the SSH
> (http://isakmp-test.ssh.fi/) and NIST (http://ipsec-wit.antd.nist.gov/)
> test sites.  One thing that I've discovered that appears to be a problem
> common to both sites is they send a Phase 1 ID with the protocol field
> set to UDP but the port field is 0.  Am I correct in thinking this is in
> violation of draft-ietf-ipsec-ipsec-doi-10.txt which states in section
> 4.6.2:
> 
>    During Phase I negotiations, the ID port and protocol fields MUST be
>    set to zero or to UDP port 500.  If an implementation receives any
>    other values, this MUST be treated as an error and the security
>    association setup MUST be aborted.  This event SHOULD be auditable.
> 
> ?
> 
> This leads me to a more fundamental question: Is this restriction on the
> protocol/port fields really necessary in Phase 1?  These fields don't
> appear to be useful in Phase 1 and if we test for 0/0 or UDP/500 we won't
> inter-operate with SSH or NIST (and I suspect other folks will have
> similar problems).

I don't think the value of port and protocol has any meaning in the
phase 1 exchange. The reason why SSH's test site had UDP/0 was that
it used to be UDP/xxxx, where xxxx was the real port number (quite
often 1500), but someone complained about that and I changed it to
UDP/0...

I have already changed the test program to send 0/0, but I haven't
updated the web-server yet. I will probably do it quite soon, and
there will also be some new features (EC2N and ECP groups for
Diffie-Hellman, Initial-contact notifications, etc).
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
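
The check discussed in this thread, written out as an added example
(not code from either poster or from the SSH toolkit): it parses an
ISAKMP Identification payload and applies the Phase 1 rule quoted from
draft-ietf-ipsec-ipsec-doi-10 section 4.6.2 literally, accepting only
0/0 or UDP/500 and otherwise aborting with an auditable reason. The
payload layout (Next Payload, RESERVED, Payload Length, ID Type,
Protocol ID, Port, Identification Data) is assumed from the ISAKMP
Identification payload format; the sample payloads, the ID type value
1 (ID_IPV4_ADDR) and the 192.0.2.1 address are constructed for the
example.

```python
"""Phase 1 ISAKMP Identification payload check (example, not from the thread).

Assumed payload layout (ISAKMP Identification payload, fixed 8-byte header):
  Next Payload(1) RESERVED(1) Payload Length(2) ID Type(1) Protocol ID(1) Port(2)
  followed by Identification Data.
"""
import struct
from dataclasses import dataclass

PROTO_UDP = 17
PORT_ISAKMP = 500
ID_HEADER_LEN = 8
ID_IPV4_ADDR = 1  # ID type value assumed from the DOI for this example

# The only (protocol, port) pairs the quoted draft text permits in Phase 1.
PHASE1_ALLOWED = {(0, 0), (PROTO_UDP, PORT_ISAKMP)}


@dataclass
class IdPayload:
    next_payload: int
    length: int
    id_type: int
    protocol: int
    port: int
    data: bytes


def parse_id_payload(buf: bytes) -> IdPayload:
    """Parse the fixed header and slice out the Identification Data.

    Raises ValueError on a truncated buffer or an inconsistent length field,
    so a malformed ID payload is never silently accepted.
    """
    if len(buf) < ID_HEADER_LEN:
        raise ValueError("ID payload shorter than its fixed header")
    nxt, _reserved, length, id_type, proto, port = struct.unpack(
        "!BBHBBH", buf[:ID_HEADER_LEN])
    if length < ID_HEADER_LEN or length > len(buf):
        raise ValueError(f"bad payload length {length}")
    return IdPayload(nxt, length, id_type, proto, port, buf[ID_HEADER_LEN:length])


def check_phase1_id(buf: bytes):
    """Apply the draft's Phase 1 rule. Returns (accepted, audit_message).

    The second element is what the caller should write to its audit log;
    the draft says a rejection SHOULD be auditable.
    """
    try:
        pl = parse_id_payload(buf)
    except ValueError as exc:
        return False, f"abort: malformed Phase 1 ID payload ({exc})"
    if (pl.protocol, pl.port) not in PHASE1_ALLOWED:
        return False, (f"abort: Phase 1 ID carries protocol {pl.protocol} "
                       f"port {pl.port}; only 0/0 or UDP/500 are permitted")
    return True, f"ok: id_type={pl.id_type} proto={pl.protocol} port={pl.port}"


def build_id_payload(id_type: int, proto: int, port: int, data: bytes,
                     next_payload: int = 0) -> bytes:
    """Encode an Identification payload (used here to construct samples)."""
    length = ID_HEADER_LEN + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, proto, port) + data


# Constructed sample payloads; 192.0.2.1 is a documentation address.
ADDR = bytes([192, 0, 2, 1])
SAMPLE_ZERO = build_id_payload(ID_IPV4_ADDR, 0, 0, ADDR)              # 0/0
SAMPLE_UDP500 = build_id_payload(ID_IPV4_ADDR, PROTO_UDP, PORT_ISAKMP, ADDR)
SAMPLE_UDP0 = build_id_payload(ID_IPV4_ADDR, PROTO_UDP, 0, ADDR)      # what the thread reports
SAMPLE_UDP1500 = build_id_payload(ID_IPV4_ADDR, PROTO_UDP, 1500, ADDR)  # the earlier real port
SAMPLE_TRUNCATED = SAMPLE_UDP500[:10]                                  # length field exceeds buffer

if __name__ == "__main__":
    for name, sample in [("0/0", SAMPLE_ZERO), ("UDP/500", SAMPLE_UDP500),
                         ("UDP/0", SAMPLE_UDP0), ("UDP/1500", SAMPLE_UDP1500),
                         ("truncated", SAMPLE_TRUNCATED)]:
        accepted, msg = check_phase1_id(sample)
        print(f"{name:10s} {'ACCEPT' if accepted else 'REJECT'}  {msg}")
```

Run as-is, the strict rule accepts 0/0 and UDP/500 and rejects UDP/0,
which is exactly the interoperability failure described above against
the SSH and NIST test sites; an implementation that wants to talk to
peers sending UDP/0 has to decide deliberately whether to relax
`PHASE1_ALLOWED`, and should still log the deviation.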

