
SSH ISAKMP/Oakley interoperability test site announcement



I updated the SSH ISAKMP/Oakley interoperability test site to support
our SSH IPSEC Express 1.2. New features include:

- Certificate enrollment page.
- Tiger hash in Phase I.
- RipeMD160 hash in Phase I.
- Well known group 3 (EC2N) in Phase I or II.
- Well known group 4 (EC2N) in Phase I or II.
- Inline EC2N and ECP private groups in Phase I IKE negotiation.
- EC2N and ECP private groups in new group mode.
- CRL support.
- Two different CA keys (DSA or RSA root)
- Certificate hierarchy testing (certificate chains) (8 level hierarchy).
- Longer timeouts.

The URL for the test site is <URL:http://isakmp-test.ssh.fi/>.

Here is an updated announcement text:
----------------------------------------------------------------------
The SSH ISAKMP/Oakley test site is now available for testing.
See:

<URL:http://isakmp-test.ssh.fi/>.

This site was already announced in the Washington IETF IPSec session,
and has been operational since then, but this is an updated announcement
of its availability for testing.

The SSH ISAKMP/Oakley test site is a web-based test site for
ISAKMP/Oakley servers and it allows your implementation to perform
negotiations against the test server. It gives you sufficient
debugging output, so you can resolve most problems yourself; we are
happy to work with you on the remaining ones (send mail to
isakmp-support@ssh.fi).

For demonstration purposes, you can also put our implementation
negotiating against itself by giving 194.100.55.1 as the IP address
for the other end and using a different port number for each end.

I've now configured the system so that you can also use port 500 for
testing at the SSH end. So if you couldn't test earlier because you
couldn't configure the remote port, now you can also use port 500.
I also raised the default timeout from 30 seconds to 60 seconds if you
are using port 500, and to 180 seconds if you are using some other
port than 500.

I had to raise the timeout because the 120 MHz Pentium wasn't able to
fetch 8 CRLs from the LDAP server, check the signatures of all 8
certificates and their CRLs and sign its response in 30 seconds when
using DSA keys and running both ends on the same machine.

Because only one user can be testing on the same port at the same time
(the test servers are each completely separate from each other, but
running on the same machine), it would be good to use some other port if
you can, and leave port 500 for those who cannot choose...

The SSH ISAKMP/Oakley test site supports the latest drafts (isakmp-10,
oakley-02, isakmp-oakley-08, doi-10), and the following options in those
drafts:

	- Several compatibility flags. 

	- Authentication with pre-shared keys and support for
	  DSA/RSA signatures and RSA encryption authentication.
	  Now there is also a certificate enrollment page, where you
	  can process your own PKCS#10 request and get a certificate
	  signed by our CA key back, so now you can test DSA/RSA
	  signature and RSA encryption authentication yourself.
	  The certificate sent by the other end must have the correct
	  IP address in the subject alt name field.

	- Two configurable CA keys, DSA or RSA root.

	- 8 level certificate chain test (CA certificate + 7
	  intermediate signing certificates and the end user
	  certificate). 

	- Both responder and initiator ends.

	- Both Main mode and Aggressive mode.

	- New group mode between main or aggressive mode and quick
	  mode.

	- Quick mode. 

	- Encryption algorithms: DES, IDEA, Blowfish, RC5, 3DES, and
	  CAST-128.

	- Hash algorithms: MD5, SHA, Tiger and RipeMD160

	- Diffie-Hellman Groups: 1, 2, 3, 4, private group arguments
	  given in ISAKMP proposal, and private group negotiated in
	  new group mode (for quick mode). It also supports 1536 bit
	  modp group created by Richard Schroeppel and posted to
	  linux-ipsec list. This is numbered to be group 5.

	- MODP, EC2N, ECP private groups.

	- With or without PFS in quick mode.

	- Limited configuration mode support: it will respond to any
	  configuration mode (or extended authentication) requests, but
	  the user interface doesn't allow you to initiate them.

	- CRL support (currently it always gets CRLs from
	  ldap.ssh.fi, and that LDAP server also has CRLs for all of
	  our CA keys, but if you send a CRL in the IKE payload it
	  will also process that).

The ISAKMP/Oakley test site is NOT connected to an IPSec engine, so it
will just print out the resulting keys after negotiation so you can
check them (note that it will print just the raw key material; parity
bits etc. are fixed at the IPSec engine level, not at this level).

The ISAKMP/Oakley test site will be connected to the IPSec responder
engine quite soon, so wait for another announcement. 

If you have any comments, problems, enhancements etc. please send mail
to isakmp-support@ssh.fi.

I will try to add some more help texts to the pages later, but I think
implementors should be able to understand the user interface and
debug output already. I really hope this service will be useful to the
IPSec community.

For more information about SSH IPSEC Express see
http://www.ssh.fi/ipsec/ 
-- 
Start fixing W2k problem,                    install a free unix now.
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
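The announcement notes that the test site prints raw IKE key material and that DES parity bits are fixed at the IPSec engine level, not by the negotiator. The following added example (not code from the original post or from SSH) shows that engine-side step: it carves 8-byte DES keys out of constructed raw keying material, sets odd parity on every byte, and rejects the well-known DES weak and semi-weak keys that a key-derivation output could, by bad luck, land on.

```python
# Added example: DES/3DES key preparation from raw IKE keying material.
# Per FIPS 46 each DES key byte carries its parity in the low bit, so a
# negotiated raw key is only usable after every byte has odd parity.

# Known DES weak keys (encrypting twice returns the plaintext).
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
)}
# Known DES semi-weak key pairs (each key undoes encryption by its partner).
DES_SEMI_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}

def set_odd_parity(key: bytes) -> bytes:
    """Return key with each byte's low bit chosen so the byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                       # data bits, parity bit cleared
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)

def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)

def is_weak_des_key(key: bytes) -> bool:
    """True for the 4 weak and 12 semi-weak keys (compared in parity-fixed form)."""
    return set_odd_parity(key) in DES_WEAK_KEYS | DES_SEMI_WEAK_KEYS

def des_keys_from_keymat(keymat: bytes, n_keys: int) -> list:
    """Split raw keying material into n_keys 8-byte DES keys (3 for 3DES),
    fix parity, and refuse weak keys so the engine never installs one."""
    if len(keymat) < 8 * n_keys:
        raise ValueError("not enough keying material for %d DES keys" % n_keys)
    keys = []
    for i in range(n_keys):
        k = set_odd_parity(keymat[8 * i:8 * (i + 1)])
        if is_weak_des_key(k):
            raise ValueError("DES weak key at position %d: %s" % (i, k.hex()))
        keys.append(k)
    return keys

if __name__ == "__main__":
    # Constructed sample keying material, not output from the test site.
    for k in des_keys_from_keymat(bytes(range(24)), 3):
        print(k.hex(), has_odd_parity(k))
```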