
RE: IPSEC stress tester?



Stephen,

	I read that Time Step has a tool kit that ICSA is using to test and
help certify IPSec products. 
http://www.zdnet.com/products/stories/reviews/0,4161,360488,00.html

	I have been unable to find out details about this tool kit.  Perhaps
someone from Time Step is on this forum and can tell all of us about
this tool kit and how it can be obtained.


	Debbie Beers


Thanks for all the replies. I guess what I’m looking for is a test
suite that has knowledge of the IPSEC/IKE protocols and tries to
expose weaknesses.
Some simple examples could be:
 - sending ESP/AH packets to various SPI values
 - creating an IPSEC SA with IKE, and then sending corrupted ESP/AH
   packets (man-in-the-middle tests)
 - replay attacks
 - pre-shared key guessing for Phase 1 break-in attempts
 - sending in ESP packets that contain IP packets not covered by
   the Phase 2 negotiation
 - ‘exploding’ IPCOMP packets

We could probably come up with a fairly long list between us.  I would
like to see such a tool so that VPN CPE customers can sleep at night
knowing their CPE has passed these tests.
So far, I’ve tried tools intended for firewall testing, and, as you
would expect, they don’t do much with a router that is armed with IPSEC.
This sounds like an opportunity for someone. From the number of holes
I’ve had to fix in our IPSEC implementation, this someone probably
works for a company with IPSEC products.
Steve.
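The replay case on the list above, taken from the receiver's side, as an added example that is not code from this thread or from any product it mentions: a sliding-window anti-replay check in the style of RFC 2401 Appendix C, run over a constructed ESP sequence-number stream so that a gateway's accept/drop decisions can be regression-tested. The 64-packet window and the verdict strings are assumptions made here.

```python
WINDOW = 64  # assumption: the RFC 2401 default window size


class AntiReplayWindow:
    """Tracks the highest ESP/AH sequence number accepted on one SA and a
    bitmap of the WINDOW numbers below it; bit i set means (highest - i) seen."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.highest = 0      # ESP/AH sequence numbers start at 1
        self.bitmap = 0

    def check(self, seq):
        """Return 'ok' and record seq, or the reason the packet is dropped.
        A real receiver checks before, and updates the window only after,
        the packet's ICV verifies; here check and update are combined."""
        if seq == 0:
            return "zero"                     # never valid on the wire
        if seq > self.highest:                # advances the window
            shift = seq - self.highest
            if shift < self.window:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            else:
                self.bitmap = 1               # everything older falls out
            self.highest = seq
            return "ok"
        age = self.highest - seq
        if age >= self.window:
            return "stale"                    # left of the window: drop
        if self.bitmap & (1 << age):
            return "replay"                   # already accepted once
        self.bitmap |= 1 << age               # late but first-seen: accept
        return "ok"


def replay_regression(seqs, window=WINDOW):
    """Feed a constructed stream of sequence numbers through one SA's window
    and return (seq, verdict) pairs for the test report."""
    w = AntiReplayWindow(window)
    return [(s, w.check(s)) for s in seqs]


# Constructed stream: in-order packets, a replay, a jump far ahead, a packet
# that fell out of the window, a late-but-new packet, its replay, and zero.
SAMPLE_STREAM = [1, 2, 3, 2, 100, 36, 37, 37, 0]

if __name__ == "__main__":
    for seq, verdict in replay_regression(SAMPLE_STREAM):
        print(f"seq {seq:>4}: {verdict}")
```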


-----Original Message-----
From:	Paul Hoffman [mailto:paul.hoffman@vpnc.org]
Sent:	Thursday, February 25, 1999 9:41 PM
To:	Waters, Stephen; ‘ipsec@tis.com’
Subject:	Re: IPSEC stress tester?



I’m looking for a test suite that will stress-test an IPSEC security
gateway. Can anyone recommend something? If the product doesn’t exist,
maybe a service does?  I would prefer a product that I can re-use at my
leisure as part of a regression test program.

Depends on what you mean by “stress test”. There are at least two
orthogonal types of stress tests people have proposed: speed and
number/type of SAs. Creating software/hardware to test either type of
stress is easy; creating tests that are useful in the real world is
probably difficult without discussion from many vendors and customers.
A few companies have suggested that VPNC create some standard
stress-testing regimen, not so that someone can say “Product A runs
faster under stress than Product B”, but so they can say “if you put
Product C on one end of an Internet connection with a line speed of N,
you can be sure that the line speed will limit you sooner than the
processing power of Product C”. Once VPNC gets up and running, I hope
that the members will want to discuss this more, and that we make the
results public so that anyone can run the tests themselves.
 Paul Hoffman, Director
 VPN Consortium
