The application for the January 2000 VPN Interoperability Workshop is available at http://www.calbug.org:8080/vpnworkshop/ For those of you who cannot access the site, the application is attached here as a Word document and also follows in this email. Please return the completed application to anfreema@cisco.com and the payment to bob@larribeau.com. Thanks, Anita ---------------------------------------------------------------------------- -------------------------------- Return your application via email and reserve your hotel rooms before December 15, 1999! To Networking Product Developers: Cisco invites you to participate in the VPN Interoperability Workshop, January 9-14, 2000, testing IPSec/IKE, L2TP, and PPP features at Paradise Point Resort in San Diego, California. The VPN Workshop combines the tenth CalBUG (formerly CIUG) PPP Interoperability Workshop and the eighth IPSec Interoperability Workshop. The Workshop will be open to companies with products that implement any of the following protocols: IP Security (IPSec) Internet Key Exchange (IKE) IKE-CFG IKE-XAUTH IP Payload Compression (IPComp) L2TP over Transport-Mode IPSec Compression Control Protocol (CCP) with MPPC and MPPE MS Challenge Handshake Authentication Protocol (MS CHAP) Version 2 Extensible Authentication Protocol (EAP) Point to Point Tunneling Protocol (PPTP) PPP over Ethernet (PPPoE) PPP over ATM L2TP over ATM L2TP The Workshop will provide an opportunity to test the interoperability of your products with products from all of the other companies attending. The participating companies are asked to bring products that are released, at beta or near beta level for the protocols being tested. Participants are engineering staff intimately familiar with the software and hardware that implement the capabilities being tested and are expected to have a thorough understanding of the protocols. This Workshop will be open to only the participants. This is not a spectator event; it is not open to observers. Some participants will be working with unreleased products and the other attendees are expected to respect their privacy. SPONSORSHIP: Cisco is the host for the VPN Interoperability Workshop. UUNET, an MCI Worldcom Company will provide the backbone Ethernet network and access to the Internet. Madge will provide ISDN lines and CalBUG (formerly CIUG) will provide infrastructure equipment for the workshop network. Cisco will provide an ATM switch for PPPoATM and L2TPoATM testing. SCHEDULE: Sunday, January 9, 2000 12:00 Noon to 8:00 PM Registration and equipment set up by Participants Monday, January 10, 2000 7:00 AM to 8:00 AM Continental Breakfast 8:00 AM to 8:00 PM Testing 12:00 Noon to 1:30 PM Lunch Tuesday, January 11, 2000 7:00 AM to 8:00 AM Continental Breakfast 8:00 AM to 8:00 PM Testing 12:00 Noon to 1:30 PM Lunch Wednesday, January 12, 2000 7:00 AM to 8:00 AM Continental Breakfast 8:00 AM to 8:00 PM Testing 12:00 Noon to 1:30 PM Lunch 4:00 PM to 5:00 PM Pizza 5:00 PM to 7:00 PM Group Meeting Thursday, January 13, 2000 7:00 AM to 8:00 AM Continental Breakfast 8:00 AM to 8:00 PM Testing 12:00 Noon to 1:30 PM Lunch Friday, January 14, 2000 7:00 AM to 8:00 AM Continental Breakfast 8:00 AM to 5:00 PM Testing 12:00 Noon to 1:30 PM Box Lunch 3:00 PM Break Down Facility FEES: The charge for the Workshop is $300 per person. The fee is for the entire week and covers the cost of the meals and hotel facility. Each person attending must pay the full amount. There will be no provision for a daily rate for those not attending the entire week. Checks, wire transfers, or credit cards will be accepted. Cash payments are not available. Payment must be received in advance. Refunds will not be made for cancellations after December 15, 1999. Please fill out and return the payment form with your payment. Companies not registered will not be allowed to walk-in. FACILITIES: Tables and Power: Each participating company will be provided one table, 5 Amps of power, and one power strip. Bring additional power strips if you need them. If you know your test setup will require more than 5 Amps please provide that information in advance on the application form and it will be available. Backbone Ethernet Network: Each participating company will be provided a single RJ-45 cable attached to the backbone Ethernet network. The backbone Ethernet network will be a set of public class C networks connected to the Internet via a router with all routes configured statically (no dynamic routing). In the application you will be asked to specify which of the following configurations you will need and the quantity. You may request multiple configurations but you must bring your own switches/hubs and a crossover cable with an RJ-45 to RJ-45 connector to attach more than a single device to the backbone Ethernet network. Configuration 1: A single IP address with a routed private network address. A single IP address assigned from the backbone Ethernet network (a public class C network) and a private class C network (to be assigned) with a static route configured in the backbone router to the single IP address. Configuration 2: A single IP address with a routed private and public network address. A single IP address assigned from the backbone Ethernet network (a public class C network) with a private class C network (to be assigned) and a public subnetwork (/29 subnet address to be assigned) with a static route for both networks configured in the backbone router to the single IP address. Note: You can not reach the Internet with private network addresses. If these configurations do not satisfy your requirements, please contact James Matheke at 614-723-1525 or jmatheke@wcom.net. File Transfer Servers: Servers will be available for file transfers as defined in the test procedures. CA Certificates: To arrange certificates with CA providers prior to the workshop, please go to the following for details. Baltimore: lisa@baltimore.ie Entrust: http://freecerts.entrust.com/ SSH (available in late December): http://isakmp-test.ssh.fi/ VeriSign(contact alex@verisign.com): https://onsite-test-fe.bbtest.net/bakeoff/ VPNC: paul.hoffman@vpnc.org ISDN Lines: BRI and PRI lines will be provided for testing from a Madge switch. The BRI lines will be provisioned as NI-1 with CSV/D on each B channel. The BRI lines may be either a U or S/T interface. If you request a PRI line, please bring a CSU and the crossover cable to terminate the T1 interface. The PRI lines will be NI-2. Telephone Service: There will be a telephone on each table in the workshop for voice service provided by a networked PBX. ATM Circuits: There will be an ATM switch with coax interfaces provided for testing PPP over ATM or L2TP over ATM. SHIPPING EQUIPMENT TO SAN DIEGO PARADISE POINT RESORT IN SAN DIEGO, CALIFORNIA Participants will be responsible for bringing workstations and network equipment. You may ship your equipment to: San Diego Paradise Point Resort 1404 W. Vacation Road San Diego, CA 92109 Telephone: 858-274-4630 Attention: Steve Hanger Please mark "Hold for Cisco VPN Workshop" Schedule your equipment to arrive at Paradise Point Resort between January 3-7, 2000. Please provide shipping information, such as date shipped, tracking number, and number of boxes to Paradise Point Resort so receipt of your shipment may be confirmed and accepted. IMPORTANT: Please bring the shipping documents for the return of your equipment back to your company. These documents include the carrier form. International shipments must include all appropriate documents, including carrier forms and invoices. Additionally, please make arrangements with your carrier in advance for pickup of your equipment at the Paradise Point Resort for no later than 5:00 PM on Friday, January 14, 2000. You will be responsible to see that your carrier picks up your equipment. These two points are very important. Neither Cisco nor the Paradise Point Resort will be able to provide shipping forms or customs forms to you. You have to bring your own. Also neither Cisco nor the Paradise Point Resort will be able to store your equipment past January 14, 2000. ACCOMMODATIONS: Be sure to reserve by December 15, 1999, to insure that rooms will be available for you and your group. The block of rooms is available at: San Diego Paradise Point Resort 1404 W. Vacation Road San Diego, CA 92109 Telephone: 858-274-4630 or 800-344-2626 Register under "Cisco VPN Workshop" to get the discounted Workshop rate of $140.00 plus tax per night. Rooms are available for check in January 9, 2000 through check out January 14, 2000. Check in time is 4:00 PM and check out time is 12:00 Noon. Should the attendee cancel the reservation within 48 hours of arrival, they are subject to billing of one night's room and tax. Should an attendee depart early from the original check out date, the attendee will be responsible for one night's room and tax. Available room upgrade options: Lanai single/double $140 Lanai Bayview $195 Studio Suite Garden $235 Studio Suite Bayside $265 One Bedroom Suite Garden $275 One Bedroom Suite Bayview $310 About San Diego Paradise Point Resort: http://www.paradisepoint.com/ Airport Access: Airline service is available to Lindbergh International Airport, San Diego, California, USA (SAN). Alternately, you may fly to Los Angeles (LAX), California and drive approximately two hours to San Diego. Directions from Lindbergh International Airport: Take Harbor Drive North and turn right on Nimitz, follow signs to Mission Bay Park. Right on Ingraham, left at West Vacation Road. You can take Cloud 9 Shuttle 1-800-9-SHUTTLE from the airport to the hotel for transportation to the hotel for $8.00. From Terminal 1 or Terminal 2 follow the signs to the Ground Transportation Skybridge, proceed to the "Shuttle for Hire" curb and ask the "Transportation Coordinator" for Cloud 9 Shuttle. From the Commuter terminal exit the doors, cross over to the shuttle loading island, and ask the "Transportation Coordinator" for Cloud 9 Shuttle. SECURITY: An outside security company has been retained from 8:00 PM until 8:00 AM from January 8-14, 2000. There will be a sign-up procedure for participants wishing to work after 8:00 PM Those wishing to work after 8:00 PM must be present at 8:00 PM for introductions to the security staff of the evening. PRESS RELEASE: Cisco plans to make a press release following the workshop. There will be no mention of any specific results of the testing in this release. Please indicate in the application if you want your company's name included in this release as a participant. If you include your public relations person in the application, that contact will be given the opportunity to review the release in advance. REGISTRATION: This will be a "self organizing" event. It will be your responsibility to develop your own test schedule and to arrange your own testing partners. This method has worked well in the past and we believe that it provides the most productive environment for testing. In the application you will be asked to list the days you will be available for testing. Please be accurate so everyone has an opportunity to test with you. Please fill out the Product Section of the application carefully defining the supported capability list for the protocol options you will test at the workshop. We will use the information to put together a binder of data to assist when you are testing with partners. To register for the VPN Interoperability Workshop fill out the payment form and return it by email to <bob@larribeau.com>. Then fill out the application on this Web site immediately to reserve your place at the workshop. If you have any questions, send email or call Bob Larribeau, bob@larribeau.com, 415-241-9920 Based on past workshops, expected attendance is 60 companies. Get the payment form and application in early to assure yourself a place. ------------------------------ PAYMENT FORM---------------------------- PLEASE RETURN THIS PAYMENT FORM VIA EMAIL. Name: __________________________________ Company: _______________________________ Address: _________________________________ __________________________________________ City, State, Zip ________________________________ Country: _____________________________________ Phone: _________________________________ Fax: ___________________________________ Email: _________________________________ Number of Attendees: _________ x $300.00 = Total Payment $_____________ Refunds will not be made for cancellations after December 15, 1999. Pay by credit card: Fill out the form below and fax it to the CalBUG at (415) 753-6942. Credit Card Type (Circle One): American Express, Visa, Master Charge, JCB Credit Card Number: ______________________________ Expiration Date: _________________________________ Name: ____________________________________________ Signature: _______________________________________ Pay by check: Send a check made out to the CalBUG for $300 for each participant to: California Broadband User's Group, PO Box 27901-391, San Francisco, CA 94127 Wire funds to: California Broadband Users' Group Account Number 02882 07752 Bank of America #0288 288 West Portal Avenue, San Francisco, CA 94127 USA ----------------------------------------------------------------------- APPLICATION PLEASE FILL OUT THIS APPLICATION ON THE WEB SITE Please enter the name of the Workshop Coordinator who will coordinate your registration. We will send emails to this person to give the latest information on the workshop and to verify your registration. Company Name: __________________________ Name: __________________________________ Address: _________________________________ __________________________________________ City, State, Zip ________________________________ Country: _____________________________________ Phone: _________________________________ Fax: ___________________________________ Email: _________________________________ Do you want your company's name included in the Cisco press release as a participant? Yes or No Provide the name, address, phone, fax, and email of your public relations contact. We will give this person an opportunity to review the release in advance. Names of ALL Participants (including the Workshop Coordinator listed above if they will attend): Name_____________________ Name_____________________ Name_____________________ Days available for testing: M Tu W Th F Number of tables: ---------------------------------------------------------------------- IP Addresses- Number of Configuration 1: (a single IP address with a routed private network address) Number of Configuration 2: (A single IP address with a routed private and public network address) Additional Power Requirements: Number of BRI lines: 1 2 More than 2 (please specify) S/T or U interface: PRI (Yes or No): Additional Madge Switch Requirements: ATM PVC (PPP): 1 2 More than 2 (please specify) ATM PVC (L2TP): 1 2 More than 2 (please specifiy) ---------------------------------------------------------------------- Features you will be TESTING: IPSec (Y/N) IKE (Y/N) IKE-CFG IKE-XAUTH IP Payload Compression (Y/N) L2TP over Transport-Mode IPSec (Y/N) CCP with MPPC (Y/N) CCP with MPPE (Y/N) MS CHAP Version 2 (Y/N) EAP (Y/N) PPTP (Y/N) PPP over Ethernet (PPPoE) (Y/N) PPP over ATM (Y/N) L2TP over ATM (Y/N) L2TP (Y/N) ---------------------------------------------------------------------- Will you be providing: CA services (Y/N) ----------------------------------------------------------------------- Product Functionality Section: The purpose of this survey is to identify supported features so that vendors will know who is implementing what, can know who to discuss the detailed functionality with, and to identify products for more serious compatibility testing later. Fill out a Product Section to describe supported features for each device or software package you will have at the workshop. If the version is unreleased, indicate 'alpha', 'beta', RC (release candidate) or build number. Options marked with * are advanced features. --- 1--- Product Name: Software Version and OS compatibility: Product Type, check all that apply: Router_____ Firewall_____ IPSec Gateway_____ IPSec Client_____ L2TP/IPsec Client Software_____ End to End (Tunnel/Transport) Client_____ Other________________________ --- 2--- Product Name: Software Version and OS compatibility: Product Type, check all that apply: Router_____ Firewall_____ IPSec Gateway_____ IPSec Client_____ L2TP/IPsec Client Software_____ End to End (Tunnel/Transport) Client_____ Other________________________ --- 3--- Product Name: Software Version and OS compatibility: Product Type, check all that apply: Router_____ Firewall_____ IPSec Gateway_____ IPSec Client_____ L2TP/IPsec Client Software_____ End to End (Tunnel/Transport) Client_____ Other________________________ =====IPSEC=====IPSEC=====IPSEC=====IPSEC===== IPSec manual keys SA configuration (keys, SPI, algorithms) (Y/N) Minimum key length (Y/N) If yes, key length________________ AH tunnel (Y/N) AH transport (Y/N) ESP tunnel (Y/N) ESP transport (Y/N) Transport adjacency: applying more than one security protocol to the same IP datagram, without invoking tunneling, eg. [IP][AH][ESP][packet payload] (Y/N) Nested tunneling from the same box: "Tunneling IPSec in an IPSec tunnel", eg. [IP][IPSec][IP][IPSec][packet payload] where "[IPSec]" could be "[ESP]" or "[AH]" or "[AH][ESP]" and where "[packet payload]" could be a ULP or another entire IP datagram. (Y/N) Iterated tunneling on same box: "Terminate a tunnel on one interface and forward the packets out on a different tunnel on a different interface" (Y/N) ESP cipher algorithms- DES-CBC (Y/N) 3DES (Y/N) NULL encryption (Y/N) *RC5 (Y/N) *CAST (Y/N) *Blowfish (Y/N) *IDEA (Y/N) *DES-X (Y/N) ESP authenticators- HMAC-MD-5 (Y/N) HMAC-SHA-1 (Y/N) *HMAC RIPEMD-160 (Y/N) AH algorithms- HMAC-MD-5 (Y/N) HMAC-SHA-1 (Y/N) *HMAC RIPEMD-160 (Y/N) *IPP Compression Protocol- LZS (Y/N) DEFLATE (Y/N) =====IKE=====IKE=====IKE=====IKE===== IKE===== IKE Exchanges- Main/Quick mode (identity protect) (Y/N) *Aggressive mode (Y/N) *IKE Config (Y/N) *XAUTH (Y/N) *DHCP Inform for internal tunnel config (Y/N) *New Group Mode (Y/N) IKE Authentication methods- Preshared keys (Y/N) Minimum length (Y/N) If yes, length_____________ *RSA signature (Y/N) *DSS signature (Y/N) *RSA Encryption (Y/N) *Revised RSA encryption (Y/N) *GSSAPI-Kerberos v5 (Y/N) *Base Mode (Y/N) IKE Key Material- Groups supported (1,2,3,4,5,others)__________ *Elliptic Curve Groups_____________ *DH-less IKE_________ Main mode PFS (1 MM per quick mode) (Y/N) Quick mode PFS (Y/N) Minimum quickmode lifetime (bytes/secs)_________ IKE Encryption algorithms- DES (Y/N) 3DES (Y/N) CAST (Y/N) RC5 (Y/N) Blowfish (Y/N) IDEA (Y/N) Other__________________ IKE Hash algorithms- MD-5 (Y/N) SHA-1 (Y/N) *HMAC RIPEMD-160 optional (Y/N) IKE Certificates- *IKE Certificate Validation (Y/N) Validate subject name against IPSec policy data (Y/N) Normal operation requires on-line access to CA for enrollment (Y/N) Certificate Request Payload (Reqd/Optional/Not Used and Ignored)______________ *Certificate chains in band, means exchanged in IKE (Y/N) CRL support (Reqd/Optional/ None)___________ CRL retrieval mechanism (http, file, LDAP)______________ Normal operation (Reqd/Optional/ Don’t Care and Not Used) on-line access to CRL distribution point __________________ IKE Optional payloads---------------- *IKE Cert types - CERT (Y/N) CRL (Y/N) ARL (Y/N) PKCS7 (Y/N) Certificate signature algorithms supported (MD5, SHA1, etc)__________ IPSec only certificate key usage (Reqd/Optional/Don't Care)___________ Other certificate restrictions______________ *IKE Cert request types - CERT (Y/N) CRL (Y/N) ARL (Y/N) PKCS7 (Y/N) IKE Other Options- *Vendor-ID (Y/N) *Commit bit (Y/N) *Use quick mode lifetime notifies (Y/N) *Use Initial Contact (Y/N) *Send delete payload for quickmode SAs (Y/N) *Send delete payload for main mode SAs (Y/N) *CA Interoperability Issues- *RFC2510 (Y/N) *PKCS 10/7 (Y/N) *PKCS #12 (Y/N) Manual certificate enrollment (Y/N) *Level of CA hierarchies supported (number levels/No)___________ *Support certs issued by a subordinate CA, which is a child of a different vendor CA (cross certification) (Y/N) CMC (Y/N) PKIX-CMP (Y/N) CEP (Y/N) CRS (Y/N) For IPComp (RFC 2393)--------------------------------------------------------- Compression algorithms- DEFLATE - RFC 2394 (Y/N) LZS-RFC 2395 (Y/N) Negotiation mechanism- IKE (Y/N) Manually-configured (Y/N) Negotiated with- ESP/AH (Y/N) Standalone (Y/N) =====PPP=====PPP=====PPP=====PPP===== PPP===== LCP Options: Default MRU__________________________ Default MRRU_________________________ Authentication: CHAP authenticator (Y/N) CHAP authenticatee (Y/N) CHAP Re-challenge (Y/N) MS CHAP (Y/N) MS CHAP V2 (Y/N) Compression: STAC (Y/N) STAC DCP (Y/N) STAC Options _________ MPPC (Y/N) MPPE (Y/N) WCP (Y/N) Predictor (Y/N) Other__________________ IPCP: Numbered links (Y/N) Un-numbered links (Y/N) Tx if Un-numbered____________ Options supported____________ IP assignment (Y/N) IP Pool (Y/N) DHCP (Y/N) IPXCP: Numbered links (Y/N) Un-numbered links (Y/N) Tx if Un-numbered____________ Options supported____________ =====L2TP=====L2TP=====L2TP=====L2TP=====L2TP= Provide LAC (Y/N) Provide LNS (Y/N) Provide L2TP Client (Y/N) L2TP Access Concentrator (LAC) Options: Proxy LCP (Y/N) Proxy Authentication PAP (Y/N) Proxy Authentication CHAP (Y/N) Proxy Authentication MS-CHAP (Y/N) Tunnel Authentication (Y/N) Hidden AVPs (Y/N) Outgoing Calls (Y/N) Sequencing (Y/N) L2TP secured by IPSec (Reqd/Optional/No)___________ If yes, IKE authentication using identity protect or aggressive mode__________ If yes, IKE authentication using (machine/user/other) credential___________ If yes, IKE authentication (pre-shared key only/certs only/both/other)__________ L2TP Network Server (LNS) Options: Proxy LCP (Y/N) Proxy Authentication PAP (Y/N) Proxy Authentication CHAP (Y/N) Proxy Authentication MS-CHAP (Y/N) Tunnel Authentication (Y/N) Hidden AVPs (Y/N) Outgoing Calls (Y/N) Sequencing (Y/N) MP (bundle tunneled links) (Y/N) ECP (Y/N) CCP (Y/N) Algorithms______________________________ CBCP (Y/N) L2TP secured by IPSec (Reqd/Optional/No)___________ If yes, IKE authentication using identity protect or aggressive mode__________ If yes, IKE authentication using (machine/user/other) credential___________ If yes, IKE authentication (pre-shared key only/certs only/both/other)__________ Tunnel Types- Voluntary (Y/N) Compulsory (Y/N) Client L2TP Options: Tunnel Authentication (Y/N) Hidden AVPs (Y/N) Outgoing Calls (Y/N) Sequencing (Y/N) L2TP secured by IPSec (Reqd/Optional/No)___________ If yes, IKE authentication using identity protect or aggressive mode__________ If yes, IKE authentication using (machine/user/other) credential___________ If yes, IKE authentication (pre-shared key only/certs only/both/other)__________ =====PPTP=====PPTP=====PPTP=====PPTP=====PPTP= PAC (Y/N) PNS (Y/N) PPTP Client (Y/N) PPTP Options - PAC: Outgoing calls (Y/N) Incoming calls (Y/N) PPTP secured by IPSec (Reqd/Optional/No)___________ Ring-time tunnel (Y/N) Username-based tunnel (Y/N) PPTP Options - PNS: Outgoing calls (Y/N) Incoming calls (Y/N) MP (bundle tunneled links) (Y/N) MPPE (Y/N) CCP (Y/N) Algorithms______________ PPTP secured by IPSec (Reqd/Optional/No)___________ Tunnel types - Voluntary (Y/N) Compulsory (Y/N) PPTP Options - Client: MPPE (Y/N) CCP (Y/N) Algorithms______________ PPTP secured by IPSec (Reqd/Optional/No)___________ =====EAP=====EAP=====EAP =====EAP ===== EAP== Identity (Y/N) Number of retries__________ Notification (Y/N) Nak (response only) (Y/N) MD5-Challenge (Y/N) S/Key (RFC 1760) (Y/N) Generic Token Card (Y/N) RADIUS EAP-Proxy (Y/N) Other________________________ =====PPPoE===== PPPoE ===== PPPoE ===== PPPoE == Client: Can select from multiple services (Y/N) AC-Cookie Tag (Y/N) Host-Uniq Tag (Y/N) Relay-Session-Id (Y/N) PPPoE Active Discovery Terminate (PADT) packet (Y/N) Server: Can offer multiple services (Y/N) AC-Cookie Tag (Y/N) Host-Uniq Tag (Y/N) Relay-Session-Id (Y/N) PPPoE Active Discovery Terminate (PADT) packet (Y/N)
Jan2000IPSEC_PPP_application.doc