Interoperability issues in setting up SAs
At 11:35 PM -0800 12/7/01, Dan Harkins wrote:
>Complex yes. Interoperability problems? Not for the past few years. The
>interoperability problems today are not with SA construction or parsing.
It depends on what you mean by "SA construction". There are rampant
interoperability issues with traffic selection today. I see problems
with this all the time in our conformance testing.
There are three ways to describe a target that is a single IP address
(IPV4_ADDR, IPV4_ADDR_RANGE, and IPV4_ADDR_SUBNET), and
two ways to describe a target that is a typical network
(IPV4_ADDR_RANGE and IPV4_ADDR_SUBNET). Some implementations are
liberal in what they accept and interpolate between these three; most
don't, and will reject offers that don't use the ID type that they
prefer. Some implementations are only able to propose using one type.
This makes sense from a UI standpoint: do you really want to try to
get a typical IS person to know what the other side is going to
require for ID type?
After the WG has decided what it wants to do about SA specification,
the WG should help increase interoperability by specifying that
TheNextKeyExchangeAlgorithm *only* allow one type (probably range,
the most flexible). No need to get into that now, other than to
possibly disagree with the statement above about how wonderful
interop is today on this.
--Paul Hoffman, Director
--VPN Consortium
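As an added illustration (not part of the thread), here is a small Python normaliser that maps all three IPv4 ID types to one canonical address range, so a responder can tell whether two offers cover the same target regardless of which ID type the peer chose, and can re-emit any accepted ID in the range form the message above favours. The ID names and payload byte layouts follow the IPsec DOI (RFC 2407); the function names are my own.

```python
from ipaddress import IPv4Address

# Identification payload data layouts from the IPsec DOI (RFC 2407):
#   IPV4_ADDR         4 bytes  address
#   IPV4_ADDR_SUBNET  8 bytes  address || mask
#   IPV4_ADDR_RANGE   8 bytes  first address || last address
ID_DATA_LEN = {"IPV4_ADDR": 4, "IPV4_ADDR_SUBNET": 8, "IPV4_ADDR_RANGE": 8}
MASK32 = 0xFFFFFFFF


def to_range(id_type: str, data: bytes) -> tuple[int, int]:
    """Canonicalize any IPv4 ID type to (first, last) as integers.

    Malformed or ambiguous data raises ValueError instead of being guessed
    at, so a responder never installs a wider selector than was offered.
    """
    if id_type not in ID_DATA_LEN or len(data) != ID_DATA_LEN[id_type]:
        raise ValueError(f"malformed {id_type} ID data: {data.hex()}")
    if id_type == "IPV4_ADDR":
        addr = int.from_bytes(data, "big")
        return addr, addr
    if id_type == "IPV4_ADDR_SUBNET":
        addr = int.from_bytes(data[:4], "big")
        mask = int.from_bytes(data[4:], "big")
        host_bits = ~mask & MASK32
        if host_bits & (host_bits + 1):      # non-contiguous mask
            raise ValueError(f"non-contiguous mask {mask:08x}")
        if addr & host_bits:                  # host bits set: ambiguous
            raise ValueError(f"host bits set in subnet ID {data.hex()}")
        return addr, addr | host_bits
    first = int.from_bytes(data[:4], "big")
    last = int.from_bytes(data[4:], "big")
    if first > last:
        raise ValueError("range start is after range end")
    return first, last


def same_selector(a: tuple[str, bytes], b: tuple[str, bytes]) -> bool:
    """True when two IDs of possibly different types cover the same addresses."""
    return to_range(*a) == to_range(*b)


def as_range_id(id_type: str, data: bytes) -> tuple[str, bytes]:
    """Re-encode any accepted ID as IPV4_ADDR_RANGE, the most general form."""
    first, last = to_range(id_type, data)
    return "IPV4_ADDR_RANGE", first.to_bytes(4, "big") + last.to_bytes(4, "big")


def ip(s: str) -> bytes:
    """Dotted-quad string to the 4-byte wire form used in ID payloads."""
    return IPv4Address(s).packed
```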