Interoperability issues in setting up SAs



At 11:35 PM -0800 12/7/01, Dan Harkins wrote:
>Complex yes. Interoperability problems? Not for the past few years. The
>interoperability problems today are not with SA construction or parsing.

It depends on what you mean by "SA construction". There are rampant 
interoperability issues with traffic selection today. I see problems 
with this all the time in our conformance testing.

There are three ways to describe a target that is a single IP address 
(IPV4_ADDR, IPV4_ADDR_RANGE, and IPV4_ADDR_SUBNET), and 
two ways to describe a target that is a typical network 
(IPV4_ADDR_RANGE and IPV4_ADDR_SUBNET). Some implementations are 
liberal in what they accept and interpolate between these three; most 
don't, and will reject offers that don't use the ID type that they 
prefer. Some implementations are only able to propose using one type. 
This makes sense from a UI standpoint: do you really want to try to 
get a typical IS person to know what the other side is going to 
require for ID type?

After the WG has decided what it wants to do about SA specification, 
the WG should help increase interoperability by specifying that 
TheNextKeyExchangeAlgorithm *only* allow one type (probably range, 
the most flexible). No need to get into that now, other than to 
possibly disagree with the statement above about how wonderful 
interop is today on this.

--Paul Hoffman, Director
--VPN Consortium