[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

divergent interpretations of IKE/IPsec - interop issues

To: IPsec <ipsec@lists.tislabs.com>
Subject: divergent interpretations of IKE/IPsec - interop issues
From: Christophe Gouault <christophe.gouault@6wind.com>
Date: Thu, 21 Mar 2002 10:43:36 +0100
Organization: 6WIND
Sender: owner-ipsec@lists.tislabs.com

Hello,

During interoperability tests on several IKE/IPsec implementations, we
discovered different interpretations of the IKEv1 or IPsec
specification.

Let's consider the following transform:

(1)       [IP][data]  ==(IPsec)==>  [IP][AH][ESP][encrypted IP+data]

To negociate such transform as IKE-initiator,
(2) some implementations send a QM proposal of AH_transport + ESP_tunnel
    (6WIND, KAME, OpenBSD...)
(3) some other implementations send a QM proposal of AH_tunnel +
    ESP_tunnel (FreeS/WAN, Cisco...)

If initiator and responder use different interpretations, the
negociation fails most of the time.
These two different interpretations consequently lead to
non-interoperable implementations.

IMHO only ESP is in tunnel mode in this transform, as opposed to AH
which is in transport mode. But some implementors seem to consider that
mode applies globally to the transform (AH+ESP).

Are (2) and (3) valid representations of transform (1) ?

/christophe

Follow-Ups:
- Re: divergent interpretations of IKE/IPsec - interop issues
  - From: Joern Sierwald <joern@f-secure.com>

Prev by Date: pre-shared key v RSA encryption or RSA signature authentication modes
Next by Date: Re: Don't remove TS from IKEv2
Prev by thread: Re: pre-shared key v RSA encryption or RSA signature authentication modes
Next by thread: Re: divergent interpretations of IKE/IPsec - interop issues
Index(es):
- Date
- Thread