RE: [Ipsec] Query for IPv6 ICV
> I'm trying to establish an IPSEC session over IPv6 with
> Windows XP and FreeBSD (Kame's implementation) AH Transport
> mode with HMAC-MD5 authentication. Windows sends an ICV of
> 20 bytes (with 4 padded 0 bytes) and FreeBSD simply discards the packet.

With the Microsoft IPv6 stack, you need to specify the algorithm as
"HMAC-MD5-96" in the .sad file, not "HMAC-MD5".

"HMAC-MD5-96" will make it use HMAC-MD5-96, as described in RFC 2403
("The Use of HMAC-MD5-96 within ESP and AH"), which is most likely
what you want for interoperability.

"HMAC-MD5" will make it use HMAC-MD5-128. This is a vendor-specific
algorithm that is provided in addition to the IETF-standardized
algorithms. It is probably not what you want.

Similarly, to get HMAC-SHA1-96, you need to specify "HMAC-SHA1-96", not
"HMAC-SHA1".

Hope this helps!

Mike
_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
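
Added example (not part of the original message, and not code from either implementation): a Python sketch of why the two algorithm names in the reply produce different AH headers over IPv6, including the 20-byte ICV field reported in the question. It assumes the 12-byte fixed AH header and the 8-byte IPv6 alignment rule from RFC 2402; the key, the data and all function names are constructed for illustration, and the receiver check is a simplified model.

```python
import hmac

AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number

# .sad algorithm names from the message above -> (hash, ICV bytes kept)
ALGS = {
    "HMAC-MD5-96": ("md5", 12),    # RFC 2403: leftmost 96 bits
    "HMAC-MD5": ("md5", 16),       # untruncated 128-bit variant
    "HMAC-SHA1-96": ("sha1", 12),
}


def icv(alg: str, key: bytes, data: bytes) -> bytes:
    """HMAC over data, keeping only the leftmost bytes the algorithm uses."""
    digest, keep = ALGS[alg]
    return hmac.new(key, data, digest).digest()[:keep]


def ah_icv_field(alg: str, key: bytes, data: bytes) -> bytes:
    """ICV plus zero padding so the AH header is a multiple of 8 bytes (IPv6)."""
    value = icv(alg, key, data)
    padding = -(AH_FIXED_LEN + len(value)) % 8
    return value + b"\x00" * padding


def payload_len(icv_field: bytes) -> int:
    """AH Payload Len: header length in 32-bit words, minus 2."""
    return (AH_FIXED_LEN + len(icv_field)) // 4 - 2


def receiver_accepts(alg: str, key: bytes, data: bytes, icv_field: bytes) -> bool:
    """Simplified receiver: field size and value must match its own algorithm."""
    expected = ah_icv_field(alg, key, data)
    return len(icv_field) == len(expected) and hmac.compare_digest(icv_field, expected)


if __name__ == "__main__":
    # Constructed key and stand-in for the bytes AH authenticates.
    key, data = b"k" * 16, b"constructed stand-in for the authenticated bytes"
    for sender in ("HMAC-MD5", "HMAC-MD5-96"):
        field = ah_icv_field(sender, key, data)
        ok = receiver_accepts("HMAC-MD5-96", key, data, field)
        print(f"{sender:12} ICV field={len(field)} bytes, "
              f"Payload Len={payload_len(field)}, accepted={ok}")
```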