From owner-ipsec@lists.tislabs.com Fri Feb 1 09:19:56 2002
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101])
by above.proper.com (8.11.6/8.11.3) with ESMTP id g11HJt310628;
Fri, 1 Feb 2002 09:19:55 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA26672
Fri, 1 Feb 2002 11:00:51 -0500 (EST)
From: dfox@quarrytech.com
Message-ID: <496A8683261CD211BF6C0008C733261A018EACED@email.quarrytech.com>
To: jerry.wang@tumbleweed.com
Cc: ipsec@lists.tislabs.com
Subject: RE: interoperability of IPSec between solaris 8 and win2k
Date: Fri, 1 Feb 2002 11:11:03 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C1AB3B.0BB8B8C0"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C1AB3B.0BB8B8C0
Content-Type: text/plain;
charset="iso-8859-1"
Jerry,
That isn't all that unusual. While they may not be able to do
dynamic negotiation of keys, you should still be able to verify
interoperability with manual tunnels. What you would be verifying in this
case is that the IPsec encryption, AH and/or ESP, was working.
The "restriction" in Solaris 8 for having the key comprised of
the authentication and encryption keys is not unique. I previously tested
the SSR family of routers at Cabletron, which had IPsec support. That was
exactly how we specified the keys. The software then split up the provided
key in the correct proportions to satisfy the authentication and encryption
key needs. In that case, depending on the hashing and encryption algorithms
that you choose, you will need to provide a long enough key for both. In
the Win2K environment, you'll need to figure out where the split in the key
is so that you can specify them separately, if that is how Win2K requires
them to be specified.
With two different implementations, the trick is to specify the
parameters to both implementations, in their native management environment,
such that they will be able to communicate. You should be able to make it
happen after a little trial and error, I suspect.
I am not aware if they have been submitted for a mark from VPNC
or ICSA. If they were, and received their respective mark for whatever
subset they were submitted to be tested against, then they will have been
tested for interoperability with the lab's "reference set" of routers. If
they passed, then you've got your interoperability answer. ICSA is at
www.icsalabs.com
J=
erry,
<=
span
style=3D'mso-tab-count:1'> &nbs=
p; That
isn’t all that unusual. =
While they
may not be able to do dynamic negotiation of keys, you should still be =
able to
verify interoperability with manual tunnels. What you would be verifying in this case is that the =
IPsec
encryption, AH and/or ESP, was =
working.
<=
![if =
!supportEmptyParas]>
<=
span
style=3D'mso-tab-count:1'> &nbs=
p; The
“restriction” in Solaris 8 for having the key comprised of =
the authentication
and encryption keys is not unique.
I previously tested the SSR family of routers at Cabletron, =
which had
IPsec support. That was =
exactly how
we specified the keys. =
The software
then split up the provided key in the correct proportions to satisfy =
the
authentication and encryption key needs.
In that case, depending on the hashing and encryption algorithms =
that
you choose, you will need to provide a long enough key for both. In the Win2K environment, =
you’ll need
to figure out where the split in the key is so that you can specify =
them
separately, if that is how Win2K requires them to be =
specified.
<=
![if =
!supportEmptyParas]>
<=
span
style=3D'mso-tab-count:1'> &nbs=
p; With
two different implementations, the trick is to specify the parameters =
to both
implementations, in their native management environment, such that they =
will be
able to communicate. You =
should be
able to make it happen after a little trial and error, I =
suspect.
<=
![if =
!supportEmptyParas]>
<=
span
style=3D'mso-tab-count:1'> &nbs=
p; I
am not aware if they have been submitted for a mark from VPNC or =
ICSA. If they were, and received =
their
respective mark for whatever subset they were submitted to be tested =
against,
then they will have been tested for interoperability with the =
lab’s “reference
set” of routers. =
If they passed, then
you’ve got your interoperability answer.
ICSA is at www.icsalabs.com and
VPNC is at www.vpnc.org.
<=
![if =
!supportEmptyParas]>
G=
ood luck!
<=
![if =
!supportEmptyParas]>
<=
span
style=3D'mso-tab-count:1'> &nbs=
p; David
Fox
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D
David Fox &=
nbsp; &=
nbsp;
&=
nbsp;
Quarry Technologies &=
nbsp; &=
nbsp;
dfox@quarrytech.com
8 New England Executive Park &=
nbsp;
Direct: 781-359-5094
Burlington, Massachusetts 01803 Main: =
781-505-8300
x5094
www.quarrytech.com &=
nbsp; &=
nbsp;
FAX: =
781-505-8316
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D
=
-----Original
Message-----
From: =
jerry.wang@tumbleweed.com
[mailto:jerry.wang@tumbleweed.com]
Sent: Wednesday, January =
30, 2002
4:55 PM
To: =
ipsec@lists.tislabs.com
Subject: =
interoperability of IPSec
between solaris 8 and win2k
Hi =
all,
I am
testing the interoperability of IPSec between the native support from =
solaris 8
and win2k. It seems not possible due to the fact that solaris 8's ipsec
implementation is not full-fledged, and it only allows for manual keyed =
sa.
Also the length of the keys is dependent on the authentication and =
encryption
algorithm on solaris 8 while win2k doesn't seem to have this =
constraint.
Win2k configuration tool only allows for authentication key to be =
manually
configured, not encryption key.
So I
can't see how these two would work together. Does anyone have a similar
experiment and draw the same or opposite conclusions? =
Thanks.
------=_NextPart_000_0092_01C1AB14.779E4040-- From owner-ipsec@lists.tislabs.com Fri Feb 1 12:30:37 2002 Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g11KUa316105; Fri, 1 Feb 2002 12:30:36 -0800 (PST) Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA27204 Fri, 1 Feb 2002 14:35:40 -0500 (EST) From: "Andrew Wenlang Zhu"From:=20 dfox@quarrytech.comCc: ipsec@lists.tislabs.com =Sent: Friday, February 01, 2002 = 11:11=20 AMSubject: RE: interoperability = of IPSec=20 between solaris 8 and win2kJerry,
=20 That isn’t all that unusual. =20 While they may not be able to do dynamic negotiation of keys, = you=20 should still be able to verify interoperability with manual = tunnels. What you would be verifying = in this=20 case is that the IPsec encryption, AH and/or ESP, was=20 working.
=20 The “restriction” in Solaris 8 for having the key = comprised of the=20 authentication and encryption keys is not unique. I previously tested the SSR = family of=20 routers at Cabletron, which had IPsec support. That was exactly how we = specified the=20 keys. The software then = split up=20 the provided key in the correct proportions to satisfy the = authentication and=20 encryption key needs. = In that=20 case, depending on the hashing and encryption algorithms that you = choose, you=20 will need to provide a long enough key for both. In the Win2K environment, = you’ll need=20 to figure out where the split in the key is so that you can specify = them=20 separately, if that is how Win2K requires them to be=20 specified.
=20 With two different implementations, the trick is to specify the = parameters to both implementations, in their native management = environment,=20 such that they will be able to communicate. You should be able to make = it happen=20 after a little trial and error, I = suspect.
=20 I am not aware if they have been submitted for a mark from VPNC = or=20 ICSA. If they were, and = received=20 their respective mark for whatever subset they were submitted to be = tested=20 against, then they will have been tested for interoperability with the = lab’s=20 “reference set” of routers. If=20 they passed, then you’ve got your interoperability answer. ICSA is at www.icsalabs.com and VPNC is at = www.vpnc.org.
Good=20 luck!
=20 David Fox
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D= -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D
David Fox &n= bsp; &nb= sp; =20 &n= bsp;
Quarry Technologies &n= bsp; &nb= sp; =20 dfox@quarrytech.com
8 New England Executive = Park &n= bsp; =20 Direct: 781-359-5094
Burlington, Massachusetts 01803 =20 Main: 781-505-8300 x5094
www.quarrytech.com &n= bsp; &nb= sp; =20 FAX: =20 781-505-8316
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D= -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D
<= SPAN=20 class=3DEmailStyle15>
-----Original=20 Message-----
From:=20 jerry.wang@tumbleweed.com = [mailto:jerry.wang@tumbleweed.com]
Sent: Wednesday, January 30, = 2002 4:55=20 PM
To:=20 ipsec@lists.tislabs.com
Subject: interoperability of = IPSec=20 between solaris 8 and win2k
Hi=20 all,
I am=20 testing the interoperability of IPSec between the native support from = solaris=20 8 and win2k. It seems not possible due to the fact that solaris 8's = ipsec=20 implementation is not full-fledged, and it only allows for manual = keyed sa.=20 Also the length of the keys is dependent on the authentication and = encryption=20 algorithm on solaris 8 while win2k doesn't seem to have this = constraint.=20 Win2k configuration tool only allows for authentication key to be = manually configured, not encryption key.
So I=20 can't see how these two would work together. Does anyone have a = similar=20 experiment and draw the same or opposite conclusions?=20 Thanks.
Jerry,
&nb=
sp; Can’t
help you with the specifics of Solaris and Win2K as I haven’t had =
to use them,
as yet. =
&nbs=
p; When
I hear someone talk about “managing” the keys, I think of =
dynamic tunnels using
ISAKMP. I could be wrong =
but I don’t
think there is anything you have to “manage” with manual =
tunnels. You are statically going to =
pick key
values that aren’t going to change.
For simplicity in testing, you can use the same key for in-bound =
and
out-bound manual keys. =
You just
need to split them according to the requirements of the authentication =
and encryption
needs. To further =
simplify, until
you get the first tunnel running, why not try just AH or just ESP
encryption? The key =
lengths will
be smaller and you won’t have to worry about keying multiple =
protocols.
&nbs=
p; If
you don’t have the list handy, here are the key lengths required =
by the
algorithms:
-
Authentication: =
MD5
– 16 bytes
SHA-1 – 20 =
bytes
-
Encryption: &nbs=
p; DES
– 8 bytes
T=
riple-DES
– 24 bytes
If you need to use different keys, remember that the OUT-bound =
key and
SPI on one side is the IN-bound key and SPI on the other =
side.
Maybe someone else can chime in with specifics on the two
implementations?
Good luck!
&nbs=
p; David
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D
David Fox &=
nbsp; &=
nbsp;
&=
nbsp;
Quarry Technologies &=
nbsp; &=
nbsp;
dfox@quarrytech.com
8 New England Executive =
Park &=
nbsp;
Direct: 781-359-5094
Burlington, Massachusetts 01803 Main: =
781-505-8300
x5094
www.quarrytech.com &=
nbsp; &=
nbsp;
FAX: =
781-505-8316
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D
=
<=
![if =
!supportEmptyParas]>
-----Original
Message-----
From: Jerry Wang
[mailto:jerry.wang@tumbleweed.com]
Sent: Friday, February =
01, 2002
11:35 AM
To: =
dfox@quarrytech.com
Cc: =
ipsec@lists.tislabs.com
Subject: Re: =
interoperability of
IPSec between solaris 8 and win2k
Thanks.
I tried to figure out how solaris and win2k managed the keys so that I =
could
make them compatible at the configuration level (not the user interface =
level)
by supplying carefully picked keys. So far I haven't gotten any =
luck.
Jerry
-----
Original Message -----
Sent:
Friday, February 01, 2002 11:11 AM
Subject: RE: interoperability of IPSec between solaris 8 and =
win2k
Jerry,
&nbs=
p; That
isn’t all that unusual. =
While they
may not be able to do dynamic negotiation of keys, you should still be =
able to
verify interoperability with manual tunnels. What you would be verifying in this case is that the =
IPsec
encryption, AH and/or ESP, was =
working.
&nbs=
p; The
“restriction” in Solaris 8 for having the key comprised of =
the authentication
and encryption keys is not unique.
I previously tested the SSR family of routers at Cabletron, =
which had
IPsec support. That was =
exactly
how we specified the keys. =
The
software then split up the provided key in the correct proportions to =
satisfy
the authentication and encryption key needs. In that case, depending on the hashing and =
encryption
algorithms that you choose, you will need to provide a long enough key =
for
both. In the Win2K =
environment,
you’ll need to figure out where the split in the key is so that =
you can specify
them separately, if that is how Win2K requires them to be =
specified.
&nbs=
p; With
two different implementations, the trick is to specify the parameters =
to both
implementations, in their native management environment, such that they =
will be
able to communicate. You =
should be
able to make it happen after a little trial and error, I =
suspect.
&nbs=
p; I
am not aware if they have been submitted for a mark from VPNC or =
ICSA. If they were, and received =
their
respective mark for whatever subset they were submitted to be tested =
against,
then they will have been tested for interoperability with the =
lab’s “reference
set” of routers. =
If they passed,
then you’ve got your interoperability answer. ICSA is at www.icsalabs.com
and VPNC is at www.vpnc.org. =
Good luck!
&nbs=
p; David
Fox
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D
David Fox &=
nbsp; &=
nbsp; &=
nbsp;
Quarry
Technologies &=
nbsp; &=
nbsp;
dfox@quarrytech.com
8 =
New England
Executive Park =
Direct:
781-359-5094
Burlington,
Massachusetts 01803
Main: 781-505-8300 x5094
www.quarrytech.com &=
nbsp; &=
nbsp;
FAX: =
781-505-8316
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D
-----Original Message-----
From: =
jerry.wang@tumbleweed.com
[mailto:jerry.wang@tumbleweed.com]
Sent: Wednesday, January =
30, 2002
4:55 PM
To: =
ipsec@lists.tislabs.com
Subject: =
interoperability of IPSec
between solaris 8 and win2k
Hi all,
I am testing the interoperability of IPSec between the =
native
support from solaris 8 and win2k. It seems not possible due to the fact =
that
solaris 8's ipsec implementation is not full-fledged, and it only =
allows for
manual keyed sa. Also the length of the keys is dependent on the =
authentication
and encryption algorithm on solaris 8 while win2k doesn't seem to =
have
this constraint. Win2k configuration tool only allows for =
authentication
key to be manually configured, not encryption key. =
So I can't see how these two would work together. Does =
anyone have
a similar experiment and draw the same or opposite conclusions? =
Thanks.
Additionally, some new Oakley groups should be = identified at the same time. Some of those will undoubtly have to be = ECDH groups in order to reasonably support 256 bit keys (anyone want to = deal with 15K bit Oakley groups?)
-----Original Message-----
From: Andrew Wenlang Zhu [mailto:Andrew_zhu@hp.com]
Sent: Friday, February 01, 2002 2:46 PM
To: ipsec@lists.tislabs.com
Subject: What is the standardization status of AES =
in IPSec?
Hello:
Can any one give me an update on the standardization =
status of using AES in
IPSec?
I am reading "The AES Cipher Algorithm and Its Use =
With IPsec"
<draft-ietf-ipsec-ciph-aes-cbc-03.txt> and =
read " Once NIST has published
the AES FIPS ... AES should become a default and =
mandatory-to-implement
cipher algorithm for IPSec".
FIPS-197 was out in Nov-2001. When an IPSec/AES RFC = is expected to come out?
Thanks,
---------------------------------------
Andrew Zhu
HP Systems Networking Solution Lab
IP Security & System Firewall Project
Andrew_zhu@hp.com
Forgive the intrusion of this thought, but those of = us working commercially have to ask: would use of AES 128 without 128 = bits of entropy have any FIPS implications? FIPS 197 doesn't mandate = (from what I can tell) 128 bits of entropy for 128 bit key AES, but is = there another FIPS document that would imply that x bit keys require x = bit of entropy?
Additionally, it makes me a bit uneasy to not use 128 = bits of entropy here. I believe AES with 128 bit keys carries the idea = of 128 bits of entropy to the uneducated and lesser educated, even if = they don't understand entropy and all the other concepts = involved.
mark
-----Original Message-----
From: Jari Arkko [mailto:jari.arkko@kolumbus.fi=
]
Sent: Sunday, February 03, 2002 1:43 AM
To: Hilarie Orman, Purple Streak Development;
Mark.Winstead@NetOctave.com
Cc: ipsec@lists.tislabs.com
Subject: Re: What is the standardization status of =
AES in IPSec?
> I'm curious as to how many people believe that a =
MUST for a 128-bit AES
> key means a MUST for 128 bits of entropy in the =
key.
I don't. While I believe we should move to AES as =
soon as possible, I
don't necessarily believe in the statement that all =
components of the
protocol set must be equally strong; you should be =
able to take advantage
of a new good algorithm even if you can't for e.g. =
computational reasons
increase Diffie-Hellman key lengths quite as =
much.
Thus, I believe we should standardize groups matching =
AES strength,
but not make them mandatory. And we need to explain =
the strength
issues somewhere.
Jari
Well not a Verisign site, you can get test certificates from Entrust at:
Greg Carter - http://www.carter-engineering.com
Entrust Inc - http://www.entrust.com
-----Original Message-----
From: bhargavi [mailto:bhargavi@austin.ibm.com]
Sent: Tuesday, February 05, 2002 12:03 PM
To: ipsec@lists.tislabs.com
Subject: Certificates from Verisign
Hi!
Can anyone tell me how to request for a personal certificate and a CA
Certificate from Verisign. I need to do some testing in signature mode
of authentication. I could not locate it on the Verisign website...
verisign.com.