Redmond Bakeoff Summary Report (long) - TXT

[William Dixon <wdixon@microsoft.com>]

IPSec Interoperability Workshop Aug 31st- Sept 3 1998
Summary Report

Location: Microsoft Campus, Redmond WA
Attending: 60 people, 19 companies.
		Axent/Raptor, Cisco IOS, Checkpoint, Intel, HiFn, Interlink,
IRE, Microsoft NT5, Netscreen, Redcreek, SSH, Timestep, Worldcom/ANS, IRE,
Free SWAN
		Verisign, Entrust, Worldcom Advanced Networks - James
Matheke, Digital Signature Trust Company, Microsoft PKI & Directory reps
		L2TP/IPSec: Microsoft NT5 and Cisco IOS

Handouts:
(I will get these on a public web site ASAP.  Stay tuned for pointer)

Network Configuration Tear Sheet - network topology explanation & diagram
Testing Matrix: had 43 options * (transport + tunnel) * (initial + rekey) =
172 tests.
Rodney Thayer's draft IPSec certificate profile
IPSec Rekeying Issues powerpoint slides, by Tim Jenkins of Timestep
Working copy of Draft-ietf-ipsec-ldap-schema.txt
Powerpoint slides presented at IETF Policy BOF explaining
draft-ietf-ipsec-ldap-schema.txt
Microsoft Directory Enabled Networking Powerpoint slides by Steve Judd
Microsoft Public Key Infrastructure Powerpoint slides by Rick Johnson
Windows NT5.0 Beta2 walkthrough guide for creating IPSec policy


Debriefing Survey
=================
On Wed and Thursday, I surveyed 8 companies with the following questions,
saying that I would compile a list of responses without indicating vendors
and post the compiled report to the IETF IPSec mailing list.  Here are the
results.  I have attempted to reduce duplication by indicating in
parentheses how many of the respondants indicated a similar response, eg (4)
means 4 out of 8 vendors.  There is no priority or ordering on these
listings, other than popular reponses appear first.

What did you fix?
===========================================================
Policy mgmt bugs. Modification on end-to-end policy configuration (3)
Fragmentation on large packet (2)
Vendor id payload support
3DES key generation
Multiple MM proposals are not draft compliant
Initial contact handling
Additional padding that expands payload in IKE MM
Construction of id payload of type ID FQDN and ID USER NAME during RSA
Signatures
Fixed the parsing of pulling out the SubjectAltName out of the cert.
Problems handling multiple proposals
Problems handling the payload when 2 lifetypes were being sent, for example
seconds and bytes.
Better understanding of what is in main mode
Circular cert chain signature handling
Draft change to support initial contact
Make sure that if peer sends back invalid ids, that they do not overwrite
the initiators ids 
Ignore empty cert request payload
Wrong checksum in inner payload header.  Other implementations were not
checking
Empty payload of cert caused AV
Cert signed circular chain handling
ISAKMP config mode- hashing incorrectly
RSA encryption mode- not encrypting all that we should
AH + ESP negotiated for tunnel mode
Nothing
If we didn't receive proxy IDs during QM when negotiating transport mode, we
would fail. Most vendors don't send these. IOS and NT do this to support
protocol and port based filters. We need to add a test case to do this
regularly.
If we did not receive the encapsulation attribute, we would send it back. 
Wrongly padding  the Oakley header length to 4 byte boundaries
Bug found in test tools
Where and HOW to encode v3 extensions in PKCS10 requests.  Mostly due to how
old BCERT toolkits used to do it which is not what RSA actually spec'd.

What did you not fix - what still needs to be worked on?
=========================================================
PKI usage: Cert subject altname comparison with MM id payload, Certificate
chain processing, CRL support, Cross-certification, DN in certs, Every (CA?)
vendor had different cert request format (5)
Using DSS/DSA - only supported by HiFn, CA vendors MS & Entrust & GTE (2)
Fragmented TCP packets failing auth checks
Need to send deletes for all of the SPIs when doing an AND proposal
Initiating SAs
Commit bit handling
Rekey issues: Initiator switching to responder because original responder
hit lifetime timeout first and visa-versa.
Responder changing attributes in transform.
The PKCS10 requests with v3 extensions.  Currently MS puts then in a
proprietary attribute (said they would change), the 'standard' attribute to
put them in is the rsaExtensionsAttribute, however RSA BCERT and TIPEM
toolkits add an extra level of encoding and encode the sequence of extension
as a T61String which is NOT the documented format.  The cure is to have CA
vendors try to decode from both and have all new clients only do
rsaExtensionsAttribute as Seq of Ext.

What are the open IPSec design issues?
========================================================
PKI usage, cert formats, CA enrollment, deployment model for cert-based
trust, supporting CRLs, supporting cert request payload (5)
Peer Recovery, stale/Inactive SAs which linger when peer has lost state.
Orphaned phase2 SA. This can be due to a missed delete (since deletes are
not reliable) or a system crash of a peer (4)
ISAKMP header not authenticated. Initial contact & all notifications are not
authenticated (4)
Commit bit. Since it is unauthenticated if it is present in the IKE header.
Is it still a MUST? (2)
Version#s not authenticated in IKE header
Common policy configuration & distribution for multiple vendor devices that
a single manager can use.
Mobile clients - preshared key per user?  Lose identity protection with
aggressive mode
Rekey mechanism that doesn't lose traffic by design
When tunneling traffic, do you reassemble packet first, then filter, then
forward to tunnel?
Configuration problems, ISAKMP config needs further work
Support in drafts for authentication method per selector conflicts with
using MM with QM.  Applications can't use their own trust system for their
traffic - must be manually configured out-of-band between machines (IP
addresses).  This is why MM with QM protection is abandoned by vendors in
favor of aggressive mode, so that QM parameters, and also identities, can be
known first to succeed with authentication.
Race conditions when have multiple SAs to same box from one source, rekeying
MM over multiple QM
Multiple QM proposals
How to get tunnels set up
Mismatch filters in policy.  When initiator should propose both the full
filter breadth, as well as the specific packet protocol type/ports to the
responder, so the responder can pick the widest clean match.
Need some kind of model for using SNMP MIB for reporting and management of
IPSec enabled devices.
Think IKE is open to denial of service attack because anyone can provoke DH
computation in MM. Should only create state when get cookie back to reduce
denial of service.
IKE over non-IP
Disagreement on how AH with ESP in transport or tunnel mode should be
expressed in policy, negotiated, or have their separate SAs managed
Need full client-side configuration to support simultaneous tunnels from one
client to different gateways
Need "Credential Request Payload" more general than just certificate request
payload, to support retry for authentication when both systems participate
in multiple trust models.

What are the open IPSec interop issues? If products shipped today, what
problems would customers encounter with multiple IPSec products?
================================================================
Policy expression, configuration for interop (5)
Peer recovery of SAs, with mobile users, between two gateways (2)
US export IPSec interop- no support at all in drafts for what products have
to implement for ESP. Custom DH group for export not supported in drafts (2)
Understanding why proposals failed- Error messages to detail why proposal
not chosen (Michael Richardson going to collect error codes & messages from
vendors)
Multiple proposals for export not supported
Policy distribution
Client interop because clients haven't been tested much, mostly GW/FW
Real world application usage/admin, where systems are taken up/down, address
changes, etc.
Biggest challenge is to cover all aspects/combinations
Hard to balance tolerance of variance among IPSec implementations which is
necessary for interop with strictness of checks to fulfill security and
draft requirements.
Scalability
Some/many vendors not installing SA parameters which were negotiated, using
what filter policy specified.
Cert encoding for CRP, most people understand X.509
Key usage flags in cert, what you expect to get back for generic or specific
for data encryperment. Maybe define another type of cert field encoding,
have 1-9, need 10.
How to process Subject Altname
Nobody else is doing encrypted nonces
Enforcing check that traffic sent through IPSec format matches filter which
was negotiated.  This must be agreed upon by other vendors.  Not covering
this in bakeoff testing because people mostly ping and ftp test, not
multi-protocol  or multi-port through same SA.
Having certificate storage and key signing operations on smartcards, where
they don't provide a signature without the OID
What was good about the bakeoff?
=========================================================
Small size, good working time (4)
Organized well (2)
Providing PCs, cables (2)
Beer (2)
Having a preplanned test matrix
Having several CA vendors, ability to discuss and try CRLs, different certs
Plenty of space, good friendly atmosphere. Microsoft people being very
helpful
Timing was good
The network was setup when we got there.
More than one network allocated for each vendor to allow gateway testing

What wasn't so good about bakeoff?
========================================================
Had to reconfigure because test net was not on Internet which for many
caused a reboot. Only really need 4-5 class C addresses with preplanned
private net space.  Should have DHCP on external net.  NAT from private to
public wouldn't work using IPSec, of course, because using IPSec to get back
home to company net. (3)
Power failure Monday morning (2)
Internet access via ISDN 128Kb was very slow (2)
Didn't seem that anyone could cover the test matrix with another vendor even
50%.
Everyone still ping testing, not real traffic, limited ftp transfers for
those who tried rekeying
No T-shirts
Clients were not really tested, mostly vendor's gateway/Firewall products.
Not testing CRLs, not testing cert expirations
Hard to understand why two systems would not interoperate
Need phones at each station
Network addressing plan was hard to read and understand what is needed.
Need picture of topology.
Impossible to design comprehensive test matrix, don't have time in a bakeoff
to test all of these
No time to get into real situation test
Test matrix too confusing.  Rather see list of topologies with spec of "to
reach my network do this MM proposal and these different policies for telnet
and http"

For next bakeoff at IBM, what should be done?
========================================================
Test rekey in each direction under stress (4).  Use FTP for this.
Huge payload to test fragmentation & reassembly in IPSec ESP, AH under load
(2)
Seat vendors together who more advanced in their IPSEC/IKE implementations.
Otherwise it will be n-X-n testing matrix which is impossible with 60
vendors present.
Post test matrix to the IPSec list before the event to get comments on it's
completeness
Make sure real world topology is tested: static IP client -> GW -- internal
net -- servers on PCs
ICSA should say more about rekeying issues, or allow vendors out of their
NDA signed during certification testing to discuss rekeying issues
Not relying on non-mandatory messages
Peer recovery testing
Negotiating and maintaining many SAs
Need next NT5.0 post-beta2 release to test with
Need denial of service and IPSec knowlegable attack tests
Need a complete implementation of all IPSec capabilities to test against,
Need an attacker box to test against
All CA vendors should support Subject Altname
Need telephone at desk
Need vendors capabilities listed and what they want to test in advance
Test nested tunnels
Test transport over tunnel mode
Test random IP addresses to simulate mobility
Have bakeoff at the same place where you stay, in hotel
Attack testing

End of Report