Re: doi-07/interoperability questions

Ben Rogers <ben@Ascend.COM> Tue, 10 March 1998 19:29 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA11763 for ipsec-outgoing; Tue, 10 Mar 1998 14:29:01 -0500 (EST)
Date: Tue, 10 Mar 1998 14:41:39 -0500
Message-Id: <199803101941.OAA08443@carp.morningstar.com>
From: Ben Rogers <ben@Ascend.COM>
To: "Derrell D. Piper" <ddp@network-alchemy.com>
Cc: ipsec@tis.com
Subject: Re: doi-07/interoperability questions
In-Reply-To: <199803101927.LAA06845@drawbridge.ascend.com>
References: <199803101550.KAA08137@carp.morningstar.com> <199803101927.LAA06845@drawbridge.ascend.com>
Reply-To: ben@Ascend.COM
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Derrell D. Piper writes:
> Ben,
> 
> >At the bakeoff, we ran into the small problem of some recent changes to
> >the DOI document which caused many machines to be un-interoperable.
> 
> The change to use an attribute to fully identify the appropriate AH transform
> occurred in the Version 3 DOI, which was submitted to the ID on July 31, 1997.
> That was eight months and four drafts ago.  I'm sorry you missed it.  Its
> release might simply predate your participation on this list.
>
> I think your characterization of this change as being both unexpected and
> recent is at odds with the facts.  I also think your assertion that "very few
> vendors had actually implemented this" is grossly inaccurate as well.

I'm not complaining about the current draft.  In fact, I have
implemented it.  However, I found that sending either an AH-MD5 or an
AH-SHA1 with the corresponding HMAC-MD5 or HMAC-SHA1 attribute was
not accepted by many implementations, and only 3 or 4 others actually
sent these transform payloads with the correct auth attribute.

Perhaps I just had bad luck with the people I tried to interoperate
with.


ben
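An added example, not part of the thread, showing the consistency rule at issue: under the DOI an AH Transform payload must carry an Authentication Algorithm attribute that agrees with its Transform ID (AH-MD5 with HMAC-MD5, AH-SHA1 with HMAC-SHA1). The numbers are taken from RFC 2407, the published form of the DOI draft, and are assumed to match doi-07; the payload layout is from RFC 2408, and the sample payloads are constructed here.

```python
import struct

# IPsec DOI numbers taken from RFC 2407 (the published form of the DOI draft
# discussed in the thread; assumed to match doi-07's numbering)
AH_TRANSFORM_ID = {2: "AH_MD5", 3: "AH_SHA", 4: "AH_DES"}
ATTR_AUTH_ALG = 5                                  # attribute type
AUTH_ALG = {1: "HMAC-MD5", 2: "HMAC-SHA", 3: "DES-MAC", 4: "KPDK"}
# Authentication Algorithm values the DOI permits with each AH Transform ID
ALLOWED_AUTH = {2: {1, 4}, 3: {2}, 4: {3}}

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 3.3): TV form (2-byte value
    in place) when the high bit of the type is set, TLV form otherwise."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:
            attrs[atype & 0x7FFF] = val_or_len
        else:
            attrs[atype] = int.from_bytes(data[off:off + val_or_len], "big")
            off += val_or_len
    return attrs

def check_ah_transform(payload):
    """Parse one Transform payload (RFC 2408 3.6) and report whether an AH
    transform carries the Authentication Algorithm attribute the DOI requires."""
    _next, _res, length, _tnum, tid, _res2 = struct.unpack_from("!BBHBBH", payload)
    if length != len(payload):
        return False, "payload length field does not match payload size"
    if tid not in AH_TRANSFORM_ID:
        return False, f"unknown AH Transform ID {tid}"
    name = AH_TRANSFORM_ID[tid]
    auth = parse_attributes(payload[8:length]).get(ATTR_AUTH_ALG)
    if auth is None:
        return False, f"{name} sent without an Authentication Algorithm attribute"
    if auth not in ALLOWED_AUTH[tid]:
        return False, f"{name} sent with {AUTH_ALG.get(auth, auth)}, which does not match"
    return True, f"{name} with {AUTH_ALG[auth]}"

def build_ah_transform(tnum, tid, auth_alg=None):
    """Constructed sample payload: AH transform with an optional TV-encoded
    Authentication Algorithm attribute (omitted when auth_alg is None)."""
    attrs = b"" if auth_alg is None else struct.pack("!HH", 0x8000 | ATTR_AUTH_ALG, auth_alg)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), tnum, tid, 0) + attrs
```

Feeding `build_ah_transform(1, 2)` (AH_MD5 with no attribute) or `build_ah_transform(1, 3, 1)` (AH_SHA with HMAC-MD5) to `check_ah_transform` reproduces the two rejection cases a strict responder would raise.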