Other IKE implementations with GSSAPI support?

Jason R Thorpe <thorpej@zembu.com> Thu, 14 December 2000 10:48 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id CAA27639; Thu, 14 Dec 2000 02:48:24 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id EAA08638 Thu, 14 Dec 2000 04:12:05 -0500 (EST)
Date: Wed, 13 Dec 2000 11:10:25 -0800
From: Jason R Thorpe <thorpej@zembu.com>
To: ipsec@lists.tislabs.com
Subject: Other IKE implementations with GSSAPI support?
Message-ID: <20001213111025.D2350@dr-evil.49thietf.org>
Reply-To: thorpej@zembu.com
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Organization: Zembu Labs, Inc.
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

We (KAME/Wasabi Systems/Zembu Labs) have implemented the GSSAPI auth
method for IKE described in draft-ietf-ipsec-isakmp-gss-auth-06.txt
in the KAME "racoon" IKE daemon, using the KTH Heimdal Kerberos 5
GSSAPI implementation.  The code is available from the KAME CVS
repository via anoncvs (the ink is still wet, so it's not yet in any
of the KAME snapshot kits).

We're interested in any feedback as to interoperability with other IKE
implementations implementing the draft.  Actually, we're interested in
just knowing which other IKE implementations implement the draft, as well.
From the wording of the draft, I would assume that some recent, but
probably not publicly available, Win2k IKE supports it...  In the
KAME IKE, there is some concern as to Win2k interoperability, as Win2k
is using Unicode strings (the byte-order of which is not clearly defined
in the draft, BTW) for the GSSAPI endpoint names, and there is some
question as to whether or not Kerberos libraries are going to accept them.

Shar and enjoy.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>