[IPsec] INSIDE Secure answers to RFC 5996 and 3948 questionnaires
Joonas Pylkkanen <jpylkkanen@insidesecure.com> Fri, 14 March 2014 10:48 UTC
Dear audience,

Here is presented INSIDE Secure QuickSec IPsec toolkit and QuickSec VPNClient answers to RFC 5996 and RFC 3948 questionnaires:

Answers to RFC5996 questionnaire:
---------------------------------

- Which of the IKEv2 exchanges you support:
  - IKE_SA_INIT (includes support for SA, KE, Ni, Nr payloads)
    All implemented and fully supported by QuickSec family of products.
  - IKE_AUTH (includes support for SK, IDi, IDr, AUTH, TSi, TSr payloads)
    All implemented and fully supported by QuickSec family of products.
  - CREATE_CHILD_SA
    Supported by QuickSec family of products.
  - INFORMATIONAL
    Supported by QuickSec family of products.

- Which of the IKEv2 payloads your implementation supports
  - CERT Certificate
  - CERTREQ Certificate Request
  - CP Configuration
  - D Delete
  - EAP Extensible Authentication
  - N Notify
  - V Vendor ID
  All above are supported by QuickSec family of products.

- Which of the following processing semantics does your implementation support (y/n):
  - Can your implementation create a new child SAs with the CREATE_CHILD_SA exchange?:
    Yes, supported by QuickSec family of products.
  - Can your implementation rekey an IKE SAs with the CREATE_CHILD_SA Exchange?:
    Yes, supported by QuickSec family of products.
  - Can your implementation rekey a Child SAs with the CREATE_CHILD_SA Exchange?:
    Yes, supported by QuickSec family of products.
  - Does your implementation support the INFORMATIONAL exchange?
    Yes, supported by QuickSec family of products.

- Which of the IKEv2 authentication methods you support
  - PKIX Certificates as specified in section 4
  - Shared key authentication as specified in section 4
  - Mixed authentication, where responder uses Certificates and initiator uses shared key
  All above are supported by QuickSec family of products.

- Which of the usage scenarios does your implementation support (s1.1.1, s1.1.2, and s1.1.3):
  All scenarios supported by QuickSec family of products.

- What evidence do you have that your implementation can interoperate with other implementations?
  INSIDE Secure has always participated in IPsec interoperability events, as well, our QA for our implementation has extensive interoperability tests using other vendor products.

- In your opinion, are there unused features in the RFC that greatly increase implementation complexity?
  No

- Errata was filed against RFC 5996 and has been included in https://datatracker.ietf.org/doc/draft-kivinen-ipsecme-ikev2-rfc5996bis/; are any of the incorporated errata problematic for your implementation?
  No

Answers to RFC3948 questionnaire:
---------------------------------

Here's a proposed set of question for RFC 3948 implementers:

The following questions document whether your implementation supports the syntax and semantics of the protocol:

- Which of the following packet formats does your implementation support:
  - UDP-Encapsulated ESP Header Format (y/n):
    Y: Supported by QuickSec family of products.
  - IKE Header Format for Port 4500 (y/n):
    Y: Supported by QuickSec family of products.
  - NAT-Keepalive Packet Format (y/n):
    Y: Supported by QuickSec family of products.

- Which of the following encapsulation and decapsulation processing rules does your implementation support:
  - Auxiliary Processing
    - Tunnel Mode Decapsulation NAT Procedure (y/n):
      Y: Supported by QuickSec family of products.
    - Transport Mode Decapsulation NAT Procedure (y/n):
      Y: Supported by QuickSec family of products.
  - Transport Mode ESP Encapsulation (y/n):
    Y: Supported by QuickSec family of products.
  - Transport Mode ESP Decapsulation (y/n):
    Y: Supported by QuickSec family of products.
  - Tunnel Mode ESP Encapsulation (y/n):
    Y: Supported by QuickSec family of products.
  - Tunnel Mode ESP Decapsulation (y/n):
    Y: Supported by QuickSec family of products.

- Does your implementation support the NAT keepalive procedure? (y/n):
  Y: Supported by QuickSec family of products.

The following questions document whether interoperability has been achieved as well as other intangibles the IESG will be interested.

- What evidence do you have that your implementation can interoperate with other implementations?
  INSIDE Secure has always participated in IPsec interoperability events, as well, our QA for our implementation has extensive interoperability tests using other vendor products.

- In your opinion, are there unused features in the RFC that greatly increase implementation complexity?
  No

Additional information (optional):

Best Regards,

Joonas Pylkkänen
Director R&D, Embedded Security Solutions
INSIDE Secure
JPylkkanen@INSIDESecure.com