Wednesday, November 30, 2005

ISAKMP: The standard for incompatibility

Peter Gutman wrote a great summary of the lengths that many have to go to in order to get ISAKMP implementations to interoperate.

I had a hell of a time trying to get Windows 2000/XP IPSec to work with FreeS/WAN in the past. It was very difficult to debug what was going on and I resorted to using tools that translated FreeS/WAN configuration into Windows IPSec configuration so that I was sure that the settings were correct.

>On Sat, 19 Nov 2005, Peter Gutmann wrote:
>>- The remaining user base replaced it with on-demand access to network
>> engineers who come in and set up their hardware and/or software for
them and
>> hand-carry the keys from one endpoint to the other.
>> I guess that's one key management model that the designers never
>> anticipated... I wonder what a good name for this would be,
something better
>> than the obvious "sneakernet keying"?
>Actually this is a good thing.

Unless you're the one paying someone $200/hour for it.

>Separation of the key distribution channel from the flow of traffic
>under those keys. Making key distribution require human

Somehow I suspect that this (making it so unworkable that you have to
carry configuration data from A to B) wasn't the intention of the IKE
designers :-). It's not just the keying data though, it's all
information. One networking guy spent some time over dinner recently
describing how, when he has to set up an IPsec tunnel where the
aren't using completely identical hardware, he uses a hacked version of
OpenSWAN with extra diagnostics enabled to see what side A is sending in
IKE handshake, then configures side B to match what A wants. Once
done, he calls A and has a password/key read out over the phone to set
up for


No comments:

Post a Comment