On Mon, 12 Feb 2001, Ben Nagy wrote:

> > My experience with IPSec is that it tends to not work well with other
> > implementations.  I have heard of too many cases where various
> > implementations do not negotiate well with other implementations.
> > Hopefully these will get hammered out, but they are still a problem.
> > (This was a year or so ago. It may have improved since then.)
> 
> Interop issues are the least of my worries. I'm waiting for someone to screw
> up the crypto ("Hey, it would save cycles if we just used a timestamp as
> this "IV" thingy, wouldn't it?").

Warning: almost a commercial here:

ICSA Labs, a division of TruSecure (my employer) certifies IPSec
implementations for interoperability as well as security.  There's more
crypto testing than there is in FIPS 140, and as far as I understand,
they've found Initialization Vector problems before, so if it's on the Web
page as certified, then it does not have IV problems.

The main page for IPSec is at:

http://www.icsalabs.com/html/communities/ipsec/index.shtml

If you click through to the criteria, you'll see a specific requirement
for Random IVs.  The IPSec Lab people really know their stuff and the
level of testing is as good as it gets black-box.  

And interop issues are the most common ones as far as my understanding
goes.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
