brian dell wrote:
>
> would it be correct to say that an IKE implementation
> is ipsec compliant.

Deja vu?

No. Just because you use IKE does not mean that you are doing IPsec. IKE can be used for exchanging keying materials for other protocols if you want. Also, you do not need to use IKE to exchange keying materials to do IPsec. To quote RFC2401,

   This document requires support for both manual and automatic
   distribution of keys. It specifies a specific public-key based
   approach (IKE -- [MSST97, Orm97, HC98]) for automatic key
   management, but other automated key distribution techniques MAY be
   used. For example, KDC-based systems such as Kerberos and other
   public-key systems such as SKIP could be employed.

> ie if a vpn tunnel is using IKE implementation then
> one could say that the tunnel is ipsec compliant ?

IKE doesn't do tunneling. IKE is the Internet Key Exchange protocol. ESP and AH are the actual protocols used to tunnel traffic. However, the mere fact that the packets on the wire are ESP or AH packets _still_ does not necessarily imply that you are _really_ doing IPsec. True IPsec makes requirements about how SAs are tracked and other things that only exist in the "internal state" of the software. Some are easy to test in black box testing, some are difficult if not impossible to test.

> if not what are the additional protocols or
> implementations required to make the tunnel ipsec
> compliant ?

You might want to browse RFC2401 or at least read the introductory sections to get an overview of what IPsec really is.

-- 
Crist J. Clark [EMAIL PROTECTED]
Globalstar Communications (408) 933-4387
