Technically Speaking

Packet™ Magazine Archives, Fourth Quarter 1998

IPSec's Growing Pains Are Almost Over

By Roger Farnsworth

Cisco strives to ensure industry-wide interoperability and scalability among IPSec implementations so that users can protect their virtual private networks (VPNs) with confidence.

IP Security -- better known as the IPSec protocol -- has been facing interoperability and scalability challenges, and both are well on their way to resolution.

As with any new technology, early product implementations often encompass slightly different interpretations of standard specifications. A period of fine-tuning and compatibility testing is the norm before "plug-and-play" status arrives industry-wide.

It's been no different for IPSec, an Internet Engineering Task Force (IETF) draft standard for encryption and data authentication over IP-based networks. The Layer 3 scheme works in conjunction with the Internet Key Exchange (IKE), another IETF draft technology, which is a method for automatically negotiating security associations between encrypting peers. The IPSec/IKE combination holds much industry promise, because it requires no modifications to existing applications; software is simply added to the client or network infrastructure components.

Cisco Smoothes Interoperability Negotiations

At issue has been the fact that IKE, the Security Association (SA) negotiation protocol, is complex, and vendors of security products have each interpreted the IKE standard in their own way. They are now hard at work to iron out incremental implementation differences.

To help their progress, Cisco is making its reference implementation of IKE publicly available as freeware. This allows other vendors to tune their products to perform the negotiation function in a way that conforms to a common and widespread specification.

Cisco is also licensing its IPSec implementation to makers of operating systems, modem vendors, and other Internet device manufacturers. Doing so will help speed deployment of the protocol and assure interoperability with Cisco devices. Microsoft, for example, has become a Cisco IPSec licensee and plans to incorporate the technology into its Windows NT Server 5.0 operating system.

Last March, Cisco hosted a demonstration network, or "bake-off," at which 45 companies grappling with the IPSec/IKE implementation tested their products against each other's. About 15 percent of the products interoperated at that time -- a figure that has gone up markedly as a result of the bake-off.

CEP to Alleviate Scalability Challenges

To ease IPSec scalability issues, Cisco has joined with digital-certificate authorities, also called "trusted third parties." Scalability has been restricted because of the difficulties associated with managing the vast number of encryption keys needed for large networks.

For two devices to exchange information securely using IPSec, each must be sure of the other's identity. Traditionally, the exchange of public keys has been manual. Verification of the identity of public keyholders has taken place between every pair of sending/receiving devices: an administrator at the transmitting end physically telephones the administrator at the receiving end to verify the public keyholder's identity.

To automate the verification process so that IPSec/IKE can scale, Cisco and VeriSign, Inc. -- a leading provider of digital authentication services and other forms of secure communications -- jointly developed the Certificate Enrollment Protocol (CEP). CEP specifies a common way for communicating with a certificate authority and will allow for the exchange of volumes of public keys across the Internet. VeriSign and Entrust Technologies, Inc., another certificate authority software vendor, will support the protocol so that customers can build large-scale public key infrastructures (PKIs) that include Cisco devices.

IPSec Will Be Pervasive

A critical component of enterprise-wide security strategies, IPSec will pop up in many places in a network. It can reside in client software for secure information exchanges between remote users and the corporate network, and it can also protect router-to-router communication. It can safeguard data exchanges between access servers and between firewalls.

Many vendors, including Cisco, have installed implementations of IPSec on their products. Cisco, for example, began shipping IPSec in its IOS™ software Version 11.3(3)T in April. Cisco IPSec-supported platforms include the Cisco 1600, 2500, 2600, 3600, 4000, 4500, 7200, and 7500 series routers and AS5300 universal access servers. The PIX™ Firewall will also support IPSec in the near future.

Roger Farnsworth, Cisco Systems' Manager of Security Solutions Marketing, presented the popular "Update to Cisco's Security Initiative" sessions at both 1998 US Networkers events. He also developed the framework for the eight other security sessions presented at Networkers worldwide. Reach him at rfarnswo@cisco.com.

Posted: Thu Feb 4 17:08:57 PST 1999
Copyright © 1998 Cisco Systems, Inc.