Welcome to the latest issue of the VPNC Update. We hope you find the news in this issue valuable.
May was a busy month for VPNC's IPsec testing. Three new systems received Basic Interoperability logos, and two systems that already had logos were fully retested after significant upgrades. This means that a total of 37 systems are interoperating in the VPNC test lab, and we expect to add more next month as well.
This month, three systems from two VPNC members received logos for IPsec Basic Interoperability:
Also this month, two members who had significant upgrades to their base software retested for their IPsec Basic Interoperability and IPsec AES Interoperability logos:
See the VPNC testing page for full lists of all the VPNC members' products which have proven interoperability.
ADTRAN
ADTRAN Captures #2 Position in SMB Router Market
AEP Networks
AEP Networks To Acquire V-ONE Corporation in Major Push on Public-Sector VPN Market
AEP Networks
AEP Networks Unveils High-Performance SSL VPN at Aggressive Price Point
Check Point
Check Point Unveils Unified Security Architecture with New NGX Platform
Cisco
Cisco Unveils New Multi-Function Appliance Family for Adaptive Threat Defense
Encore Networks
Advantage Telcom To Distribute Encore Networks IP+Legacy VPN Network Access Products
F5
F5's FirePass Controller Leads the SSL VPN Market in Japan
F5
NTT Communications Expands Its Managed Service Offering with F5 Networks' FirePass SSL VPN Product
Jungo
Jungo Launches the Industry's First Complete Software Platform for Small / Medium Business Gateways
Juniper
Juniper Networks Wins Three Network Computing Magazine Awards
SafeNet
AMCC Selects SafeNet Security Technology for PowerPC Processors
ServGate
ServGate Systems Secure Dashang Group, Chinese Holding Company with 120 Retail Superstores
Whale Communications
Whale wins SC Magazine European Excellence Award for Best Security Solution for Government
Whale Communications
Sumitomo Mitsui Banking Corporation Selects Whale's SSL VPN to Provide Secure Remote Access to Key Financial Applications
When IKE version 1 was standardized six and a half years ago, the world of cryptography was quite different than it is today. During this time, some of the algorithms specified in RFC 2409 have been supplanted, while others have simply been ignored. IPsec VPN vendors who wanted to follow the standard to the letter had to keep implementing these algorithms, even if they wanted their customers to stop using them.
The discussion of the algorithms to be used in IKEv1 came to a head during the creation of IKEv2. Now, there is a new standards-track RFC that states the standards for IKEv1 algorithms. RFC 4109 is a formal update to IKEv1 that lists all of the standards-level algorithms for IKEv1. Some old algorithms have been demoted to simply being allowed, while others are now required for implementations. The following is a summary of the changes from RFC 2409 to RFC 4109:
| Algorithm | RFC 2409 | RFC 4109 |
|---|---|---|
| DES for encryption | MUST | MAY (crypto weakness) |
| TripleDES for encryption | SHOULD | MUST |
| AES-128 for encryption | N/A | SHOULD |
| MD5 for hashing and HMAC | MUST | MAY (crypto weakness) |
| SHA1 for hashing and HMAC | MUST | MUST |
| Tiger for hashing | SHOULD | MAY (lack of deployment) |
| AES-XCBC-MAC-96 for PRF | N/A | SHOULD |
| Pre-shared secrets | MUST | MUST |
| RSA with signatures | SHOULD | SHOULD |
| DSA with signatures | SHOULD | MAY (lack of deployment) |
| RSA with encryption | SHOULD | MAY (lack of deployment) |
| D-H Group 1 (768) | MUST | MAY (crypto weakness) |
| D-H Group 2 (1024) | SHOULD | MUST |
| D-H Group 14 (2048) | N/A | SHOULD |
| D-H elliptic curves | SHOULD | MAY (lack of deployment) |
All IKEv1 implementers are encouraged to upgrade their software to meet the new standard as soon as possible. In particular, implementers are encouraged to remove DES for encryption and Diffie-Hellman Group 1 from their implementations due to their well-known weaknesses, and to add AES-128 for encryption.
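The following added example (not part of the newsletter or of RFC 4109) audits an implementation's IKEv1 algorithm set and its offered proposals against the RFC 4109 column of the table above. The short algorithm keys, the `enc/hash/auth/group` proposal notation, and the function names are assumptions made for illustration.

```python
# Added example: requirement levels are transcribed from the RFC 4109 column
# of the table above. Keys, proposal notation and names are hypothetical.
WEAK = "crypto weakness"
RARE = "lack of deployment"
RFC4109 = {  # algorithm: (requirement level, reason for demotion or None)
    "des": ("MAY", WEAK),
    "3des": ("MUST", None),
    "aes128": ("SHOULD", None),
    "md5": ("MAY", WEAK),
    "sha1": ("MUST", None),
    "tiger": ("MAY", RARE),
    "aes-xcbc-mac-96": ("SHOULD", None),
    "psk": ("MUST", None),
    "rsa-sig": ("SHOULD", None),
    "dsa-sig": ("MAY", RARE),
    "rsa-enc": ("MAY", RARE),
    "dh1": ("MAY", WEAK),
    "dh2": ("MUST", None),
    "dh14": ("SHOULD", None),
    "dh-ec": ("MAY", RARE),
}

def audit_supported(supported):
    """Compare an implementation's algorithm set with the RFC 4109 levels."""
    have = {a.lower() for a in supported}
    report = {"missing_must": [], "missing_should": [], "weak": []}
    for name, (level, reason) in RFC4109.items():
        if name not in have:
            if level in ("MUST", "SHOULD"):
                report["missing_" + level.lower()].append(name)
        elif reason == WEAK:
            report["weak"].append(name)  # still shipped, should be removed
    report["unknown"] = sorted(have - set(RFC4109))
    return report

def weak_parts(proposal):
    """Return the components of 'enc/hash/auth/group' demoted as weak."""
    return [p for p in proposal.lower().split("/")
            if RFC4109.get(p, ("", None))[1] == WEAK]

def filter_proposals(proposals):
    """Keep only proposals with no weak component, preserving order."""
    return [p for p in proposals if not weak_parts(p)]

# Constructed sample data: an RFC 2409-era algorithm set and proposal list.
LEGACY_SET = ["des", "3des", "md5", "sha1", "psk", "rsa-sig", "dh1", "dh2"]
OFFERED = ["des/md5/psk/dh1", "3des/sha1/psk/dh2", "aes128/sha1/rsa-sig/dh14"]
if __name__ == "__main__":
    print(audit_supported(LEGACY_SET), filter_proposals(OFFERED))
```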
China MPLS 2005 Conference
Beijing / August 30-31, 2005
This region-specific MPLS conference covers all aspects of MPLS use in China, including both MPLS VPNs and MPLS for operations and management.
The VPNC Update is a low-volume, one-way newsletter to inform people about news in the VPN industry. Subscription is open to everyone, members and non-members alike. Previous issues of the newsletter can be found here. If you have questions about the content of VPNC Update, or suggestions or information for future issues, please send them to Paul Hoffman, VPNC's director.
To subscribe to this newsletter, send a message to vpnc-update-request@vpnc.org with the single word "subscribe" in the body of the message. To unsubscribe, send a message to vpnc-update-request@vpnc.org with the single word "unsubscribe" in the body of the message.