In the past, VPNC also tested for IPsec conformance. VPNC's conformance logos indicate VPNC's belief that a product conforms to various parts of the IPsec standards. The VPNC conformance test program issued its first logos in July, 2000, and ended the program in January, 2004.
The Basic Conformance test consists of the member's product initiating an IPsec ESP tunnel to each of the two test gateways. The tunnel requires Triple DES (3DES) for encryption, SHA-1 as the hash (used for integrity and for the IKE authentication hash), a 1024-bit Diffie-Hellman key exchange (IKE group 2), and a pre-shared secret for authentication. As the term "Basic" implies, every IPsec implementation shipped today should have these features and should conform to the IPsec standards with these options. (This profile reflects what was deployed when the program ran; 3DES and 1024-bit Diffie-Hellman groups are no longer considered adequate, and current deployments should prefer AES and larger groups.)
The products from VPNC members that have passed the Basic Conformance test are:
Full details of the Basic Conformance test include the technical specification of the steps needed to pass, as well as the debugging logs of the tests themselves.
The Rekeying Conformance test consists of setting up the same type of IPsec tunnel as is required for the Basic Conformance test, and then automatically rekeying the Phase 2 SA when its lifetime runs out. The Phase 2 SAs must also use perfect forward secrecy (usually called "PFS"), meaning that each Quick Mode exchange performs a fresh Diffie-Hellman exchange instead of deriving the new keys from the Phase 1 secret alone. The tester must access a web server behind the test gateway before the rekeying and again after it, which shows that traffic survives the change of SAs. As with the Basic test, this must be done on two test gateways.
The products from VPNC members that have passed the Rekeying Conformance test are:
Full details of the Rekeying Conformance test include the technical specification of the steps needed to pass, as well as the debugging logs of the tests themselves.
The Certificates Conformance test consists of setting up the same type of IPsec tunnel as is required for the Basic Conformance test, but using PKIX certificates instead of a pre-shared key for authentication. The certificate must chain to the VPNC root certificate, and the identity presented in IKE is checked against the certificate as well. The tester must access a web server behind the test gateway. As with the Basic test, this must be done on two test gateways.
The products from VPNC members that have passed the Certificate Conformance test are:
Full details of the Certificate Conformance test include the technical specification of the steps needed to pass, as well as the debugging logs of the tests themselves.
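The three profiles above differ only in the IKE proposal the product has to negotiate: the same 3DES / SHA-1 / group 2 suite, with pre-shared key or certificate authentication in Phase 1, and, for the Rekeying test, an ESP Phase 2 proposal that carries a PFS group and a finite lifetime. The following Python is an added example and is not code from VPNC or from the OpenBSD or KAME test gateways. It encodes the Phase 1 and Phase 2 transform payloads those profiles call for, using the attribute and transform numbers from RFC 2408, RFC 2409 Appendix A and RFC 2407, decodes them again, and checks a decoded proposal against each profile. The lifetimes (24 hours for Phase 1, 1 hour for Phase 2) and the use of RSA signatures for the Certificates profile are assumptions; the page gives neither.

```python
"""Encode, decode and check the IKEv1 proposals behind the VPNC conformance profiles.
Numbers come from RFC 2408 (ISAKMP), RFC 2409 Appendix A (IKE) and RFC 2407 (IPsec DOI).
The lifetimes and the choice of RSA signatures are assumptions; the VPNC page gives neither."""
import struct

AF_BASIC = 0x8000  # RFC 2408 3.3: bit 15 set -> 2-byte value; clear -> 2-byte length + value

# Phase 1 (ISAKMP SA) attribute classes and values, RFC 2409 Appendix A
KEY_IKE = 1
P1_ENCRYPTION, P1_HASH, P1_AUTH_METHOD, P1_GROUP, P1_LIFE_TYPE, P1_LIFE_DURATION = 1, 2, 3, 4, 11, 12
ENC_DES_CBC, ENC_3DES_CBC = 1, 5
HASH_MD5, HASH_SHA1 = 1, 2
AUTH_PSK, AUTH_DSS_SIG, AUTH_RSA_SIG = 1, 2, 3
GROUP_MODP_768, GROUP_MODP_1024 = 1, 2
LIFE_SECONDS = 1  # same value for the Phase 1 life type and the IPsec DOI SA life type

# Phase 2 (IPsec DOI, ESP) transform IDs and attribute classes, RFC 2407 sections 4.4.4 and 4.5
ESP_DES, ESP_3DES = 2, 3
P2_LIFE_TYPE, P2_LIFE_DURATION, P2_GROUP, P2_ENCAP_MODE, P2_AUTH_ALG = 1, 2, 3, 4, 5
ENCAP_TUNNEL, HMAC_MD5, HMAC_SHA1 = 1, 1, 2

P1_LIFETIME, P2_LIFETIME = 86400, 3600  # assumed: 24 h for Phase 1, 1 h for Phase 2 (forces a rekey)

def encode_attribute(attr_type, value):
    """One ISAKMP data attribute: basic form for 16-bit values, a 4-byte body above that."""
    if value < 0x10000:
        return struct.pack("!HH", AF_BASIC | attr_type, value)
    if value >= 1 << 32:
        raise ValueError("attribute value does not fit in 32 bits")
    return struct.pack("!HHI", attr_type, 4, value)

def decode_attributes(buf):
    """Decode a run of attributes into {attr_type: int}, rejecting truncated input."""
    attrs, off = {}, 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated attribute header")
        hdr, arg = struct.unpack_from("!HH", buf, off)
        off += 4
        if hdr & AF_BASIC:
            attrs[hdr & 0x7FFF] = arg
        else:
            if off + arg > len(buf):
                raise ValueError("truncated variable-length attribute")
            attrs[hdr & 0x7FFF] = int.from_bytes(buf[off:off + arg], "big")
            off += arg
    return attrs

def encode_transform(transform_num, transform_id, attrs, next_payload=0):
    """Transform payload, RFC 2408 3.6: next(1) rsvd(1) length(2) t#(1) t-id(1) rsvd(2) attrs."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), transform_num, transform_id, 0) + body

def decode_transform(buf):
    """Return (transform_num, transform_id, attrs); the length field must match the buffer."""
    _nxt, _rsv, length, num, tid, _rsv2 = struct.unpack_from("!BBHBBH", buf, 0)
    if length != len(buf):
        raise ValueError("transform payload length field does not match buffer")
    return num, tid, decode_attributes(buf[8:length])

def build_phase1_transform(auth_method=AUTH_PSK):
    """3DES / SHA-1 / group 2; PSK gives the Basic profile, a signature method the Certificates one."""
    return encode_transform(1, KEY_IKE, [
        (P1_ENCRYPTION, ENC_3DES_CBC), (P1_HASH, HASH_SHA1), (P1_AUTH_METHOD, auth_method),
        (P1_GROUP, GROUP_MODP_1024), (P1_LIFE_TYPE, LIFE_SECONDS), (P1_LIFE_DURATION, P1_LIFETIME)])

def build_phase2_transform(pfs=True):
    """ESP 3DES / HMAC-SHA-1 in tunnel mode; with pfs=True the Group Description attribute
    tells the peer that Quick Mode carries a fresh Diffie-Hellman exchange."""
    attrs = [(P2_ENCAP_MODE, ENCAP_TUNNEL), (P2_AUTH_ALG, HMAC_SHA1),
             (P2_LIFE_TYPE, LIFE_SECONDS), (P2_LIFE_DURATION, P2_LIFETIME)]
    if pfs:
        attrs.append((P2_GROUP, GROUP_MODP_1024))
    return encode_transform(1, ESP_3DES, attrs)

def phase1_profile(attrs):
    """'basic', 'certificate' or None for a decoded Phase 1 transform."""
    if not (attrs.get(P1_ENCRYPTION) == ENC_3DES_CBC and attrs.get(P1_HASH) == HASH_SHA1
            and attrs.get(P1_GROUP) == GROUP_MODP_1024):
        return None
    if attrs.get(P1_AUTH_METHOD) == AUTH_PSK:
        return "basic"
    if attrs.get(P1_AUTH_METHOD) in (AUTH_RSA_SIG, AUTH_DSS_SIG):
        return "certificate"
    return None

def phase2_meets_rekeying_profile(transform_id, attrs):
    """True only for ESP 3DES / HMAC-SHA-1 tunnel mode with PFS and a finite lifetime."""
    return (transform_id == ESP_3DES and attrs.get(P2_AUTH_ALG) == HMAC_SHA1
            and attrs.get(P2_ENCAP_MODE) == ENCAP_TUNNEL and attrs.get(P2_GROUP) == GROUP_MODP_1024
            and attrs.get(P2_LIFE_TYPE) == LIFE_SECONDS and attrs.get(P2_LIFE_DURATION, 0) > 0)

if __name__ == "__main__":
    for label, buf in [("basic", build_phase1_transform()), ("cert", build_phase1_transform(AUTH_RSA_SIG))]:
        print(label, buf.hex(), "->", phase1_profile(decode_transform(buf)[2]))
    for pfs in (True, False):
        _, tid, a = decode_transform(build_phase2_transform(pfs))
        print("phase2 pfs=%s ->" % pfs, phase2_meets_rekeying_profile(tid, a))
```

The same attribute encoder serves both phases because the IPsec DOI reuses the ISAKMP data-attribute format; only the class numbers and their meanings change between the Phase 1 and Phase 2 tables. A DES/MD5/group 1 proposal decodes cleanly but is classified as matching no profile, and a Phase 2 proposal that omits the Group Description attribute is rejected because the Rekeying test requires PFS.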
It is important to note that the conformance tests do not test for interoperability between products. VPNC's conformance logos indicate that the product that got the logo was tested against two different test gateways and passed the test on each of them. Thus, the logo indicates that the product interoperates with the gateways it was tested against, but not necessarily with other products that carry the same logo.
Although knowing which products conform to the IPsec standards is important, end users need to know which products interoperate with each other in order to make buying decisions. That is the reason that VPNC also has Interoperability logos. As the IPsec industry has found, however, defining and testing interoperability is surprisingly difficult. In the past few years, VPNC members have found problems such as:
The VPNC interoperability tests cannot deal with all possible interoperability scenarios. Instead, they focus on the most common real-world scenarios and show how users can recreate the interoperability themselves.
The VPNC conformance tests are run against open-source IPsec implementations. The reason for testing against open-source systems instead of commercial products is to give VPNC members, and the people evaluating the conformance logos, the ability to see exactly how the tests were done. The two systems used to test for conformance are OpenBSD and KAME. VPNC works with the developers of both systems to fix bugs found during the conformance program and to ensure that the test systems themselves meet the standards.
If you have comments or questions about VPNC's testing, please feel free to send them to Paul Hoffman, VPNC's director, at paul.hoffman@vpnc.org.