Jan2000IPSEC_PPP_application.doc.doc

------------------------------------------------------------------------------------------------------------ Return your application via email and reserve your hotel rooms before December 15, 1999!

To Networking Product Developers:

Cisco invites you to participate in the VPN Interoperability Workshop, January 9-14, 2000, testing IPSec/IKE, L2TP, and PPP features at Paradise Point Resort in San Diego, California. The VPN Workshop combines the tenth CalBUG (formerly CIUG) PPP Interoperability Workshop and the eighth IPSec Interoperability Workshop.

The Workshop will be open to companies with products that implement any of the following protocols:

IP Security (IPSec)Internet Key Exchange (IKE)IKE-CFGIKE-XAUTHIP Payload Compression (IPComp)L2TP over Transport-Mode IPSecCompression Control Protocol (CCP) with MPPC and MPPEMS Challenge Handshake Authentication Protocol (MS CHAP) Version 2Extensible Authentication Protocol (EAP)Point to Point Tunneling Protocol (PPTP)PPP over Ethernet (PPPoE)PPP over ATML2TP over ATML2TP

The Workshop will provide an opportunity to test the interoperability of your products with products from all of the other companies attending.

The participating companies are asked to bring products that are released, at beta or near beta level for the protocols being tested.

Participants are engineering staff intimately familiar with the software and hardware that implement the capabilities being tested and are expected to have a thorough understanding of the protocols.

This Workshop will be open to only the participants. This is not a spectator event; it is not open to observers. Some participants will be working with unreleased products and the other attendees are expected to respect their privacy.

SPONSORSHIP:

Cisco is the host for the VPN Interoperability Workshop. UUNET, an MCI Worldcom Company will provide the backbone Ethernet network and access to the Internet. Madge will provide ISDN lines and CalBUG (formerly CIUG) will provide infrastructure equipment for the workshop network. Cisco will provide an ATM switch for PPPoATM and L2TPoATM testing.

SCHEDULE:

Sunday, January 9, 2000

12:00 Noon to 8:00 PM Registration and equipment set up by Participants

Monday, January 10, 2000

7:00 AM to 8:00 AM Continental Breakfast8:00 AM to 8:00 PM Testing 12:00 Noon to 1:30 PM Lunch

Tuesday, January 11, 2000

7:00 AM to 8:00 AM Continental Breakfast8:00 AM to 8:00 PM Testing12:00 Noon to 1:30 PM Lunch

Wednesday, January 12, 2000

7:00 AM to 8:00 AM Continental Breakfast8:00 AM to 8:00 PM Testing12:00 Noon to 1:30 PM Lunch4:00 PM to 5:00 PM Pizza 5:00 PM to 7:00 PM Group Meeting

Thursday, January 13, 2000

7:00 AM to 8:00 AM Continental Breakfast8:00 AM to 8:00 PM Testing12:00 Noon to 1:30 PM Lunch

Friday, January 14, 2000

7:00 AM to 8:00 AM Continental Breakfast8:00 AM to 5:00 PM Testing12:00 Noon to 1:30 PM Box Lunch3:00 PM Break Down Facility

FEES:

The charge for the Workshop is $300 per person. The fee is for the entire week and covers the cost of the meals and hotel facility. Each person attending must pay the full amount. There will be no provision for a daily rate for those not attending the entire week. Checks, wire transfers, or credit cards will be accepted. Cash payments are not available. Payment must be received in advance. Refunds will not be made for cancellations after December 15, 1999. Please fill out and return the payment form with your payment. Companies not registered will not be allowed to walk-in.

FACILITIES:

Tables and Power:

Each participating company will be provided one table, 5 Amps of power, and one power strip. Bring additional power strips if you need them. If you know your test setup will require more than 5 Amps please provide that information in advance on the application form and it will be available.

Backbone Ethernet Network:

Each participating company will be provided a single RJ-45 cable attached to the backbone Ethernet network. The backbone Ethernet network will be a set of public class C networks connected to the Internet via a router with all routes configured statically (no dynamic routing).

In the application you will be asked to specify which of the following configurations you will need and the quantity. You may request multiple configurations but you must bring your own switches/hubs and a crossover cable with an RJ-45 to RJ-45 connector to attach more than a single device to the backbone Ethernet network.

Configuration 1: A single IP address with a routed private network address.

A single IP address assigned from the backbone Ethernet network (a public class C network) and a private class C network (to be assigned) with a static route configured in the backbone router to the single IP address.

Configuration 2: A single IP address with a routed private and public network address.

A single IP address assigned from the backbone Ethernet network (a public class C network) with a private class C network (to be assigned) and a public subnetwork (/29 subnet address to be assigned) with a static route for both networks configured in the backbone router to the single IP address.

Note: You can not reach the Internet with private network addresses. If these

configurations do not satisfy your requirements, please contact James Matheke at 614-723-1525 or [email protected].

File Transfer Servers: Servers will be available for file transfers as defined in the test procedures.

CA Certificates: To arrange certificates with CA providers prior to the workshop, please go to the following for details.

Baltimore: [email protected]: http://freecerts.entrust.com/SSH (available in late December): http://isakmp-test.ssh.fi/VeriSign(contact [email protected]): https://onsite-test-fe.bbtest.net/bakeoff/

VPNC: [email protected]

ISDN Lines: BRI and PRI lines will be provided for testing from a Madge switch. The BRI lines will be provisioned as NI-1 with CSV/D on each B channel. The BRI lines may be either a U or S/T interface. If you request a PRI line, please bring a CSU and the crossover cable to terminate the T1 interface. The PRI lines will be NI-2.

Telephone Service: There will be a telephone on each table in the workshop for voice service provided by a networked PBX.

ATM Circuits: There will be an ATM switch with coax interfaces provided for testing PPP over ATM or L2TP over ATM.

SHIPPING EQUIPMENT TO SAN DIEGO PARADISE POINT RESORT IN SAN DIEGO, CALIFORNIA

Participants will be responsible for bringing workstations and network equipment. You may ship your equipment to:

San Diego Paradise Point Resort1404 W. Vacation RoadSan Diego, CA 92109Telephone: 858-274-4630Attention: Steve Hanger Please mark "Hold for Cisco VPN Workshop"

Schedule your equipment to arrive at Paradise Point Resort between January 3-7, 2000. Please provide shipping information, such as date shipped, tracking number, and number of boxes to Paradise Point Resort so receipt of your shipment may be confirmed and accepted.

IMPORTANT: Please bring the shipping documents for the return of your equipment back to your company. These documents include the carrier form. International shipments must include all appropriate documents, including carrier forms and invoices.

mailto:[email protected]

https://onsite-test-fe.bbtest.net/bakeoff/

Additionally, please make arrangements with your carrier in advance for pickup of your equipment at the Paradise Point Resort for no later than 5:00 PM on Friday, January 14, 2000. You will be responsible to see that your carrier picks up your equipment.

These two points are very important. Neither Cisco nor the Paradise Point Resort will be able to provide shipping forms or customs forms to you. You have to bring your own. Also neither Cisco nor the Paradise Point Resort will be able to store your equipment past January 14, 2000.

ACCOMMODATIONS:

Be sure to reserve by December 15, 1999, to insure that rooms will be available for you and your group. The block of rooms is available at:

San Diego Paradise Point Resort1404 W. Vacation RoadSan Diego, CA 92109Telephone: 858-274-4630 or 800-344-2626

Register under "Cisco VPN Workshop" to get the discounted Workshop rate of $140.00 plus tax per night.

Rooms are available for check in January 9, 2000 through check out January 14, 2000. Check in time is 4:00 PM and check out time is 12:00 Noon. Should the attendee cancel the reservation within 48 hours of arrival, they are subject to billing of one night's room and tax. Should an attendee depart early from the original check out date, the attendee will be responsible for one night's room and tax.Available room upgrade options:

Lanai single/double $140Lanai Bayview $195Studio Suite Garden $235Studio Suite Bayside $265One Bedroom Suite Garden $275One Bedroom Suite Bayview $310

About San Diego Paradise Point Resort: http://www.paradisepoint.com/

Airport Access:

Airline service is available to Lindbergh International Airport, San Diego, California, USA (SAN). Alternately, you may fly to Los Angeles (LAX), California and drive approximately two hours to San Diego.

Directions from Lindbergh International Airport: Take Harbor Drive North and turn right on Nimitz, follow signs to Mission Bay Park. Right on Ingraham, left at West Vacation

http://www.fessparkersdoubletree.com/

Road.

You can take Cloud 9 Shuttle 1-800-9-SHUTTLE from the airport to the hotel for transportation to the hotel for $8.00. From Terminal 1 or Terminal 2 follow the signs to the Ground Transportation Skybridge, proceed to the "Shuttle for Hire" curb and ask the "Transportation Coordinator" for Cloud 9 Shuttle. From the Commuter terminal exit the doors, cross over to the shuttle loading island, and ask the "Transportation Coordinator" for Cloud 9 Shuttle.

SECURITY:

An outside security company has been retained from 8:00 PM until 8:00 AM from January 8-14, 2000. There will be a sign-up procedure for participants wishing to work after 8:00 PM Those wishing to work after 8:00 PM must be present at 8:00 PM for introductions to the security staff of the evening.

PRESS RELEASE:

Cisco plans to make a press release following the workshop. There will be no mention of any specific results of the testing in this release. Please indicate in the application if you want your company's name included in this release as a participant. If you include your public relations person in the application, that contact will be given the opportunity to review the release in advance.

REGISTRATION:

This will be a "self organizing" event. It will be your responsibility to develop your own test schedule and to arrange your own testing partners. This method has worked well in the past and we believe that it provides the most productive environment for testing. In the application you will be asked to list the days you will be available for testing. Please be accurate so everyone has an opportunity to test with you.

Please fill out the Product Section of the application carefully defining the supported capability list for the protocol options you will test at the workshop. We will use the information to put together a binder of data to assist when you are testing with partners.

To register for the VPN Interoperability Workshop fill out the payment form and return it by email to <[email protected]>.

Then fill out the application on this Web site immediately to reserve your place at the workshop.

If you have any questions, send email or call

Bob Larribeau, [email protected], 415-241-9920

Based on past workshops, expected attendance is 60 companies. Get the payment form and application in early to assure yourself a place.

------------------------------ PAYMENT FORM---------------------------- PLEASE RETURN THIS PAYMENT FORM VIA EMAIL.

Name: __________________________________

Company: _______________________________

Address: _________________________________

__________________________________________

City, State, Zip ________________________________

Country: _____________________________________

Phone: _________________________________

Fax: ___________________________________

Email: _________________________________

Number of Attendees: _________ x $300.00 = Total Payment $_____________

Refunds will not be made for cancellations after December 15, 1999.

Pay by credit card:

Fill out the form below and fax it to the CalBUG at (415) 753-6942.

Credit Card Type (Circle One): American Express, Visa, Master Charge, JCB

Credit Card Number: ______________________________

Expiration Date: _________________________________

Name: ____________________________________________

Signature: _______________________________________

Pay by check:

Send a check made out to the CalBUG for $300 for each participant to:

California Broadband User's Group, PO Box 27901-391, San Francisco, CA 94127

Wire funds to:

California Broadband Users' GroupAccount Number 02882 07752 Bank of America #0288 288 West Portal Avenue, San Francisco, CA 94127 USA ----------------------------------------------------------------------- APPLICATION

PLEASE FILL OUT THIS APPLICATION ON THE WEB SITE

Please enter the name of the Workshop Coordinator who will coordinate your registration. We will send emails to this person to give the latest information on the workshop and to verify your registration.

Company Name: __________________________

Name: __________________________________

Address: _________________________________

__________________________________________

City, State, Zip ________________________________

Country: _____________________________________

Phone: _________________________________

Fax: ___________________________________

Email: _________________________________

Do you want your company's name included in the Cisco press release as a participant? Yes or No

Provide the name, address, phone, fax, and email of your public relations contact. We will give this person an opportunity to review the release in advance.

Names of ALL Participants (including the Workshop Coordinator listed above if they will attend):

Name_____________________

Name_____________________

Name_____________________

Days available for testing: M Tu W Th F

Number of tables:

----------------------------------------------------------------------

IP Addresses-

Number of Configuration 1:(a single IP address with a routed private network address)

Number of Configuration 2: (A single IP address with a routed private and public network address)

Additional Power Requirements:

Number of BRI lines: 1 2 More than 2 (please specify)

S/T or U interface:

PRI (Yes or No):

Additional Madge Switch Requirements:

ATM PVC (PPP): 1 2 More than 2 (please specify)

ATM PVC (L2TP): 1 2 More than 2 (please specifiy)

----------------------------------------------------------------------

Features you will be TESTING:

IPSec (Y/N)

IKE (Y/N)

IKE-CFG

IKE-XAUTH

IP Payload Compression (Y/N)

L2TP over Transport-Mode IPSec (Y/N)

CCP with MPPC (Y/N)

CCP with MPPE (Y/N)

MS CHAP Version 2 (Y/N)

EAP (Y/N)

PPTP (Y/N)

PPP over Ethernet (PPPoE) (Y/N)

PPP over ATM (Y/N)

L2TP over ATM (Y/N)

L2TP (Y/N)

----------------------------------------------------------------------

Will you be providing:

CA services (Y/N)

-----------------------------------------------------------------------

Product Functionality Section:

The purpose of this survey is to identify supported features so that vendors will know who is implementing what, can know who to discuss the detailed functionality with, and to identify products for more serious compatibility testing later.

Fill out a Product Section to describe supported features for each device or software package you will have at the workshop. If the version is unreleased, indicate 'alpha', 'beta', RC (release candidate) or build number. Options marked with * are advanced features. --- 1---Product Name:

Software Version and OS compatibility:

Product Type, check all that apply:

Router_____ Firewall_____ IPSec Gateway_____ IPSec Client_____

L2TP/IPsec Client Software_____ End to End (Tunnel/Transport) Client_____

Other________________________

--- 2---Product Name:





Other________________________

--- 3---Product Name:





Other________________________

=====IPSEC=====IPSEC=====IPSEC=====IPSEC=====

IPSec manual keys SA configuration (keys, SPI, algorithms) (Y/N)

Minimum key length (Y/N)

If yes, key length________________

AH tunnel (Y/N)

AH transport (Y/N)

ESP tunnel (Y/N)

ESP transport (Y/N)

Transport adjacency: applying more than one security protocol to the same IP datagram, without invoking tunneling, eg. [IP][AH][ESP][packet payload] (Y/N)

Nested tunneling from the same box: "Tunneling IPSec in an IPSec tunnel", eg. [IP][IPSec][IP][IPSec][packet payload] where "[IPSec]" could be "[ESP]" or "[AH]" or "[AH][ESP]" and where "[packet payload]" could be a ULP or another entire IP datagram. (Y/N)

Iterated tunneling on same box: "Terminate a tunnel on one interface and forward the packets out on a different tunnel on a different interface" (Y/N)

ESP cipher algorithms-

DES-CBC (Y/N)

3DES (Y/N)

NULL encryption (Y/N)

*RC5 (Y/N)

*CAST (Y/N)

*Blowfish (Y/N)

*IDEA (Y/N)

*DES-X (Y/N)

ESP authenticators-

HMAC-MD-5 (Y/N)

HMAC-SHA-1 (Y/N)

*HMAC RIPEMD-160 (Y/N)

AH algorithms-

HMAC-MD-5 (Y/N)

HMAC-SHA-1 (Y/N)

*HMAC RIPEMD-160 (Y/N)

*IPP Compression Protocol-

LZS (Y/N)

DEFLATE (Y/N)

=====IKE=====IKE=====IKE=====IKE===== IKE=====

IKE Exchanges-

Main/Quick mode (identity protect) (Y/N)

*Aggressive mode (Y/N)

*IKE Config (Y/N)

*XAUTH (Y/N)

*DHCP Inform for internal tunnel config (Y/N)

*New Group Mode (Y/N)

IKE Authentication methods-

Preshared keys (Y/N)

Minimum length (Y/N)

If yes, length_____________

*RSA signature (Y/N)

*DSS signature (Y/N)

*RSA Encryption (Y/N)

*Revised RSA encryption (Y/N)

*GSSAPI-Kerberos v5 (Y/N)

*Base Mode (Y/N)

IKE Key Material-

Groups supported (1,2,3,4,5,others)__________

*Elliptic Curve Groups_____________

*DH-less IKE_________

Main mode PFS (1 MM per quick mode) (Y/N)

Quick mode PFS (Y/N)

Minimum quickmode lifetime (bytes/secs)_________

IKE Encryption algorithms-

DES (Y/N)

3DES (Y/N)

CAST (Y/N)

RC5 (Y/N)

Blowfish (Y/N)

IDEA (Y/N)

Other__________________

IKE Hash algorithms-

MD-5 (Y/N)

SHA-1 (Y/N)

*HMAC RIPEMD-160 optional (Y/N)

IKE Certificates-

*IKE Certificate Validation (Y/N)

Validate subject name against IPSec policy data (Y/N)

Normal operation requires on-line access to CA for enrollment (Y/N)

Certificate Request Payload (Reqd/Optional/Not Used and Ignored)______________

*Certificate chains in band, means exchanged in IKE (Y/N)

CRL support (Reqd/Optional/ None)___________

CRL retrieval mechanism (http, file, LDAP)______________

Normal operation (Reqd/Optional/ Don’t Care and Not Used) on-line access to CRL distribution point __________________

IKE Optional payloads----------------

*IKE Cert types -

CERT (Y/N)

CRL (Y/N)

ARL (Y/N)

PKCS7 (Y/N)

Certificate signature algorithms supported (MD5, SHA1, etc)__________

IPSec only certificate key usage (Reqd/Optional/Don't Care)___________

Other certificate restrictions______________

*IKE Cert request types -

CERT (Y/N)

CRL (Y/N)

ARL (Y/N)

PKCS7 (Y/N) IKE Other Options- *Vendor-ID (Y/N)

*Commit bit (Y/N)

*Use quick mode lifetime notifies (Y/N)

*Use Initial Contact (Y/N)

*Send delete payload for quickmode SAs (Y/N)

*Send delete payload for main mode SAs (Y/N)

*CA Interoperability Issues-

*RFC2510 (Y/N)

*PKCS 10/7 (Y/N)

*PKCS #12 (Y/N)

Manual certificate enrollment (Y/N)

*Level of CA hierarchies supported (number levels/No)___________

*Support certs issued by a subordinate CA, which is a child of a different vendor CA (cross certification) (Y/N)

CMC (Y/N)

PKIX-CMP (Y/N)

CEP (Y/N)

CRS (Y/N)

For IPComp (RFC 2393)---------------------------------------------------------

Compression algorithms-

DEFLATE - RFC 2394 (Y/N)

LZS-RFC 2395 (Y/N)

Negotiation mechanism-

IKE (Y/N)

Manually-configured (Y/N)

Negotiated with-

ESP/AH (Y/N)

Standalone (Y/N)

=====PPP=====PPP=====PPP=====PPP===== PPP=====

LCP Options:

Default MRU__________________________

Default MRRU_________________________

Authentication:

CHAP authenticator (Y/N)

CHAP authenticatee (Y/N)

CHAP Re-challenge (Y/N)

MS CHAP (Y/N)

MS CHAP V2 (Y/N) Compression:

STAC (Y/N)

STAC DCP (Y/N)

STAC Options _________

MPPC (Y/N)

MPPE (Y/N)

WCP (Y/N)

Predictor (Y/N)

Other__________________

IPCP:

Numbered links (Y/N)

Un-numbered links (Y/N)

Tx if Un-numbered____________

Options supported____________

IP assignment (Y/N)

IP Pool (Y/N)

DHCP (Y/N) IPXCP:

Numbered links (Y/N)

Un-numbered links (Y/N)

Tx if Un-numbered____________

Options supported____________

=====L2TP=====L2TP=====L2TP=====L2TP=====L2TP=

Provide LAC (Y/N)

Provide LNS (Y/N)

Provide L2TP Client (Y/N)

L2TP Access Concentrator (LAC) Options:

Proxy LCP (Y/N)

Proxy Authentication PAP (Y/N)

Proxy Authentication CHAP (Y/N)

Proxy Authentication MS-CHAP (Y/N)

Tunnel Authentication (Y/N)

Hidden AVPs (Y/N)

Outgoing Calls (Y/N)

Sequencing (Y/N)

L2TP secured by IPSec (Reqd/Optional/No)___________

If yes, IKE authentication using identity protect or aggressive mode__________

If yes, IKE authentication using (machine/user/other) credential___________

If yes, IKE authentication (pre-shared key only/certs only/both/other)__________

L2TP Network Server (LNS) Options:

Proxy LCP (Y/N)

Proxy Authentication PAP (Y/N)

Proxy Authentication CHAP (Y/N)

Proxy Authentication MS-CHAP (Y/N)


Hidden AVPs (Y/N)


Sequencing (Y/N)

MP (bundle tunneled links) (Y/N)

ECP (Y/N)

CCP (Y/N)

Algorithms______________________________

CBCP (Y/N)





Tunnel Types-

Voluntary (Y/N)

Compulsory (Y/N)

Client L2TP Options:


Hidden AVPs (Y/N)


Sequencing (Y/N)





=====PPTP=====PPTP=====PPTP=====PPTP=====PPTP=

PAC (Y/N)

PNS (Y/N)

PPTP Client (Y/N)

PPTP Options - PAC:

Outgoing calls (Y/N)

Incoming calls (Y/N)

PPTP secured by IPSec (Reqd/Optional/No)___________

Ring-time tunnel (Y/N)

Username-based tunnel (Y/N)

PPTP Options - PNS:

Outgoing calls (Y/N)

Incoming calls (Y/N)

MP (bundle tunneled links) (Y/N)

MPPE (Y/N)

CCP (Y/N)

Algorithms______________


Tunnel types -

Voluntary (Y/N)

Compulsory (Y/N)

PPTP Options - Client:

MPPE (Y/N)

CCP (Y/N)

Algorithms______________


=====EAP=====EAP=====EAP =====EAP ===== EAP==

Identity (Y/N) Number of retries__________

Notification (Y/N)

Nak (response only) (Y/N)

MD5-Challenge (Y/N)

S/Key (RFC 1760) (Y/N)

Generic Token Card (Y/N)

RADIUS EAP-Proxy (Y/N)

Other________________________

=====PPPoE===== PPPoE ===== PPPoE ===== PPPoE ==

Client:

Can select from multiple services (Y/N)

AC-Cookie Tag (Y/N)

Host-Uniq Tag (Y/N)

Relay-Session-Id (Y/N)

PPPoE Active Discovery Terminate (PADT) packet (Y/N)

Server:

Can offer multiple services (Y/N)

AC-Cookie Tag (Y/N)

Host-Uniq Tag (Y/N)

Relay-Session-Id (Y/N)

PPPoE Active Discovery Terminate (PADT) packet (Y/N)

Jan2000IPSEC_PPP_application.doc.doc

Documents

workshop network

backbone ethernet network

public network address

single ip address

pm testing

routed private network

private class c network

vpn workshop