29 May 1997, Network World:
Security spec splinters
An IETF standard for encrypting data between trading partners is almost complete, but an industry dispute over an element of the standard called key management means that many standards-based products may not be interoperable.
For two years, the IETF Security Group has labored to hammer out the IP Security (IPSec) protocol, a standard way that businesses can open up an encrypted link to a trading partner's network. The link is encrypted after authentication by means of an X.509 digital certificate at an IPSec-based firewall or gateway.
But an unresolved, bitter dispute over the technique for automatically swapping keys over the 'Net - referred to as key management - has resulted in two incompatible schemes in the IPSec specification. The specification is expected to be completed this summer and officially adopted as an IETF standard by early next year.
In this battle of the acronyms, the debate centers on the Simple Key Management for IP (SKIP), developed by Sun Microsystems, Inc., and the Internet Secure Association Key Management Protocol (ISAKMP), developed by the National Security Agency.
The latest version of ISAKMP, called ISAKMP/Oakley (after cowgirl Annie Oakley), was developed by former University of Phoenix Professor Hilarie Orman, who is now at the Defense Advanced Research Projects Agency.
While the experts gladly argue the relative merits in detail, the two have some obvious differences. Sun's SKIP, ready now, is a sessionless protocol for exchanging keys. ISAKMP, now in its seventh revision, depends on two-way stateful communications.
At this point, ISAKMP is required for the next-generation IP - IPv6 - with SKIP as an option. However, for IPv4, on which today's Internet is based, IPSec lets either ISAKMP or SKIP be used, though that, too, is still being argued.
"SKIP is not part of the standard," said Tim Hember, president and CEO of TimeStep Corp., which plans to ship an ISAKMP gateway this fall.
"Yes, it is," countered Rick Kagan, vice president of marketing at VPNet Technologies, Inc., a start-up with a SKIP-based firewall it sells as IPSec compliant. He noted that there have been so many versions of ISAKMP, it is unclear whether any products based on the protocol currently work together.
A gateway encryption product from start-up Red Creek Communications, Inc., is supposed to support IPSec with ISAKMP, but it is not known to interoperate with anything else at this point, acknowledged Bill Wiedemann, Red Creek president.
In Sun's camp, Check Point Software Technologies, Ltd., Toshiba Corp., Proteon, Inc., OpenRoute, Inc. and SunSoft, Inc. already have firewalls or products, such as client software, supporting SKIP.
"We say we're IPSec-compliant when asked," said Smita Deshpande, director of marketing for network security products at SunSoft's electronic commerce group.
SunSoft includes SKIP in its SunScreen firewall. The company plans to add SKIP to Solaris 2.6 in August and to the Java OS around the same time. Last week, SunSoft announced that a Moscow-based firm, ELVIS+Co., will supply SunScreen SKIP IP, SKIP-based client software with Data Encryption Standard and Triple-DES encryption for Windows 3.11, 95 and NT.
A large constituency of users driving adoption of ISAKMP/Oakley is the U.S. automotive industry. Bob Moskowitz, Chrysler Corp. technical support specialist, has been pushing a dozen vendors, including Cisco Systems, Inc. and Microsoft Corp., to test interoperability in their products.
"ISAKMP works at the host level, but eventually we'll get it to the application level," Moskowitz said. "SKIP is adequate for an intraenterprise, single-trust environment. However, in an interenterprise, multitrust arena, it breaks down."
Copyright ©1995-1998 Cryptosoft GmbH
All Rights Reserved