[Swan-dev] aggressive mode
D. Hugh Redelmeier
hugh at mimosa.com
Sun Dec 21 21:37:20 EET 2014
The ipsec.conf(5) manpage says "aggrmode" means "Use Aggressive Mode instead
of Main Mode".
This does not seem nuanced enough.
There seem to be three reasonable policies:
1) forbid aggressive mode
2) accept aggressive mode but don't propose it
3) accept and propose aggressive mode
We should support all of these.
What is the current state? I guess (2) without "aggrmode" in the
conn and (3) if it is there. I want (1) as the default because
aggressive mode is problematic from a security standpoint.
I assume that if we accept IKEv1, we will accept Main Mode. It is
quite unfortunate that the policy about IKEv1 is represented negatively
(POLICY_IKEV1_DISABLE). This does not work with the selection logic
for policies. A conn is considered to have suitable policy if it has
all the required policy bits on (there is no way of requiring absence). So
POLICY_IKEV1_DISABLE must be replaced by its complement.
Why does this come up? The test netkey-audit-01 is failing
for me. When I look at the log, I see something that seems awfully
odd:
- east receives an initial aggressive mode packet
- it decides to use a connection called "ikev2".
That sounds misguided. Why would "ikev2" allow for aggressive mode?
I haven't looked at that conn -- it might actually allow v1 aggressive
mode, but nonetheless there is a problem in the code.
aggr_inI1_outR1_common looks for a suitable connection and does not
express any policy constraints. Yet there certainly are constraints:
(1) ikev1 must be allowed by the connection,
(2) aggressive mode must be allowed by the connection,
(3) the authentication mode (which we already know from the initial
packet) must be allowed.
The last parameter to the early find_host_connection call should not
be LEMPTY.
(Oh, and there is another mystery with this test run. The
pexpect(c == st->st_connection); /* ??? how would this have changed? */
fires, and I cannot see how. I'll figure that one out when my test
machine becomes available.)
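As an added illustration (not code from the post or from libreswan) of why a negative policy bit cannot be used by a "all required bits must be set" selection rule, and why the early lookup must not require LEMPTY: the table of conns is constructed, and POLICY_IKEV1_ALLOW, POLICY_AGGR_ACCEPT and POLICY_AGGR_PROPOSE are hypothetical names for the positive bits the post argues for.

```c
/* Added example, not libreswan code. POLICY_IKEV1_DISABLE and LEMPTY are
 * names from the post; POLICY_IKEV1_ALLOW, POLICY_AGGR_ACCEPT and
 * POLICY_AGGR_PROPOSE are hypothetical positive bits used for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef uint64_t lset_t;
#define LEMPTY ((lset_t)0)

enum {
    POLICY_IKEV1_DISABLE = 1 << 0, /* negative flag criticised in the post */
    POLICY_IKEV1_ALLOW   = 1 << 1, /* hypothetical complement of the above */
    POLICY_AGGR_ACCEPT   = 1 << 2, /* hypothetical: policy (2), accept only */
    POLICY_AGGR_PROPOSE  = 1 << 3, /* hypothetical: policy (3), also propose */
    POLICY_PSK           = 1 << 4, /* auth method known from the first packet */
    POLICY_RSASIG        = 1 << 5,
};

struct conn { const char *name; lset_t policy; };

/* Constructed table in lookup order: an IKEv2-only conn is scanned first,
 * as happened in the failing test run described in the post. */
static const struct conn conns[] = {
    { "ikev2",   POLICY_IKEV1_DISABLE | POLICY_RSASIG },
    { "v1-main", POLICY_IKEV1_ALLOW | POLICY_PSK },                      /* policy (1) */
    { "v1-aggr", POLICY_IKEV1_ALLOW | POLICY_AGGR_ACCEPT | POLICY_PSK }, /* policy (2) */
};

/* Selection rule from the post: every required bit must be set on the conn.
 * Absence of a bit (such as POLICY_IKEV1_DISABLE) cannot be demanded. */
static bool conn_matches(lset_t conn_policy, lset_t required)
{
    return (conn_policy & required) == required;
}

/* Stand-in for the find_host_connection scan: index of the first conn that
 * satisfies `required`, or -1. Requiring LEMPTY matches the first conn. */
static int find_conn(lset_t required)
{
    for (size_t i = 0; i < sizeof conns / sizeof conns[0]; i++)
        if (conn_matches(conns[i].policy, required))
            return (int)i;
    return -1;
}

/* The three constraints the post lists for an inbound aggressive-mode
 * first packet: IKEv1 allowed, aggressive mode allowed, auth method allowed. */
static lset_t aggr_inbound_requirement(lset_t auth)
{
    return POLICY_IKEV1_ALLOW | POLICY_AGGR_ACCEPT | auth;
}
```

With LEMPTY the scan returns the "ikev2" conn, reproducing the oddity in the log; with the positive requirement only a conn that actually permits IKEv1 aggressive mode with the observed auth method is selected.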