[Swan-dev] supported ESP/AH algorithms
Paul Wouters
paul at nohats.ca
Thu Dec 8 16:28:09 UTC 2016
On Thu, 8 Dec 2016, Andrew Cagney wrote:
> Does anyone know what ESP/AH (i.e., ENCR and INTEG) algorithms pluto supports? My guess is:
>
> ENCRYPT:
>
> &ike_alg_encrypt_aes_ccm_16,
> &ike_alg_encrypt_aes_ccm_12,
> &ike_alg_encrypt_aes_ccm_8,
> &ike_alg_encrypt_3des_cbc,
> &ike_alg_encrypt_camellia_ctr,
> &ike_alg_encrypt_camellia_cbc,
> &ike_alg_encrypt_aes_gcm_16,
> &ike_alg_encrypt_aes_gcm_12,
> &ike_alg_encrypt_aes_gcm_8,
> &ike_alg_encrypt_aes_ctr,
> &ike_alg_encrypt_aes_cbc,
> &ike_alg_encrypt_serpent_cbc,
> &ike_alg_encrypt_twofish_cbc,
> &ike_alg_encrypt_twofish_ssh,
I think in theory it could do (but has never had code) for camellia_gcm
I never understoof the difference of twofish_cbc an twofish_ssh. Not
sure the kernel supports either or both. I think we only really do
twofish_cbc?
> which is seemingly missing:
>
> ESP/AH ENCRYPT algorithm ESP_CAST=6 not found
We do support it but it is only able to be negotiated with IKEv1.
> ESP/AH ENCRYPT algorithm ESP_ID255=255 not found
I think that's KAME's version of ESP_NULL (via private use number)
> ESP/AH ENCRYPT algorithm ESP_NULL=11 not found
We do support esp=null, but might negotiate it with KAME's version?
> INTEG:
>
> &ike_alg_integ_md5,
> &ike_alg_integ_sha1,
> &ike_alg_integ_sha2_512,
> &ike_alg_integ_sha2_384,
> &ike_alg_integ_sha2_256,
> &ike_alg_integ_aes_xcbc,
> &ike_alg_integ_aes_cmac,
>
> which is seemingly missing:
>
> ESP/AH INTEG algorithm AUTH_ALGORITHM_HMAC_RIPEMD=8 not found
> ESP/AH INTEG algorithm AUTH_ALGORITHM_NONE=0 not found
No uses uses RIPEMD, it would be IKEv1 negotiated only and we never
supported it. None is only "supported" to negotiate it with AEAD's
like AES_GCM.
There is also aes128gmac, aes192gmac and aes256gmac for AH which the
kernel supports but we haven't added support for yet.
Note that I think the kernel does support poly1305chacha20 (IPsec
flavour is slightly non-standard, see draft) which we want to support
(in both IKE and ESP):
https://tools.ietf.org/html/draft-ietf-ipsecme-chacha20-poly1305-12
It already has an early code point assignment of "28"
Paul
More information about the Swan-dev
mailing list