[Swan-dev] IKE algorithm list

Andrew Cagney andrew.cagney at gmail.com
Mon Feb 27 16:54:32 UTC 2017 

Hi,

First I should note that I'm as guilty as any for adding to the
problems here, more recently I've been dumping details into pluto.log
so hopefully I'm reformed :-)

The output from:

   $ ipsec auto --status

includes:

000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC,
v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20,
v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19,
v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18,
v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13,
v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=19, name=OAKLEY_GROUP_ECP_256, bits=512
000 algorithm IKE dh group: id=20, name=OAKLEY_GROUP_ECP_384, bits=768
000 algorithm IKE dh group: id=21, name=OAKLEY_GROUP_ECP_521, bits=1056
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048

I find the DH list especially bad and the main one I'd like to fix,
but I figure I should list all the issues I see:

- 'group' and 'oakley' shouldn't appear

- for DH19..DH21 should it use "dh19" rather than the poorly defined
ECP_256 (seemingly SECP256R1 is the actual name?  I should check NIST)

- is the ID (and duplicates) helpful to users?  Instead include that
in pluto.log

- are the duplicate names (v1name/v2name/name) helpful?   Instead just
list a single somewhat official name like AES_CBC

- should the allowed key lengths be listed explicitly (on separate
lines, say), i.e., AES_CBC_128

- how should IKEv1 vs IKEv2 only algorithms be identified (the GCM
algorithms are _not_ IKEv1)

- hash is an IKEv1 term, PRF is the IKEv2 term and the more correct
name is HMAC_MD5

- is hashlen helpful? Modern algorithms include the 'hashlen' in the name.

- upper or lower case? (I suspect upper case would actually be better)

Andrew

More information about the Swan-dev mailing list