[Swan-dev] Default IKEv1 proposals

Andrew Cagney andrew.cagney at gmail.com
Mon Jun 17 16:40:00 UTC 2019

To expand on:

    Because the IKEv2 proposal parser can exactly describe the default
    proposal suite there is no externally visible change (well, other
    than fixing that obscure bug).  This isn't true of IKEv1 (but that
    doesn't mean a similar change to IKEv1 isn't a good idea).

For IKEv2, the proposal parser generates compact proposals.  For instance:

algparse -v2 'ike=aes_cbc_128'

where the proposal includes both HMAC_SHA2_512 and HMAC_SHA2_256 etc.
And because the proposal parser can build proposals identical to the
hardwired structures in ikev2_spdb_struct.c, the latter has been

However, for IKEv1, because the consumer doesn't know what to do with
compact proposals like the above, the proposal parser is instead
configured to generate simple proposals vis:

algparse -v1 'ike=aes_cbc_128'

and of course this can never match the compactness of the static
default proposal tables found in spdb*.c.  OTOH, is anyone willing to
admit that they still understand spdb*.c?

So switching IKEv1 to use the proposal parser to generate default
proposals is a trade off: less compact proposals vs less code to
maintain etc


More information about the Swan-dev mailing list