[Swan-dev] libipsecconf: promote ah= / esp= as desired keywords over phase2alg=

Paul Wouters paul at nohats.ca
Tue Jun 30 00:49:38 UTC 2020

On Mon, 29 Jun 2020, Andrew Cagney wrote:

>>     libipsecconf: promote ah= / esp= as desired keywords over phase2alg=
>>     This is a reversal of what we tried to do in the past. Since IKEv2
>>     does not really talk about phase2 anymore, this term is no longer
>>     favoured.
> Ya!

>>     Ideally, phase2=ah|esp would also get renamed, but what word to use?
>>     (type is already used for tunnel|transport, and mode= would be confused
>>      with transport|tunnel mode. And encapsulation=ah would be weird because
>>      there is no encapsulation. And no one wants ah=yes)
> Right, mode is either transport or tunnel.
> Encapsulation, however, refers to UDP / TCP.
> (It's really confusing that the E in ESP is also encapsulate).
> The RFC seems to refer to ESP and AH as child SAs (which does make sense).

Child SA is an IKEv2 only term though. So I wouldn't use it here. We
could perhaps use ipsec=ah|esp|wesp|iptfs

> To clarify one thing, does this mean that:
>      ah=sha1
> implies AH?

Currently it does not, because:

   /* attributes of the phase2 policy */
   { "esp",  kv_conn,  kt_string,  KSCF_ESP, NULL, NULL, },
   { "ah",  kv_conn,  kt_string,  KSCF_ESP, NULL, NULL, },
   { "phase2alg",  kv_conn | kv_alias,  kt_string,  KSCF_ESP, NULL, NULL, },     /* obsolete */

It's all KSCF_ESP. So esp= and ah= are actually the same thing.

We could introduce KSCF_AH and make it so, but that complicates thing
with implied defaults (eg system wide crypto policies via conn
%default). I would actually prefer it the other way, I would want to be
able to say:

 	conn %default

And have:

 	conn my-esp-tunnel

 	conn my-ah-link

Currently, on RHEL, we have a system wide crypto policy with conn
%default specifying esp= which means that any phase2alg=ah MUST
specify crypto algorithms via ah= or it will fail to load because
it will include ESP algos.


More information about the Swan-dev mailing list