<div dir="ltr">[inline]<br><div><div class="gmail_extra"><br><div class="gmail_quote">On 8 December 2016 at 11:36, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On Thu, 8 Dec 2016, Andrew Cagney wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Given something like ike=sha1 or ike=aes or ... pluto uses the following table to fill in the ENCR-PRF;MODP blanks:<br>
</blockquote>
<br></span>
It should basically act as a filter on the "default set".<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
DH:OAKLEY_GROUP_MODP2048, OAKLEY_GROUP_MODP1536, OAKLEY_GROUP_MODP1024,<br>
</blockquote>
<br>
<br>
Can this behaviour be tuned for IKEv1 or IKEv2? I would like IKEv2 to<br>
not have 1536/1024. And I would like IKEv1 to not have 1024.<br>
<br></blockquote><div><br></div><div>I think so. The ike_alg structures contain this information, we just need to take the bit between our teeth and use it.<br><br></div><div>One technical nit. This makes the ESP/AH parser code dependent on ike_alg (the IKE code, via plutoalg.c) is already). That in turn breaks the, unmaintained and probably already broken, testing/lib/libswan/algparse.c. Fixing means moving the deck chairs ike_alg*.[hc] and crypt_*.[hc] to libswan.a, I think I'll hold off :-)<br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
ENCRYPT: OAKLEY_AES_CBC, OAKLEY_3DES_CBC,<br>
</blockquote>
<br>
This is fine for IKEv1. For IKEv2 we would want AES_GCM and not 3DES.<span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
PRF: OAKLEY_SHA1, OAKLEY_MD5, (it's actually a HMAC based on)<br>
</blockquote>
<br></span>
Actually, we sort of only do PRF == INTEG, so for ike=sha1 it should<br>
pick sha1 as prf. For ike=aes it should pick the strongest default,<br>
so a sha2 flavour? (sha2_256 is fine for IKE, we just want to avoid<br>
it for ESP due to the linux bug still existing and badly fixed in<br>
2.6.33)<br>
<br></blockquote><div><br></div><div>IKE and ESP have separate tables and separate implementations so that works.<br><br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Similarly, for esp:<br>
<br>
encrypt=AES<br>
</blockquote>
<br>
SHA2_512 or SHA1<span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
and esp/ah:<br>
<br>
INTEG="MD5", "SHA1" (its actually a truncated HMAC based on ...)<br>
<br>
do these need updating?<br>
</blockquote>
<br></span>
Yes.<span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
(my preference is to drop the magic defaults but I suspect that is too radical)<br>
</blockquote>
<br></span>
Yes, that falls in the category "pony" and "world peace" :)<br>
<br>
For guidance please see:<br>
<br>
<a href="https://tools.ietf.org/html/draft-ietf-ipsecme-rfc7321bis" rel="noreferrer" target="_blank">https://tools.ietf.org/html/dr<wbr>aft-ietf-ipsecme-rfc7321bis</a><br>
<br>
<a href="https://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis" rel="noreferrer" target="_blank">https://tools.ietf.org/html/dr<wbr>aft-ietf-ipsecme-rfc4307bis</a><span class="gmail-HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div></div></div>