[Swan] What are strongest ciphers that can be used for ike and phase2alg?

Andrew Cagney andrew.cagney at gmail.com
Tue May 31 13:57:43 UTC 2016


On 31 May 2016 at 03:41, Michael Furman <michael_furman at hotmail.com> wrote:
>
> Thanks for the fast and qualified answer!
>
> I would be happy for a couple of clarifications:
>
> 1)  Sorry, but how do I configure AES_GCM 256 with SHA2-512?
>
> I am confused by this link
> http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml
>
>
>
> The best configuration I have found is the following:


The table on https://tools.ietf.org/html/rfc7296#page-82 might help a
little.  Ignore ESN.

Pluto's syntax is: AUTH - INTEG&|PRF ; DH

The second field gets used to select data integrity and/or pseudo
random number generation as needed.  While, in theory, they could be
different, no one ever does that.

> ike=aes_gcm-sha2;modp2048

auth=aes_gcm
integ="aes_gcm"
prf=sha2
dh=modp2048

> esp=aes_gcm256-null;modp2048

That's correct.

auth=aes_gcm
integ="aes_gcm"
prf=none
dh=modp2048 but pluto currently ignores this? generating keying
material from the IKE secure association

> I want to configure sha2_512 since I do not want to configure
> sha2-truncbug=yes
>
>
>
> 2)   According to the following link not all AES-NI hardware accelerators
> support AES_GCM:
>
> https://libreswan.org/wiki/Benchmarking_and_Performance_testing#x86_64_NUMA_Xeon_with_Intel_QuickAssist_PCIe
>
> We run on RHEL6.  Do you expect any issue with AES-NI hardware accelerators
> and AES_GCM?

I'll let Paul answer that.

>> Date: Mon, 30 May 2016 17:14:07 -0400
>> From: paul at nohats.ca
>> To: michael_furman at hotmail.com
>> CC: swan at lists.libreswan.org
>> Subject: Re: [Swan] What are strongest ciphers that can be used for ike
>> and phase2alg?
>
>>
>> On Mon, 30 May 2016, Michael Furman wrote:
>>
>> >
>> > ike=aes256-sha2_256;modp2048
>> >
>> > phase2alg=aes256-sha2_256;modp2048
>> >
>> > What are strongest ciphers that can be used for ike and phase2alg?
>>
>> That's a bit subjective. For instance, is AES more secure than SERPENT
>> or CAMELLIA or CHACHA20POLY1305 or TWOFISH?
>>
>> > Is it aes256-sha2_512?
>> >
>> > Can I configure aes512?
>>
>> There is no such thing as aes512.
>>
>> If you want to know what are valid IKE and ESP ciphers, see:
>>
>> http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml
>>
>> > Any performance overhead with the stronger ciphers?
>>
>> Yes. For ESP I strongly recommend AES_GCM over AES(_CBC) for performance
>> reasons. See
>> https://libreswan.org/wiki/Benchmarking_and_Performance_testing
>>
>> For IKE that hardly matters, that's only a few packets per hour.
>>
>> I also recommend staying away from sha2_256 because some implementations
>> based on broken linux kernels do a wrong truncation causing interop
>> issues. Use sha2_512 instead.
>>
>> You can find some recommendations in the following drafts:
>>
>> https://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis
>>
>> https://tools.ietf.org/html/draft-mglt-ipsecme-rfc7321bis
>>
>> While these are for "mandatory to implement" you can also use these
>> as guidance for configurations. Libreswan is constantly updating
>> its default proposals to match the latest recommended standards.
>> So it should not be needed to specify either ike= or phase2alg=/esp=
>> lines but you can do so if you want.
>>
>> Paul
>
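The field mapping described in this message, as an added example that is not part of the original thread and is not libreswan's parser. The names `parse_proposal` and `lint_proposal` are hypothetical; the keys follow the RFC 7296 transform types (ENCR, INTEG, PRF, D-H), with the first field of the proposal string carrying the cipher.

```python
# Added example, not libreswan code: models the field mapping described in this thread.
AEAD_PREFIXES = ("aes_gcm",)  # assumption: only the AEAD cipher discussed in the thread
FLAGGED = {
    "sha2_256": "truncation interop issue raised in the thread; prefer sha2_512",
    "sha2": "digest length not written out; spell out sha2_512",
}

def parse_proposal(kind, text):
    """Split 'FIRST-SECOND;DH' for kind 'ike' or 'esp' into transform types."""
    algs, _, dh = text.strip().partition(";")
    encr, _, second = algs.partition("-")
    aead = next((p for p in AEAD_PREFIXES if encr.startswith(p)), None)
    return {
        "encr": encr,
        # An AEAD cipher provides integrity itself; otherwise the second field does.
        "integ": aead if aead else (second or None),
        # Only IKE negotiates a PRF, and it is taken from the same second field.
        "prf": (second or None) if kind == "ike" else None,
        "dh": dh or None,
        "second": second,
        "aead": aead is not None,
    }

def lint_proposal(kind, text):
    """Return notes for choices the thread advises against."""
    p = parse_proposal(kind, text)
    notes = [f"{f}={p[f]}: {FLAGGED[p[f]]}"
             for f in ("integ", "prf") if p[f] in FLAGGED]
    # With an AEAD cipher, ESP carries no separate integrity algorithm.
    if kind == "esp" and p["aead"] and p["second"] not in ("", "null"):
        notes.append("esp with an AEAD cipher: second field should be 'null'")
    return notes

if __name__ == "__main__":
    # Constructed sample input: the proposal strings quoted in the thread.
    samples = [("ike", "aes_gcm-sha2;modp2048"),
               ("esp", "aes_gcm256-null;modp2048"),
               ("ike", "aes256-sha2_256;modp2048")]
    for kind, text in samples:
        print(f"{kind}={text}")
        print("  ", parse_proposal(kind, text))
        for note in lint_proposal(kind, text):
            print("   note:", note)
```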

