[Swan] authenticated Opportunistic Encryption !

Paul Wouters paul at nohats.ca
Wed Dec 13 04:51:51 UTC 2017


On Sun, 10 Dec 2017, John Crisp wrote:

>> No there is no such option, because it is inherently insecure.
>
> And presumably has been for a long time....

But it is much more important now with Enterprise Cloud (mesh)
encryption being used with the Opportunistic IPsec code we added.

> What is more insecure... taking an acknowledged risk with your certificates by using a switch to override the new defaults, or being forced for whatever reason to stay on an older version of Libre?

I understand your viewpoint. Our viewpoint is on how much more complex
it becomes if we have more tweaks and switches into the code path.

> I have a similar issue with a router that I need to upgrade. It can't operate with newer minimum defaults until I can get to replace it, so until I can I have no option but to use an older, (potentially less secure because of bugs etc) version of Libre. That is going to take me a few months to sort due to locations. In the meantime I just have to accept the risks.

The defaults that we dropped were extremely conservative. No one should
have been on 3DES, SHA1 or DH5 for IKEv2, or on MD5 or DH2 for IKEv1.
I mean, they shouldn't have been on that for _years_.

> I don't dispute that raising security levels is important. But for various reasons we can't always jump that high or fast immediately.

I understand. We try to move slowly (e.g. see RFC 8221 and 8247).

I'll think about a switch for the ID/CERT issue. But the default
algorithm code is following the RFCs tightly, and it would be
unwise to change those. Also, a simple ike= or esp= line already
overrides the default and we haven't prevented any of the older
algorithms from being manually configured.

Paul

