On Mon, 29 Jun 2020, Andrew Cagney wrote:
> libipsecconf: promote ah= / esp= as desired keywords over phase2alg=
> This is a reversal of what we tried to do in the past. Since IKEv2
> does not really talk about phase2 anymore, this term is no longer
> favoured.
Ya!
> Ideally, phase2=ah|esp would also get renamed, but what word to use?
> (type is already used for tunnel|transport, and mode= would be confused
> with transport|tunnel mode. And encapsulation=ah would be weird because
> there is no encapsulation. And no one wants ah=yes)
Right, mode is either transport or tunnel.
Encapsulation, however, refers to UDP / TCP.
(It's really confusing that the E in ESP is also encapsulate).
> The RFC seems to refer to ESP and AH as child SAs (which does make sense).
Child SA is an IKEv2 only term though. So I wouldn't use it here. We
could perhaps use ipsec=ah|esp|wesp|iptfs
> To clarify one thing, does this mean that:
> ah=sha1
> implies AH?
Currently it does not, because:
/* attributes of the phase2 policy */
{ "esp", kv_conn, kt_string, KSCF_ESP, NULL, NULL, },
{ "ah", kv_conn, kt_string, KSCF_ESP, NULL, NULL, },
{ "phase2alg", kv_conn | kv_alias, kt_string, KSCF_ESP, NULL, NULL, },
/* obsolete */
It's all KSCF_ESP. So esp= and ah= are actually the same thing.
We could introduce KSCF_AH and make it so, but that complicates things
with implied defaults (e.g. system-wide crypto policies via conn
%default). I would actually prefer it the other way; I would want to be
able to say:
conn %default
esp=aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256
ah=aes_ccm256+sha2_512+sha1+sha2_256
And have:
conn my-esp-tunnel
phase2alg=esp
[...]
conn my-ah-link
phase2alg=ah
[...]
Currently, on RHEL, we have a system-wide crypto policy with conn
%default specifying esp=, which means that any phase2alg=ah MUST
specify crypto algorithms via ah= or it will fail to load because
it will include ESP algos.
Paul
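The slot collision Paul describes, as an added model that is not libipsecconf code: esp=, ah= and the alias phase2alg= all write KSCF_ESP (as in the quoted table), phase2= selects the protocol (as in Andrew's note), and conn %default inheritance then hands the ESP policy to a phase2=ah conn. KSCF_AH is the hypothetical separate slot the thread proposes; the AH policy string and conn names are constructed, the esp= line is the one quoted above.

```python
"""Constructed model (not libipsecconf code) of the keyword-slot collision:
esp=, ah= and the alias phase2alg= all fill KSCF_ESP, and conn %default
inheritance then hands ESP algorithms to a phase2=ah conn.
KSCF_AH is the hypothetical separate slot proposed in the thread."""

CURRENT = {"esp": "KSCF_ESP", "ah": "KSCF_ESP",        # table as quoted in the thread
           "phase2alg": "KSCF_ESP", "phase2": "KSCF_PHASE2"}
SPLIT = {"esp": "KSCF_ESP", "ah": "KSCF_AH",           # hypothetical KSCF_AH slot
         "phase2alg": "KSCF_ESP", "phase2": "KSCF_PHASE2"}

# Constructed configs. ESP_POLICY is the esp= line quoted in the thread;
# AH_POLICY and the conn names are made up for the example.
ESP_POLICY = "aes_gcm256,chacha20_poly1305,aes256-sha2_512+sha1+sha2_256,aes_gcm128,aes128-sha1+sha2_256"
AH_POLICY = "sha2_512+sha2_256"
CONNS = "conn my-esp-tunnel\n    phase2=esp\nconn my-ah-link\n    phase2=ah\n"
RHEL_STYLE = f"conn %default\n    esp={ESP_POLICY}\n" + CONNS               # esp= only
DESIRED = f"conn %default\n    esp={ESP_POLICY}\n    ah={AH_POLICY}\n" + CONNS

def parse_conf(text, keywords):
    """Map each conn to {slot: value}; a later keyword on the same slot overwrites."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        else:
            key, _, value = line.partition("=")
            conns[current][keywords[key.strip()]] = value.strip()
    return conns

def proposals(text, keywords, name):
    """Algorithm string conn NAME loads for its phase2= protocol after inheriting
    every slot it does not set from conn %default (None = built-in defaults)."""
    conns = parse_conf(text, keywords)
    conn = {**conns.get("%default", {}), **conns[name]}
    proto = conn.get("KSCF_PHASE2", "esp")      # phase2= defaults to esp
    return conn.get(keywords[proto])            # read the slot that proto's keyword fills

if __name__ == "__main__":
    for label, text, table in (("rhel/current", RHEL_STYLE, CURRENT),
                               ("desired/current", DESIRED, CURRENT),
                               ("desired/split", DESIRED, SPLIT)):
        for name in ("my-esp-tunnel", "my-ah-link"):
            print(f"{label:16} {name:14} -> {proposals(text, table, name)}")
```

With the current table the AH conn inherits the ESP policy and, in the DESIRED config, the later ah= line simply overwrites esp= for every conn; only the split table gives each protocol its own inheritable default.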
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev