Hi, I was looking at iked's cryptographic defaults and noticed that there are some weak/deprecated primitives, while we do not propose some of the newer (more secure/faster) algorithms.
3DES is considered weak since https://sweet32.info/ and was removed from OpenSSL in 2016. Logjam and https://weakdh.org/ broke some of the classical DH groups. The researchers who found it recommend 2048-bit or larger MODP groups or switching to ECDH. AES-GCM and CHACHA20 can be considerably faster than AES-CBC+HMAC-SHA1 and are well established. The only downside is that GCM heavily depends on CPU support, so newer Intel/AMD CPUs will be much faster with GCM. For everything else CHACHA20 might actually be faster (compare `openssl speed aes-256-gcm/chacha20-poly1305`). I would also like to add all DH groups in ikev2_default_ike_transforms to the ikev2_default_ipsec_transforms as perfect forward secrecy for ESP is generally considered best practice. SHA1 can stay as it is only used in a HMAC construction which is still considered secure (see https://sha-mbles.github.io/). Any strong opinions against any of those changes?
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index fe052068922..7d4158d2242 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -140,25 +140,45 @@ struct iked_transform ikev2_default_ike_transforms[] = {
 	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
 	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
 	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
-	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_3DES },
+	{ IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 },
+	{ IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 },
 	{ IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 },
 	{ IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 },
+	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
+	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
 	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
 	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 },
 	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 },
-	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 },
-	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 },
 	{ 0 }
 };
 size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
     sizeof(ikev2_default_ike_transforms[0])) - 1);
 struct iked_transform ikev2_default_esp_transforms[] = {
+	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 },
+	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 192 },
+	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 },
+	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_CHACHA20_POLY1305 },
 	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
 	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
 	{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
+	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
+	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
 	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
 	{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 },
+	{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 },
 	{ IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN },
 	{ IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE },
 	{ 0 }
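Review bot: The new IKEV2_XFORMENCR_AES_GCM_16 and IKEV2_XFORMENCR_CHACHA20_POLY1305 entries in ikev2_default_esp_transforms share one default table with the HMAC INTEGR transforms, and RFC 5282 requires that a proposal using an AEAD encryption transform carry no integrity transform, so unless the code that turns this table into proposals (not visible in this hunk) already emits the AEAD entries in a separate proposal without an INTEGR transform, a strict peer can reject the combined proposal and the AEAD defaults would never be selected. Please confirm how ikev2_default_esp_transforms is consumed before relying on these defaults. The table order presumably doubles as the preference order sent to the peer, which is worth stating, e.g. a comment above the array: `/* Default ESP transforms in preference order; AEAD ENCR entries must not be paired with an INTEGR transform (RFC 5282). */`. The ikev2_default_ike_transforms definition opens on the hunk's header context line, and the ESP array's closing brace follows the hunk.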