Hi,
I was looking at iked's cryptographic defaults and noticed
that they still include some weak/deprecated primitives while we do not
propose some of the newer (more secure/faster) algorithms.
3DES is considered weak since https://sweet32.info/ and was removed
from OpenSSL in 2016. Logjam and https://weakdh.org/ broke some of the
classical DH groups. The researchers who found it recommend
2048-bit or larger MODP groups or switching to ECDH.
AES-GCM and CHACHA20 can be considerably faster than AES-CBC+HMAC-SHA1
and are well established. The only downside is that GCM performance
depends heavily on CPU support, so newer Intel/AMD CPUs will be much faster with
GCM. On everything else CHACHA20 might actually be faster (compare
`openssl speed aes-256-gcm/chacha20-poly1305`).
I would also like to add all DH groups in ikev2_default_ike_transforms
to the ikev2_default_ipsec_transforms as perfect forward secrecy for ESP
is generally considered best practice.
SHA1 can stay as it is only used in a HMAC construction which is still
considered secure (see https://sha-mbles.github.io/).
Any strong opinions against any of those changes?
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index fe052068922..7d4158d2242 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -140,25 +140,45 @@ struct iked_transform ikev2_default_ike_transforms[] = {
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
- { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_3DES },
+ { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 },
+ { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 },
{ IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 },
{ IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 },
+ { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
+ { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 },
{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 },
- { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 },
- { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 },
{ 0 }
};
size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
sizeof(ikev2_default_ike_transforms[0])) - 1);
struct iked_transform ikev2_default_esp_transforms[] = {
+ { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 },
+ { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 192 },
+ { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 },
+ { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_CHACHA20_POLY1305 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
+ { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
+ { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_CURVE25519 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_4096 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_3072 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 },
{ IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN },
{ IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE },
{ 0 }