...after some more research:

ec2n never actually made it into the IKEv2 RFC, it was present in drafts
up to 15, but removed in

https://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-ipsec-ikev2-16.txt

the relevant entry from https://datatracker.ietf.org/doc/rfc4306/history/ is

: 2004-09-02   17       Russ Housley    [Ballot discuss]
: 
: In 2002, the working group decided not to pursue elliptic curves.
: Hilarie Orman made several presentations advocating them; her slides
: are in the minutes.  However, the IPR concerns associated with
: elliptic curves led the working group to classic Diffie-Hellman.
: Yet, two elliptic curve groups are still included in the document.
: This seems to contradict the working group decision.  I suggest the
: removal of the elliptic curve groups from Appendix B.

A quick search doesn't find any implementations supporting ec2n other
than iked and CLJ^H^H^H routeros. OK I have changed my mind and agree
with you Tobias, I am happy to kill it now.



On 2020/04/28 08:59, Theo de Raadt wrote:
> If so, immediately.  That means for about 2 weeks someone in snaps
> can scream.
> 
> Tobias Heider <tobias.hei...@stusta.de> wrote:
> 
> > On Tue, Apr 28, 2020 at 11:22:02AM +0100, Stuart Henderson wrote:
> > > On 2020/04/28 01:09, Tobias Heider wrote:
> > > > Hi,
> > > > 
> > > > the EC2N family of curves has been marked as insecure for at least 10
> > > > years.
> > > > In fact, IANA has stopped listing them altogether [1].
> > > > Their former IDs are now 'reserved'.
> > > > 
> > > > I think it's time for us to drop them as well.
> > > > 
> > > > ok?
> > > 
> > > I agree with dropping them. Timing-wise perhaps it's better to do it
> > > after release (possible text for upgrade notes below); OTOH probably
> > > nobody really uses ec2n so it's not all that likely to hurt users (we
> > > can use similar text but say "prior to upgrade, add alternative groups
> > > [...]" instead).
> > > 
> > >   "The insecure ec2n D-H groups will be removed from iked in the next
> > >   release; if you are using these, add alternative groups to ikesa/childsa
> > >   in iked.conf, then you can move clients across one by one and remove
> > >   the ec2n groups in advance of 6.8.
> > > 
> > >   While removal of other groups is not imminent, some are considered
> > >   insecure (768-bit MODP, group 1) or weak (1024- and 1536-bit MODP,
> > >   groups 2 and 5). Prefer curve25519, an ECP group of 256 bits or
> > >   more, or a MODP group of 2048 bits or more."
> > 
> > I would really rather do it now.  It has been marked as insecure for long
> > enough and really no one should be using it.
> > IMHO shipping them for another six months would be rather irresponsible
> > from our side.
> > 
> > The upgrade note sounds good.
> > 
> > > 
> > > > Index: iked.conf.5
> > > > ===================================================================
> > > > RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> > > > retrieving revision 1.66
> > > > diff -u -p -r1.66 iked.conf.5
> > > > --- iked.conf.5 27 Apr 2020 22:40:09 -0000      1.66
> > > > +++ iked.conf.5 27 Apr 2020 22:58:24 -0000
> > > > @@ -909,8 +909,6 @@ keyword:
> > > >  .It Em Name Ta Em Group Ta Em Size Ta Em Type
> > > >  .It Li modp768 Ta grp1 Ta 768 Ta "MODP"
> > > >  .It Li modp1024 Ta grp2 Ta 1024 Ta "MODP"
> > > 
> > >    .It Li modp768 Ta grp1 Ta 768 Ta "MODP" [insecure]
> > >    .It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" [weak]
> > > 
> > > > -.It Li ec2n155 Ta grp3 Ta 155 Ta "EC2N [insecure]"
> > > > -.It Li ec2n185 Ta grp4 Ta 185 Ta "EC2N [insecure]"
> > > >  .It Li modp1536 Ta grp5 Ta 1536 Ta "MODP"
> > > 
> > >    .It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" [weak]
> > > 
> > > I guess we should sprinkle some other weak/insecure in the manual
> > > too but this is a start.
> > 
> > Good idea, your classification makes sense.  We should do the same for
> > all algorithms.
> > 
> > > 
> > > >  .It Li modp2048 Ta grp14 Ta 2048 Ta "MODP"
> > > >  .It Li modp3072 Ta grp15 Ta 3072 Ta "MODP"
> > > > @@ -931,11 +929,8 @@ keyword:
> > > >  .Pp
> > > >  The currently supported group types are either
> > > >  MODP (exponentiation groups modulo a prime),
> > > > -EC2N (elliptic curve groups over GF[2^N]),
> > > >  ECP (elliptic curve groups modulo a prime),
> > > >  or Curve25519.
> > > > -Please note that the EC2N groups are considered as insecure and only
> > > > -provided for backwards compatibility.
> > > 
> > >    Please note that MODP groups of less than 2048 bits are considered
> > >    as weak or insecure (see RFC 8247 section 2.4) and only provided for
> > >    backwards compatibility.
> > > 
> > > > --- dh.h        27 Oct 2017 14:26:35 -0000      1.11
> > > > +++ dh.h        27 Apr 2020 22:58:24 -0000
> > > > @@ -21,7 +21,6 @@
> > > >  
> > > >  enum group_type {
> > > >         GROUP_MODP              = 0,
> > > > -       GROUP_EC2N              = 1,
> > > >         GROUP_ECP               = 2,
> > > >         GROUP_CURVE25519        = 3
> > > >  };
> > > 
> > > Should the others be renumbered so that somebody looking later doesn't
> > > have to figure out why there's a gap?
> > > 
> > 
> > Fixed.
> > 
> > Here's an updated diff:
> > 
> > Index: dh.c
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/dh.c,v
> > retrieving revision 1.22
> > diff -u -p -r1.22 dh.c
> > --- dh.c    2 Apr 2019 09:42:55 -0000       1.22
> > +++ dh.c    28 Apr 2020 14:50:58 -0000
> > @@ -35,7 +35,7 @@ int       modp_getlen(struct group *);
> >  int        modp_create_exchange(struct group *, uint8_t *);
> >  int        modp_create_shared(struct group *, uint8_t *, uint8_t *);
> >  
> > -/* EC2N/ECP */
> > +/* ECP */
> >  int        ec_init(struct group *);
> >  int        ec_getlen(struct group *);
> >  int        ec_secretlen(struct group *);
> > @@ -83,8 +83,6 @@ const struct group_id ike_groups[] = {
> >         "FFFFFFFFFFFFFFFF",
> >         "02"
> >     },
> > -   { GROUP_EC2N, 3, 155, NULL, NULL, NID_ipsec3 },
> > -   { GROUP_EC2N, 4, 185, NULL, NULL, NID_ipsec4 },
> >     { GROUP_MODP, 5, 1536,
> >         "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
> >         "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
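Review bot: after the two `GROUP_EC2N` rows are removed from `ike_groups[]`, ids 3 and 4 have no entry ahead of the group 5 row, so a peer that still proposes either id depends entirely on the lookup in `group_get()` failing cleanly. That part of the function is not shown in this diff; please confirm it returns NULL for an id with no row and that callers treat that as an unsupported group rather than dereferencing the result.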
> > @@ -290,7 +288,6 @@ group_get(uint32_t id)
> >             group->exchange = modp_create_exchange;
> >             group->shared = modp_create_shared;
> >             break;
> > -   case GROUP_EC2N:
> >     case GROUP_ECP:
> >             group->init = ec_init;
> >             group->getlen = ec_getlen;
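Review bot: with `case GROUP_EC2N:` gone from the switch in `group_get()`, `ec_init`, `ec_getlen` and the other `ec_*` callbacks only ever see ECP groups, so any handling of binary-field curves inside them is now unreachable. The compiler will not point that out if the code keys on the curve rather than on the `GROUP_EC2N` constant; suggest checking those helpers and removing any such code in the same commit.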
> > Index: dh.h
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/dh.h,v
> > retrieving revision 1.11
> > diff -u -p -r1.11 dh.h
> > --- dh.h    27 Oct 2017 14:26:35 -0000      1.11
> > +++ dh.h    28 Apr 2020 14:50:58 -0000
> > @@ -21,9 +21,8 @@
> >  
> >  enum group_type {
> >     GROUP_MODP              = 0,
> > -   GROUP_EC2N              = 1,
> > -   GROUP_ECP               = 2,
> > -   GROUP_CURVE25519        = 3
> > +   GROUP_ECP               = 1,
> > +   GROUP_CURVE25519        = 2
> >  };
> >  
> >  struct group_id {
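Review bot: the renumbering of `GROUP_ECP` and `GROUP_CURVE25519` in `enum group_type` is safe only if the numeric values never leave the process; everything visible in this diff uses the symbolic names, but it is worth a grep for places that store or compare the raw integers. Since the values are now contiguous from 0, dropping the explicit `= 0`, `= 1`, `= 2` initializers would give the same result and avoid a renumbering step the next time a type is removed.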
> > Index: iked.conf.5
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> > retrieving revision 1.66
> > diff -u -p -r1.66 iked.conf.5
> > --- iked.conf.5     27 Apr 2020 22:40:09 -0000      1.66
> > +++ iked.conf.5     28 Apr 2020 14:50:58 -0000
> > @@ -907,11 +907,9 @@ The following group types are permitted 
> >  keyword:
> >  .Bl -column "modp1024-160" "Group" "Size" "Type" -offset indent
> >  .It Em Name Ta Em Group Ta Em Size Ta Em Type
> > -.It Li modp768 Ta grp1 Ta 768 Ta "MODP"
> > -.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP"
> > -.It Li ec2n155 Ta grp3 Ta 155 Ta "EC2N [insecure]"
> > -.It Li ec2n185 Ta grp4 Ta 185 Ta "EC2N [insecure]"
> > -.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP"
> > +.It Li modp768 Ta grp1 Ta 768 Ta "MODP" [insecure]
> > +.It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" [weak]
> > +.It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" [weak]
> >  .It Li modp2048 Ta grp14 Ta 2048 Ta "MODP"
> >  .It Li modp3072 Ta grp15 Ta 3072 Ta "MODP"
> >  .It Li modp4096 Ta grp16 Ta 4096 Ta "MODP"
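Review bot: on the three added `modp768`, `modp1024` and `modp1536` rows the tag sits outside the quoted Type cell (`"MODP" [insecure]`), whereas the removed EC2N rows kept it inside (`"EC2N [insecure]"`). Suggest `Ta "MODP [insecure]"` and `Ta "MODP [weak]"` so each cell stays a single quoted argument and follows the convention the table already used.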
> > @@ -931,11 +929,11 @@ keyword:
> >  .Pp
> >  The currently supported group types are either
> >  MODP (exponentiation groups modulo a prime),
> > -EC2N (elliptic curve groups over GF[2^N]),
> >  ECP (elliptic curve groups modulo a prime),
> >  or Curve25519.
> > -Please note that the EC2N groups are considered as insecure and only
> > -provided for backwards compatibility.
> > +Please note that MODP groups of less than 2048 bits are considered
> > +as weak or insecure (see RFC 8247 section 2.4) and only provided for
> > +backwards compatibility.
> >  .Sh FILES
> >  .Bl -tag -width /etc/examples/iked.conf -compact
> >  .It Pa /etc/iked.conf
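Review bot: the added sentence after "or Curve25519." tells readers that MODP groups of less than 2048 bits are weak or insecure, but the paragraph does not say what to use instead. Suggest carrying over the recommendation from the proposed upgrade note (curve25519, an ECP group of 256 bits or more, or a MODP group of 2048 bits or more). As a wording nit, "considered as weak" reads better as "considered weak".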
> > Index: ikev2.h
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/ikev2.h,v
> > retrieving revision 1.31
> > diff -u -p -r1.31 ikev2.h
> > --- ikev2.h 3 Dec 2019 12:38:34 -0000       1.31
> > +++ ikev2.h 28 Apr 2020 14:50:59 -0000
> > @@ -230,8 +230,6 @@ extern struct iked_constmap ikev2_xforma
> >  #define IKEV2_XFORMDH_NONE         0       /* No DH */
> >  #define IKEV2_XFORMDH_MODP_768             1       /* DH Group 1 */
> >  #define IKEV2_XFORMDH_MODP_1024            2       /* DH Group 2 */
> > -#define IKEV2_XFORMDH_EC2N_155             3       /* DH Group 3 */
> > -#define IKEV2_XFORMDH_EC2N_185             4       /* DH Group 3 */
> >  #define IKEV2_XFORMDH_MODP_1536            5       /* DH Group 5 */
> >  #define IKEV2_XFORMDH_MODP_2048            14      /* DH Group 14 */
> >  #define IKEV2_XFORMDH_MODP_3072            15      /* DH Group 15 */
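Review bot: removing the two EC2N defines leaves an unexplained jump from `IKEV2_XFORMDH_MODP_1024` (2) to `IKEV2_XFORMDH_MODP_1536` (5). A one-line comment noting that 3 and 4 were the EC2N groups and are now reserved would save a later reader the same digging that prompted the renumbering question on `enum group_type`, and would discourage reuse of those values.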
> > Index: parse.y
> > ===================================================================
> > RCS file: /cvs/src/sbin/iked/parse.y,v
> > retrieving revision 1.95
> > diff -u -p -r1.95 parse.y
> > --- parse.y 26 Apr 2020 16:55:47 -0000      1.95
> > +++ parse.y 28 Apr 2020 14:50:59 -0000
> > @@ -223,10 +223,6 @@ const struct ipsec_xf groupxfs[] = {
> >     { "grp1",               IKEV2_XFORMDH_MODP_768 },
> >     { "modp1024",           IKEV2_XFORMDH_MODP_1024 },
> >     { "grp2",               IKEV2_XFORMDH_MODP_1024 },
> > -   { "ec2n155",            IKEV2_XFORMDH_EC2N_155 },
> > -   { "grp3",               IKEV2_XFORMDH_EC2N_155 },
> > -   { "ec2n185",            IKEV2_XFORMDH_EC2N_185 },
> > -   { "grp4",               IKEV2_XFORMDH_EC2N_185 },
> >     { "modp1536",           IKEV2_XFORMDH_MODP_1536 },
> >     { "grp5",               IKEV2_XFORMDH_MODP_1536 },
> >     { "modp2048",           IKEV2_XFORMDH_MODP_2048 },
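Review bot: once `ec2n155`, `grp3`, `ec2n185` and `grp4` are dropped from `groupxfs[]`, an existing iked.conf that names any of them will no longer be accepted. If this goes in before release as discussed, the upgrade note needs to land with it; consider also having the parser recognise the four old names just long enough to print a message saying the EC2N groups were removed, so the failure is self-explanatory.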
> > 
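The pre-upgrade check implied by the upgrade note, as an added example that is not part of the original thread or of iked: a POSIX shell function that flags group names in an iked.conf using the classification given in the thread. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the iked tree. Classification follows the thread:
# ec2n155/ec2n185 (grp3/grp4) removed, modp768 (grp1) insecure,
# modp1024 (grp2) and modp1536 (grp5) weak.

# audit_iked_groups FILE
# Prints "line:name:verdict" for each flagged name that follows a "group"
# keyword. Exit status is 1 if anything was flagged, 0 otherwise.
audit_iked_groups() {
	awk '
	function mark(list, v,    a, n, k) {
		n = split(list, a, " ")
		for (k = 1; k <= n; k++) verdict[a[k]] = v
	}
	BEGIN {
		mark("ec2n155 ec2n185 grp3 grp4", "removed")
		mark("modp768 grp1", "insecure")
		mark("modp1024 grp2 modp1536 grp5", "weak")
	}
	{
		sub(/#.*/, "")          # strip comments (a "#" inside a quoted string also cuts the line)
		sub(/\\[ \t]*$/, "")    # strip line continuation so "group" can carry over
		for (i = 1; i <= NF; i++) {
			if (prev == "group" && ($i in verdict)) {
				printf "%d:%s:%s\n", NR, $i, verdict[$i]
				bad = 1
			}
			prev = $i
		}
	}
	END { exit bad + 0 }' "$1"
}

# Constructed sample configuration (illustrative only, not from the thread).
sample_conf() {
	cat <<'EOF'
# site-to-site tunnels
ikev2 "legacy" passive esp from 10.0.0.0/24 to 10.0.1.0/24 \
    peer 192.0.2.10 \
    ikesa enc aes-128 group ec2n185 group modp1024 \
    childsa enc aes-128 group grp1
ikev2 "modern" active esp from 10.0.2.0/24 to 10.0.3.0/24 \
    peer 192.0.2.20 \
    ikesa enc aes-256 group curve25519   # was: group grp3
EOF
}
```

Run it as `audit_iked_groups /etc/iked.conf`; a non-zero exit status means at least one policy still names a removed, insecure or weak group.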
