On Thu, Apr 30, 2020 at 09:33:28PM +0100, Stuart Henderson wrote:
> On 2020/04/30 20:11, Tobias Heider wrote:
> > Hi,
> >
> > I would like to modernize our crypto defaults a bit and add some of the
> > supported ECDH Diffie-Hellman groups to the default IKE crypto proposal.
> > There should be no downside to this, if they are not supported by the
> > other side one of the old MODP groups will be used.
> >
> > The same for AEADs in the ESP proposal. We have support for AES-GCM
> > and CHACHA20 for some time now but they never made it into the
> > defaults.
> >
> > ok?
>
> ok to add them.
On second thought I would actually only add the ECDH groups for now. For AEADs we would probably need a bit more boilerplate because they would have to be sent in a second proposal without the AUTH transforms and that can wait until after the release.

> I'm really tempted to suggest dropping the worst of the rest from default
> transforms, users can still re-add them if needed. Not sure if that's a now
> thing or a post unlock thing though.
>
> I was going to experiment some more (in particular to see what Windows
> comes up with by default nowadays) but the only box I'm running iked on
> that isn't going to interrupt other VPN users, is also running bgpd and
> I just discovered the hard way that starting iked clears out existing
> tcpmd5 SAs so I'm not going to touch that right now ;)
>

According to the strongswan website [1] the Windows defaults should be: 128-CBC, AES-192-CBC, AES-256-CBC, 3DES, SHA-1, SHA-256, SHA-384 and MODP-1024. If this is true we could actually drop 3DES and HMAC-SHA1-96, which would be great. MODP-1024 as the only Diffie-Hellman group however is already the weakest group we offer (and if not for windows I would gladly drop it as well).

[1] https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
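For readers who do not want to depend on whichever defaults the release ships, an iked.conf(5) policy that pins the kind of proposal the thread is about (an ECDH group for the IKE SA, an AEAD for the child SA with no separate AUTH transform). This is an added example, not part of the thread or the committed change; the policy name, addresses and identities are constructed placeholders.

```conf
# Constructed example (not from the thread): pin a modern proposal so the
# negotiated algorithms do not depend on iked's built-in defaults.
#
# ikesa:   AES-256-CBC, HMAC-SHA2-256 for PRF and integrity, and the ECDH
#          group ecp256. 3DES, HMAC-SHA1-96 and MODP-1024 are deliberately
#          not offered, so a peer that only speaks the Windows defaults
#          listed above (3DES/SHA-1/MODP-1024) will fail to negotiate
#          rather than silently fall back to them.
# childsa: AES-256-GCM is an AEAD and provides integrity itself, which is
#          why no "auth" transform appears on that line; this is the
#          "proposal without the AUTH transforms" mentioned in the reply.
ikev2 "modern-tunnel" active esp \
        from 10.0.1.0/24 to 10.0.2.0/24 \
        peer 192.0.2.1 \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group ecp256 \
        childsa enc aes-256-gcm \
        srcid vpn-a.example.com dstid vpn-b.example.com \
        ikelifetime 8h lifetime 1h
```

Check the negotiated transforms with `ikectl show sa` after the tunnel comes up; a peer that ignores the child SA AEAD proposal will show up there as a failed or missing child SA rather than a downgraded one.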
