Hi,
the list of default transform parameters for iked is rather small. In
practice that means that users will have to find out which parameters
the peer uses and then create a config with specific parameters. And
then another peer comes along that uses different settings and you bite
into your desk.
I think we should extend the list of default parameters that iked
accepts. First of all we should allow elliptic curve groups with at
least 256 bits, for the IKE SA and the Child SA. While there, maybe we
should allow the same DH Groups for both IKE SA and Child SA, which
should give us the ability to use PFS by default. I do think adding
higher bit integrity transforms and adding AES-GCM makes sense as well.
ok?
Patrick
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 708165a7808..7615d20f8c9 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -129,13 +129,20 @@ struct iked_transform ikev2_default_ike_transforms[] = {
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_3DES },
+ { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_512 },
+ { IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_384 },
{ IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA2_256 },
{ IKEV2_XFORMTYPE_PRF, IKEV2_XFORMPRF_HMAC_SHA1 },
+ { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
+ { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 },
{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 },
{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 },
{ 0 }
};
size_t ikev2_default_nike_transforms = ((sizeof(ikev2_default_ike_transforms) /
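Review bot: The three ECP groups are appended after `IKEV2_XFORMDH_MODP_1024`, while the new SHA2-512/384 PRF and integrity entries are inserted ahead of the existing ones. If list order is what iked treats as preference, which this hunk does not show, the 1024-bit MODP group still ranks above every elliptic curve group. Consider moving the ECP lines ahead of `{ IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 },`, or stating the intended order in a comment such as `/* within each transform type, entries are listed in order of preference */`. The same ordering appears in the DH lines added to ikev2_default_esp_transforms in the next hunk. The array starts above this hunk, so its first entries are not visible here.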
@@ -145,8 +152,19 @@ struct iked_transform ikev2_default_esp_transforms[] = {
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 256 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 192 },
{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_CBC, 128 },
+ { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 },
+ { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 192 },
+ { IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 128 },
+ { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_512_256 },
+ { IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_384_192 },
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA2_256_128 },
{ IKEV2_XFORMTYPE_INTEGR, IKEV2_XFORMAUTH_HMAC_SHA1_96 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_2048 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1536 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_MODP_1024 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_521 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_384 },
+ { IKEV2_XFORMTYPE_DH, IKEV2_XFORMDH_ECP_256 },
{ IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_ESN },
{ IKEV2_XFORMTYPE_ESN, IKEV2_XFORMESN_NONE },
{ 0 }
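Review bot: The `IKEV2_XFORMENCR_AES_GCM_16` entries land in the same table as the `IKEV2_XFORMTYPE_INTEGR` HMAC entries, but RFC 7296 section 3.3 requires a proposal offering a combined-mode cipher to carry no integrity transform (or only NONE), with AEAD and non-AEAD ciphers in separate proposals. If this table is emitted as a single ESP proposal, which the hunk does not show, a strict peer may reject it, or a negotiation could pair AES-GCM with an HMAC. The three lines from `{ IKEV2_XFORMTYPE_ENCR, IKEV2_XFORMENCR_AES_GCM_16, 256 },` to the 128-bit entry would be safer in a separate default proposal that has no INTEGR entries. Separately, the added DH entries should be checked against the IKE_AUTH exchange, where the first Child SA is created without a KE payload and RFC 7296 section 1.2 does not allow a DH transform other than NONE.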