diff options
author | John Baldwin <jhb@FreeBSD.org> | 2020-05-02 00:06:58 +0000 |
---|---|---|
committer | John Baldwin <jhb@FreeBSD.org> | 2020-05-02 00:06:58 +0000 |
commit | 16aabb761c0a8e5fb120594fcce4f2bf79fad61e (patch) | |
tree | 62f2c0af310c3243e51cf8133e1261cff87ecf2d /sbin/setkey/sample.cf | |
parent | 4d7e9134bb1f9745229a350b5a3014af64650012 (diff) | |
download | src-16aabb761c0a8e5fb120594fcce4f2bf79fad61e.tar.gz src-16aabb761c0a8e5fb120594fcce4f2bf79fad61e.zip |
Remove support for IPsec algorithms deprecated in r348205 and r360202.
Examples of depecrated algorithms in manual pages and sample configs
are updated where relevant. I removed the one example of combining
ESP and AH (vs using a cipher and auth in ESP) as RFC 8221 says this
combination is NOT RECOMMENDED.
Specifically, this removes support for the following ciphers:
- des-cbc
- 3des-cbc
- blowfish-cbc
- cast128-cbc
- des-deriv
- des-32iv
- camellia-cbc
This also removes support for the following authentication algorithms:
- hmac-md5
- keyed-md5
- keyed-sha1
- hmac-ripemd160
Reviewed by: cem, gnn (older verisons)
Relnotes: yes
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D24342
Notes
Notes:
svn path=/head/; revision=360557
Diffstat (limited to 'sbin/setkey/sample.cf')
-rw-r--r-- | sbin/setkey/sample.cf | 79 |
1 files changed, 32 insertions, 47 deletions
diff --git a/sbin/setkey/sample.cf b/sbin/setkey/sample.cf index c534fa10f1c4..2a3485cdcd14 100644 --- a/sbin/setkey/sample.cf +++ b/sbin/setkey/sample.cf @@ -34,9 +34,9 @@ # parameters when you configure by manual keying. # ESP transport mode is recommended for TCP port number 110 between -# Host-A and Host-B. Encryption algorithm is blowfish-cbc whose key -# is "kamekame", and authentication algorithm is hmac-sha1 whose key -# is "this is the test key". +# Host-A and Host-B. Encryption algorithm is aes-cbc whose key +# is "kamekamekamekamekamekamekamekame", and authentication algorithm is +# hmac-sha2-512 whose key is "this is the test key". # # ============ ESP ============ # | | @@ -50,17 +50,17 @@ spdadd fec0::11[110] fec0::10[any] tcp -P in ipsec esp/transport//use ; add fec0::10 fec0::11 esp 0x10001 -m transport - -E blowfish-cbc "kamekame" - -A hmac-sha1 "this is the test key" ; + -E aes-cbc "kamekamekamekamekamekamekamekame" + -A hmac-sha2-512 "this is the test key" ; add fec0::11 fec0::10 esp 0x10002 -m transport - -E blowfish-cbc "kamekame" - -A hmac-sha1 "this is the test key" ; + -E aes-cbc "kamekamekamekamekamekamekamekame" + -A hmac-sha2-512 "this is the test key" ; # "[any]" is wildcard of port number. Note that "[0]" is the number of # zero in port number. -# Security protocol is old AH tunnel mode, i.e. RFC1826, with keyed-md5 +# Security protocol is old AH tunnel mode, i.e. RFC1826, with hmac-sha2-256 # whose key is "this is the test" as authentication algorithm. # That protocol takes place between Gateway-A and Gateway-B. # @@ -76,10 +76,10 @@ spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec ah/tunnel/172.16.0.2-172.16.0.1/require ; add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m any - -A keyed-md5 "this is the test" ; + -A hmac-sha2-256 "this is the test" ; add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m any - -A keyed-md5 "this is the test" ; + -A hmac-sha2-256 "this is the test" ; # If port number field is omitted such above then "[any]" is employed. # -m specifies the mode of SA to be used. "-m any" means wildcard of @@ -93,15 +93,15 @@ spdadd 10.0.1.0/24 10.0.2.0/24 any -P in ipsec ah/tunnel/172.16.0.1-172.16.0.2/require ; add 172.16.0.1 172.16.0.2 ah-old 0x10003 -m tunnel - -A keyed-md5 "this is the test" ; + -A hmac-sha2-256 "this is the test" ; add 172.16.0.2 172.16.0.1 ah-old 0x10004 -m tunnel - -A keyed-md5 "this is the test" ; + -A hmac-sha2-256 "this is the test" ; # AH transport mode followed by ESP tunnel mode is required between # Gateway-A and Gateway-B. -# Encryption algorithm is 3des-cbc, and authentication algorithm for ESP -# is hmac-sha1. Authentication algorithm for AH is hmac-md5. +# Encryption algorithm is aes-cbc, and authentication algorithm for ESP +# is hmac-sha2-512. Authentication algorithm for AH is hmac-sha2-256. # # ========== AH ========= # | ======= ESP ===== | @@ -118,25 +118,25 @@ spdadd fec0:0:0:2::/64 fec0:0:0:1::/64 any -P in ipsec ah/transport//require ; add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10001 -m tunnel - -E 3des-cbc "kamekame12341234kame1234" - -A hmac-sha1 "this is the test key" ; + -E aes-cbc "kamekame12341234kamekame12341234" + -A hmac-sha2-512 "this is the test key" ; add fec0:0:0:1::1 fec0:0:0:2::1 ah 0x10001 -m transport - -A hmac-md5 "this is the test" ; + -A hmac-sha2-256 "this is the test" ; add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10001 -m tunnel - -E 3des-cbc "kamekame12341234kame1234" - -A hmac-sha1 "this is the test key" ; + -E aes-cbc "kamekame12341234kamekame12341234" + -A hmac-sha2-512 "this is the test key" ; add fec0:0:0:2::1 fec0:0:0:1::1 ah 0x10001 -m transport - -A hmac-md5 "this is the test" ; + -A hmac-sha2-256 "this is the test" ; # ESP tunnel mode is required between Host-A and Gateway-A. -# Encryption algorithm is cast128-cbc, and authentication algorithm -# for ESP is hmac-sha1. +# Encryption algorithm is aes-cbc, and authentication algorithm +# for ESP is hmac-sha2-256. # ESP transport mode is recommended between Host-A and Host-B. -# Encryption algorithm is rc5-cbc, and authentication algorithm -# for ESP is hmac-md5. +# Encryption algorithm is aes-ctr, and authentication algorithm +# for ESP is hmac-sha2-512. # # ================== ESP ================= # | ======= ESP ======= | @@ -153,18 +153,18 @@ spdadd fec0:0:0:2::1[80] fec0:0:0:1::1[any] tcp -P in ipsec esp/tunnel/fec0:0:0:2::1-fec0:0:0:1::1/require ; add fec0:0:0:1::1 fec0:0:0:2::2 esp 0x10001 -m transport - -E cast128-cbc "12341234" - -A hmac-sha1 "this is the test key" ; + -E aes-cbc "kamekame12341234kamekame12341234" + -A hmac-sha2-256 "this is the test key" ; add fec0:0:0:1::1 fec0:0:0:2::1 esp 0x10002 - -E rc5-cbc "kamekame" - -A hmac-md5 "this is the test" ; + -E aes-ctr "kamekame12341234kamekame12341234f00f" + -A hmac-sha2-512 "this is the test" ; add fec0:0:0:2::2 fec0:0:0:1::1 esp 0x10003 -m transport - -E cast128-cbc "12341234" - -A hmac-sha1 "this is the test key" ; + -E aes-cbc "kamekame12341234kamekame12341234" + -A hmac-sha2-256 "this is the test key" ; add fec0:0:0:2::1 fec0:0:0:1::1 esp 0x10004 - -E rc5-cbc "kamekame" - -A hmac-md5 "this is the test" ; + -E aes-ctr "kamekame12341234kamekame12341234f00f" + -A hmac-sha2-512 "this is the test" ; # By "get" command, you can get a entry of either SP or SA. get fec0:0:0:1::1 fec0:0:0:2::2 ah 0x10004 ; @@ -189,29 +189,14 @@ flush ah ; # XXX add ::1 ::1 esp 10001 -m transport -E null ; -add ::1 ::1 esp 10002 -m transport -E des-deriv "12341234" ; -add ::1 ::1 esp-old 10003 -m transport -E des-32iv "12341234" ; add ::1 ::1 esp 10004 -m transport -E null -A null ; -add ::1 ::1 esp 10005 -m transport -E null -A hmac-md5 "1234123412341234" ; add ::1 ::1 esp 10006 -m tunnel -E null -A hmac-sha1 "12341234123412341234" ; -add ::1 ::1 esp 10007 -m transport -E null -A keyed-md5 "1234123412341234" ; -add ::1 ::1 esp 10008 -m any -E null -A keyed-sha1 "12341234123412341234" ; -add ::1 ::1 esp 10009 -m transport -E des-cbc "testtest" ; -add ::1 ::1 esp 10010 -m transport -E 3des-cbc "testtest12341234testtest" ; -add ::1 ::1 esp 10011 -m tunnel -E cast128-cbc "testtest1234" ; -add ::1 ::1 esp 10012 -m tunnel -E blowfish-cbc "testtest1234" ; -add ::1 ::1 esp 10013 -m tunnel -E rc5-cbc "testtest1234" ; -add ::1 ::1 esp 10014 -m any -E rc5-cbc "testtest1234" ; add ::1 ::1 esp 10015 -m transport -f zero-pad -E null ; add ::1 ::1 esp 10016 -m tunnel -f random-pad -r 8 -lh 100 -ls 80 -E null ; add ::1 ::1 esp 10017 -m transport -f seq-pad -f nocyclic-seq -E null ; add ::1 ::1 esp 10018 -m transport -E null ; #add ::1 ::1 ah 20000 -m transport -A null ; -add ::1 ::1 ah 20001 -m any -A hmac-md5 "1234123412341234"; add ::1 ::1 ah 20002 -m tunnel -A hmac-sha1 "12341234123412341234"; -add ::1 ::1 ah 20003 -m transport -A keyed-md5 "1234123412341234"; -add ::1 ::1 ah-old 20004 -m transport -A keyed-md5 "1234123412341234"; -add ::1 ::1 ah 20005 -m transport -A keyed-sha1 "12341234123412341234"; #add ::1 ::1 ipcomp 30000 -C oui ; add ::1 ::1 ipcomp 30001 -C deflate ; #add ::1 ::1 ipcomp 30002 -C lzs ; |