
AES-GCM algorithms in IPSEC do not need hash
Closed, Wontfix | Public | ENHANCEMENT

Description

The AES-GCM algorithm family for IPSEC does not require authentication (i.e. a hash), since authentication is part of the GCM scheme. However, when setting set vpn ipsec ike-group ... proposal ... or set vpn ipsec esp-group ... proposal ... and hash is not specified, it defaults to sha1 and is added automatically. This is rather misleading.

A more appropriate solution would be:

  1. To not provide any default if hash is not specified.
  2. Configuration validation should fail to commit if GCM mode (or any other authenticated algorithm) AND a hash are specified together. And the logic should be reversed for when CBC (or similar) algorithms are specified but no hash has been provided.

Details

Version
-
Is it a breaking change?
Stricter validation
Issue type
Unspecified (please specify)
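
The two validation rules proposed in the description, written out as an added Python sketch (not VyOS code and not part of the original task). The AEAD name pattern, the function names and the sample proposals are assumptions made for illustration.

```python
import re

# Assumption: a cipher is treated as AEAD when its name contains one of
# these markers (GCM, CCM, ChaCha20-Poly1305). Extend as needed.
AEAD_PATTERN = re.compile(r"gcm|ccm|chacha20poly1305")


def is_aead(cipher):
    """True if the cipher name denotes an authenticated (AEAD) algorithm."""
    return bool(AEAD_PATTERN.search(cipher.lower()))


def validate_proposals(group_name, proposals):
    """Return a list of commit errors for one ike-group or esp-group.

    proposals maps proposal number -> {"encryption": str, "hash": str}.
    No default hash is filled in: a missing key means "not specified".
    """
    errors = []
    for number, proposal in sorted(proposals.items()):
        cipher = proposal.get("encryption")
        digest = proposal.get("hash")
        where = f"{group_name} proposal {number}"
        if cipher is None:
            errors.append(f"{where}: encryption is not set")
        elif is_aead(cipher) and digest is not None:
            # Rule 2, first half: AEAD cipher together with a hash.
            errors.append(f"{where}: {cipher} is authenticated, remove hash {digest}")
        elif not is_aead(cipher) and digest is None:
            # Rule 2, reversed: CBC-style cipher without a hash.
            errors.append(f"{where}: {cipher} requires a hash")
    return errors


# Constructed sample proposals, not taken from a real configuration.
SAMPLE_ESP_GROUP = {
    1: {"encryption": "aes256gcm128"},                  # accepted
    2: {"encryption": "aes256gcm128", "hash": "sha1"},  # rejected
    3: {"encryption": "aes256"},                        # rejected
    4: {"encryption": "aes256", "hash": "sha256"},      # accepted
}

if __name__ == "__main__":
    for line in validate_proposals("esp-group ESP-A", SAMPLE_ESP_GROUP):
        print(line)
```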

Event Timeline

dtoux updated the task description.
dtoux claimed this task.

It seems that, even though this is technically true, strongSwan seems to require a hash for negotiation. So, it is probably better not to rock the boat.