Bug 1077641
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Cisco 2811 & OpenSWAN SHA256 truncate bug | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Joe Madden <joe.madden> |
| Component: | openswan | Assignee: | Paul Wouters <pwouters> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.5 | CC: | joe.madden |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-03-18 19:36:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Joe Madden
2014-03-18 10:49:56 UTC
Interesting, that seems to indicate that the remote Cisco also implements a draft version of the SHA2-256 truncation instead of the final RFC version. It would be good to have the Cisco firmware version for documentation purposes. Regardless, you already fixed the problem. The sha2_truncbug=yes option tells the kernel to use the broken non-RFC truncation to interop with the broken device. So I am not sure why you are reporting this as an openswan bug?

From the man page:

    sha2_truncbug
        The default hash truncation for sha2_256 is 128 bits. Linux implemented the draft version which stated 96 bits. This option enables using the bad 96 bits version to interop with older linux kernels (unpatched version 2.6.33 and older) and openswan versions before 2.6.38. Currently the accepted values are no, (the default) signifying default IETF truncation of 128 bits, or yes, signifying 96 bits broken Linux kernel style truncation.

Hi there,

Sorry I jumped the gun raising this ticket but as of IOS 15.2(4)M5 proper SHA256_128 is not supported. They also have no plan for this to be fixed in IKEv1.

From: Madden, Joe
Sent: 18 March 2014 14:43
To: Patrick, David J; Patton, Eamonn J; Patton Eamonn (HA) (Eamonn.Patton.gov.uk)
Subject: FW: 629604779 : CISCO2911-SEC/K9 // Error message. No traffic flow

Stuck using 96bit! Looks like my hunch was right. Their VPN uses SHA2_256_96bit

Joe.

From: Suleiman Suleiman -X (sulsulei) [sulsulei]
Sent: 18 March 2014 14:35
To: Madden, Joe
Cc: attach
Subject: RE: 629604779 : CISCO2911-SEC/K9 // Error message. No traffic flow

Hi Joe,

I can see that RFC4868 is supported but only for IKEv2 and next generation routers, http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115730-flexvpn-suiteb-00.html

I cannot see any plans to add this for IKEv1 and first generation routers.

Waiting for your feedback

Suleiman

From: Madden, Joe [Joe.Madden]
Sent: Tuesday, March 18, 2014 4:16 PM
To: Suleiman Suleiman -X (sulsulei)
Cc: attach
Subject: RE: 629604779 : CISCO2911-SEC/K9 // Error message. No traffic flow

Hi Suleiman,

That’s fine, that clarifies why it does not work. However can you confirm if Cisco will ever properly implement RFC4868? As the HMAC-SHA-256-96 is not the correct standard.

Thanks

Joe.

From: Suleiman Suleiman -X (sulsulei) [sulsulei]
Sent: 18 March 2014 14:14
To: Madden, Joe
Cc: attach
Subject: RE: 629604779 : CISCO2911-SEC/K9 // Error message. No traffic flow

Hi Joe,

Exactly, I believe that this is the case here, our router is configured to use HMAC-SHA-256-96 while the openswan is using HMAC-SHA-256-128. Please let me know how you would like to proceed.

Thanks in advance

Suleiman

This can be closed now! Thanks for the vendor/firmware information
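The interop failure behind this report is the mismatch between the draft HMAC-SHA-256-96 truncation (what the IOS IKEv1 peer and old Linux kernels use, and what openswan's sha2_truncbug=yes selects) and the RFC 4868 HMAC-SHA-256-128 truncation (openswan's default). The following Python example is added here to illustrate that point; it is not code from the bug report or from openswan, and the key and packet bytes are constructed for illustration only. It computes both truncations over the same authenticated data and shows that a packet verifies only when sender and receiver agree on the ICV length, which is why traffic was dropped until the option was set:

```python
import hmac
import hashlib

# Truncation lengths at issue in this report: how many bits of HMAC-SHA-256
# are kept as the ESP Integrity Check Value (ICV).
RFC4868_BITS = 128   # HMAC-SHA-256-128: final RFC 4868 truncation, openswan default (sha2_truncbug=no)
DRAFT_BITS = 96      # HMAC-SHA-256-96: draft truncation used by unpatched Linux <= 2.6.33
                     # and, per this report, by the Cisco IOS IKEv1 peer (sha2_truncbug=yes)


def truncation_for_sha2_truncbug(setting: str) -> int:
    """Map an ipsec.conf sha2_truncbug value ('yes'/'no') to the ICV length in bits."""
    if setting == "no":
        return RFC4868_BITS
    if setting == "yes":
        return DRAFT_BITS
    raise ValueError(f"sha2_truncbug must be 'yes' or 'no', got {setting!r}")


def compute_icv(key: bytes, authenticated: bytes, bits: int) -> bytes:
    """Return the leftmost `bits` bits of HMAC-SHA-256(key, authenticated).

    Both the 96-bit and 128-bit variants are prefixes of the same full MAC;
    the only difference is how much of it is sent on the wire.
    """
    if bits % 8 or not 0 < bits <= 256:
        raise ValueError("bits must be a multiple of 8 between 8 and 256")
    full_mac = hmac.new(key, authenticated, hashlib.sha256).digest()
    return full_mac[: bits // 8]


def receiver_accepts(key: bytes, authenticated: bytes, received_icv: bytes, receiver_bits: int) -> bool:
    """Receiver side: recompute the ICV at its own configured length and compare
    in constant time. A length mismatch alone is enough for verification to fail."""
    expected = compute_icv(key, authenticated, receiver_bits)
    return hmac.compare_digest(expected, received_icv)


def interop_matrix(key: bytes, authenticated: bytes) -> dict:
    """For each (sender_bits, receiver_bits) pairing, report whether the packet verifies."""
    matrix = {}
    for sender_bits in (DRAFT_BITS, RFC4868_BITS):
        sent_icv = compute_icv(key, authenticated, sender_bits)
        for receiver_bits in (DRAFT_BITS, RFC4868_BITS):
            matrix[(sender_bits, receiver_bits)] = receiver_accepts(
                key, authenticated, sent_icv, receiver_bits
            )
    return matrix


# Constructed sample values (not real SA keying material): a 32-byte integrity
# key and a stand-in for the ESP header plus ciphertext that the ICV covers.
SAMPLE_KEY = bytes(range(32))
SAMPLE_PACKET = b"ESP-header+ciphertext (constructed for illustration)"

if __name__ == "__main__":
    for (sender, receiver), ok in sorted(interop_matrix(SAMPLE_KEY, SAMPLE_PACKET).items()):
        verdict = "OK" if ok else "ICV mismatch, packet dropped"
        print(f"sender HMAC-SHA-256-{sender:<3} -> receiver expects {receiver:<3} bits: {verdict}")
```

The off-diagonal cases are the ones this ticket hit: a peer sending 96-bit ICVs to an openswan host expecting 128-bit ones (or the reverse) fails integrity checking on every packet, so the SA establishes but no traffic flows. In real ESP the receiver also locates the ICV by stripping a fixed number of trailing bytes, so the length disagreement additionally shifts the ciphertext boundary; the example models only the ICV comparison. Setting sha2_truncbug=yes moves the openswan side onto the 96-bit row and column so that it matches the IOS peer; the option should be set only for the connection to that peer, since it trades RFC 4868 behaviour for interoperability.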