Bug 201853 - insecure aggressive mode is preferred against more secure main mode in generated configuration
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: initscripts
Version: 4.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Blocks: 475337

Reported: 2006-08-09 10:10 EDT by Peter Bieringer
Modified: 2014-03-16 23:01 EDT
Doc Type: Bug Fix
Last Closed: 2008-12-08 16:56:45 EST

Attachments
patch which adds support for some more IPsec parameters (1.84 KB, patch)
2006-08-10 05:48 EDT, Peter Bieringer
patch which adds support for some more IPsec parameters #2 (1.99 KB, text/x-patch)
2006-08-10 06:01 EDT, Peter Bieringer

Description Peter Bieringer 2006-08-09 10:10:46 EDT
Description of problem:

In the peer configuration created by ifup-ipsec, insecure aggressive mode is preferred
over more secure main mode.

Version-Release number of selected component (if applicable):
ipsec-tools-0.3.3-6.rhel4.1 (RHEL)
ipsec-tools-0.6.4-1.1 (FC5)

How reproducible:
Always


Steps to Reproduce:
1. Create /etc/sysconfig/network-scripts/ifcfg-ipsec0 like

SRC=192.0.2.1
DST=192.0.2.2
TYPE=IPSEC

IKE_METHOD=PSK
IKE_PSK=secret

2. ifup ipsec0



Actual results:

remote 192.0.2.2
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}



Expected results:

remote 192.0.2.2
{
        exchange_mode main, aggressive;
...

Additional info:

Any good reason why the order is "aggressive, main"?

If 2 hosts are now using the same setup scripts (e.g. both are RH powered),
aggressive mode would be used.


Also it would be good if this can be controlled by a configuration parameter, e.g.

IKE_MODE=aggressive|main|any
Comment 1 Peter Bieringer 2006-08-09 11:45:55 EDT
BTW: would be great if other parameters would also be optionally configurable, e.g.
 - dh_group (2 = 1024 is also not as secure as the upper ones).
 - lifetime

Note also that for automatic keying, neither AH nor ESP can be selected for
phase 2 (IPsec negotiation) and will always default to "sha1" and "3des-cbc".

The topology part is completely missing in the configuration, like:

# host-to-host
sainfo address 192.0.1.1 any address 192.0.1.2 any
{
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5 ;
        compression_algorithm deflate ;
}
Comment 2 Bill Nottingham 2006-08-09 11:48:26 EDT
It's done to decrease connection overhead; I can see making it a configuration
parameter. However, I suspect the more complex of an ipsec configuration you
have, the more likely it is that you should just edit racoon.conf directly.
Comment 3 Peter Bieringer 2006-08-09 11:55:22 EDT
Hmm, at least phase 2 should be supported in some way. Problem is, if I apply
changes to the file 192.0.2.1.conf directly, they are overwritten if
ifcfg-ipsec0 is changed.

And if I set up my own racoon.conf file, I run into the problem that there is no
standalone start script provided for racoon - and as I had to learn from
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136901 this is a feature
and not a bug...
Comment 4 Peter Bieringer 2006-08-10 05:48:53 EDT
Created attachment 133921
patch which adds support for some more IPsec parameters

The following variables are now supported (and shown with an example):

IKE_EXCHANGE_MODE=main
IKE_DH_GROUP=5
IPSEC_ESP_PROTO=aes128
IPSEC_AH_PROTO=hmac_sha1
IPSEC_LIFETIME="1 hour"
IPSEC_PFS_GROUP=5
Comment 5 Peter Bieringer 2006-08-10 05:59:50 EDT
Some forgotten comments:
- patch is successfully tested in host-to-host mode, can't currently test for
net-to-net mode

- patch also contains a fix that prevents creation of dedicated conf file with
standard umask permissions 0644, it reduces this to 0600 like racoon.conf has set

- if none of the newly introduced parameters are given, still a topology would be
created. This was shown as compatible here to a still unpatched ifup-ipsec file.
But for clean backward compatibility, I will now provide a new version which
explicitly only creates topology, if one or more newly introduced IPSEC* parameters
are given.
Comment 6 Peter Bieringer 2006-08-10 06:01:04 EDT
Created attachment 133924
patch which adds support for some more IPsec parameters #2
Comment 7 Bill Nottingham 2008-12-08 16:56:45 EST
This is unlikely to change for RHEL 4 at this point. I'm cloning this bug for the development stream.
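
Added example, not part of the bug report or of initscripts: a shell check that flags the settings raised in the description, comment 1 and comment 5 (aggressive listed first in exchange_mode, which is the mode racoon uses when it initiates; dh_group 2; a peer file readable beyond its owner). The function names audit_racoon_conf and write_sample_conf are hypothetical, and the sample input is the peer file quoted under "Actual results".

```sh
#!/bin/sh
# Added example (not from the bug or from initscripts): audit racoon peer files.
# Prints one finding per line for every file given as an argument.
audit_racoon_conf() {
    for f in "$@"; do
        # Comment 5: the generated peer file should be 0600 like racoon.conf, not 0644.
        if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
            echo "$f: readable by group or others"
        fi
        awk '
            { sub(/#.*/, "") }                       # drop comments
            # A top-level statement names the block that follows (remote, sainfo, ...)
            depth == 0 && NF && $1 != "{" { kind = $1; peer = $2 }
            kind == "remote" && $1 == "exchange_mode" {
                first = $2; gsub(/[,;]/, "", first)  # first listed mode is used as initiator
                if (first == "aggressive")
                    printf "%s: remote %s: aggressive mode is proposed first\n", FILENAME, peer
            }
            kind == "remote" && $1 == "dh_group" {
                grp = $2; gsub(/;/, "", grp)
                if (grp == "1" || grp == "2" || grp == "modp768" || grp == "modp1024")
                    printf "%s: remote %s: dh_group %s (1024 bits or less)\n", FILENAME, peer, grp
            }
            { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }   # track nested braces
        ' "$f"
    done
}

# Sample input: the peer file shown under "Actual results" in the description.
write_sample_conf() {
    cat > "$1" <<'EOF'
remote 192.0.2.2
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2 ;
        }
}
EOF
}

tmp=$(mktemp) && write_sample_conf "$tmp" && chmod 644 "$tmp"
audit_racoon_conf "$tmp"
rm -f "$tmp"
```

Run against the generated files with audit_racoon_conf followed by their paths; a file with "exchange_mode main, aggressive;", dh_group 5 and mode 0600 produces no output.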