Project

General

Profile

Actions

Todo #13648

closed

Remove deprecated IPsec algorithms (3DES, Blowfish, and CAST 128 encryption; MD5 HMAC/Hashing)

Added by Jim Pingle about 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default

Description

FreeBSD removed support for several obsolete ciphers from its IPsec stack. See https://cgit.freebsd.org/src/commit/?id=16aabb761c0a8e5fb120594fcce4f2bf79fad61e

The relevant removed entries appear to be

  • 3DES
  • Blowfish
  • Cast128
  • MD5 HMAC authentication.

We need to remove these from the the IPsec GUI and add upgrade code to disable any tunnels using them and document this removal for users.

NOTE: The MD5 variants removed here should not affect FRR/BGP. From the look of the FreeBSD source code, tcp-md5 remains in place and that's what is used by FRR.

These changes are mostly implemented now by Kristof, from MR https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/915 (f9cfd6bc0c3674382a87fe07ba00a3a5365c1744, ee9bbad1ce23989515dfb061ef087180c0514cb8, 807e91174169614c7f5402d66de88f924a48febd)

In addition to the current code, I'm going to try a more fine-grained approach where instead of disabling entire entries it only disables or skips entries with deprecated ciphers. If there are none left, then the whole P1/P2 can be disabled. This would be smoother for the user since they may need the IPsec tunnel to manage the router and it may not actually be using the outdated ciphers.

What we have in place is good enough for a start, though, I'll work on refining it and see how that goes.


Related issues

Related to Feature #13647: Support for ChaCha20-Poly1305 encryption with IPsecResolvedKristof Provost

Actions
Actions

Also available in: Atom PDF