[OmniOS-discuss] Logjam & IKE
danmcd at omniti.com
Wed May 20 12:44:57 UTC 2015
Security researchers published this recently:
This note (which should be forwarded to other illumos interest lists) briefly discusses how logjam affects the closed-source in.iked.
IKE can use one of many Diffie-Hellman groups both for establishing IKE's own security, and ALSO optionally for generating IPsec keying material. The former is specified by the "oakley_group", and the latter by the "p2_pfs" keyword. Now the ike.config(4) man page was recently updated to reflect the full range of available choices. I did discover (and sorry Eric for not catching this in code review) that p2_pfs accepts the same choices as the now-updated oakley_group parameter does. They follow, with markings around which ones I'd deprecate, and which ones I have naive questions about, were in.iked & libike.so open-source:
The Oakley Diffie-Hellman group used for IKE SA key derivation.
The group numbers are defined in RFC 2409, Appendix A, RFC
3526, and RFC 5114, section 3.2. Acceptable values are
1 (MODP 768-bit) ****** DO NOT USE ******
2 (MODP 1024-bit) ****** DO NOT USE ******
3 (EC2N 155-bit) ****** NOT SURE ******
4 (EC2N 185-bit) ****** NOT SURE ******
5 (MODP 1536-bit)
14 (MODP 2048-bit)
15 (MODP 3072-bit)
16 (MODP 4096-bit)
17 (MODP 6144-bit)
18 (MODP 8192-bit)
19 (ECP 256-bit)
20 (ECP 384-bit)
21 (ECP 521-bit)
22 (MODP 1024-bit, with 160-bit Prime Order Subgroup) ***** NOT SURE, but more sure than 1-4 *****
23 (MODP 2048-bit, with 224-bit Prime Order Subgroup)
24 (MODP 2048-bit, with 256-bit Prime Order Subgroup)
25 (ECP 192-bit)
26 (ECP 224-bit)
I don't think anyone in the audience who uses IPsec & IKE uses groups 1-4 anymore anyway (people who remember punchin from Sun should know I never/rarely accepted anything less than group 5).
IF you happen to be using Oakley groups 1-4, STOP. Had I access to the source, I'd compile these right out and set a flag day.
BTW, if you are using or providing SSL services, I'd highly recommend configuring them to avoid the weak DH groups mentioned in the URL above as well.
Dan McDonald -- OmniOS Engineering
p.s. I'm travelling today, so I won't be replying to mail until tonight at the earliest.
More information about the OmniOS-discuss