From owner-freebsd-net@freebsd.org Tue Jul 28 00:57:31 2015 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DA38D9ABAC4; Tue, 28 Jul 2015 00:57:31 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "gold.funkthat.com", Issuer "gold.funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id BD86DDAF; Tue, 28 Jul 2015 00:57:31 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.14.5/8.14.5) with ESMTP id t6S0vUQD075299 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 27 Jul 2015 17:57:30 -0700 (PDT) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.14.5/8.14.5/Submit) id t6S0vUdG075298; Mon, 27 Jul 2015 17:57:30 -0700 (PDT) (envelope-from jmg) Date: Mon, 27 Jul 2015 17:57:30 -0700 From: John-Mark Gurney To: freebsd-security@FreeBSD.org, freebsd-net@FreeBSD.org Subject: remove IPsec SKIPJACK support... Message-ID: <20150728005730.GL78154@funkthat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Mon, 27 Jul 2015 17:57:30 -0700 (PDT) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2015 00:57:32 -0000 Upon doing some investigation, I have found that the SKIPJACK IPsec encryption mode was never standardized. It was a draft[1] back in 1999, but never made into an offical RFC, and IANA nor IETF never assigned an offical number for the mode. Skipjack is also a very weak cipher[2]. The largest key it supports is 80bits, which is really too weak for modern usage. FreeBSD's setkey doesn't support manually keying skipjack, so this means it depends upon a daemon to configure it. It looks like NetBSD has it at the same value (250) as FreeBSD, but OpenBSD has it at 249. So there may be interoperability issues with it. I would like to remove it from HEAD immediately as I don't see a use for it. Some time ago I proposed removing Skipjack from the OCF in 12, but personally, now that I think about how long 12 is, we deprecate these sooner rather than later. P.S. If you want to keep this mode, you have to say you are currently using the mode and include a working sample config. Thanks. [1] https://tools.ietf.org/html/draft-ietf-ipsec-skipjack-cbc-00 [2] https://en.wikipedia.org/wiki/Skipjack_(cipher) -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."