On 2020/04/28 01:09, Tobias Heider wrote:
> Hi,
> 
> the EC2N family of curves have been marked as insecure for at least 10 years.
> In fact, IANA has stopped listing them altogether [1].
> Their former IDs are now 'reserved'.
> 
> I think it's time for us to drop them as well.
> 
> ok?

I agree with dropping them. Timing-wise perhaps it's better to do it
after release (possible text for upgrade notes below); OTOH probably
nobody really uses ec2n so it's not all that likely to hurt users (we
can use similar text but say "prior to upgrade, add alternative groups
[...]" instead).

  "The insecure ec2n D-H groups will be removed from iked in the next
  release; if you are using these, add alternative groups to ikesa/childsa
  in iked.conf, then you can move clients across one by one and remove
  the ec2n groups in advance of 6.8.

  While removal of other groups is not imminent, some are considered
  insecure (768-bit MODP, group 1) or weak (1024- and 1536-bit MODP,
  groups 2 and 5). Prefer curve25519, an ECP group of 256 bits or
  more, or a MODP group of 2048 bits or more."

> Index: iked.conf.5
> ===================================================================
> RCS file: /cvs/src/sbin/iked/iked.conf.5,v
> retrieving revision 1.66
> diff -u -p -r1.66 iked.conf.5
> --- iked.conf.5       27 Apr 2020 22:40:09 -0000      1.66
> +++ iked.conf.5       27 Apr 2020 22:58:24 -0000
> @@ -909,8 +909,6 @@ keyword:
>  .It Em Name Ta Em Group Ta Em Size Ta Em Type
>  .It Li modp768 Ta grp1 Ta 768 Ta "MODP"
>  .It Li modp1024 Ta grp2 Ta 1024 Ta "MODP"

   .It Li modp768 Ta grp1 Ta 768 Ta "MODP" [insecure]
   .It Li modp1024 Ta grp2 Ta 1024 Ta "MODP" [weak]

> -.It Li ec2n155 Ta grp3 Ta 155 Ta "EC2N [insecure]"
> -.It Li ec2n185 Ta grp4 Ta 185 Ta "EC2N [insecure]"
>  .It Li modp1536 Ta grp5 Ta 1536 Ta "MODP"

   .It Li modp1536 Ta grp5 Ta 1536 Ta "MODP" [weak]

I guess we should sprinkle some other weak/insecure in the manual
too but this is a start.

>  .It Li modp2048 Ta grp14 Ta 2048 Ta "MODP"
>  .It Li modp3072 Ta grp15 Ta 3072 Ta "MODP"
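Review bot: with the ec2n155 and ec2n185 rows removed, the table goes from grp2 straight to grp5 and nothing in the hunk explains the gap. A reader who meets group 3 or 4 in a peer's proposal or in an older iked.conf will find no entry for it; consider one sentence next to the table saying that groups 3 and 4 (the former EC2N groups) are no longer supported.
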
> @@ -931,11 +929,8 @@ keyword:
>  .Pp
>  The currently supported group types are either
>  MODP (exponentiation groups modulo a prime),
> -EC2N (elliptic curve groups over GF[2^N]),
>  ECP (elliptic curve groups modulo a prime),
>  or Curve25519.
> -Please note that the EC2N groups are considered as insecure and only
> -provided for backwards compatibility.
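Review bot: deleting the two "Please note" lines after "or Curve25519." removes the only security caveat in this paragraph, while the table in the previous hunk still lists modp768, modp1024 and modp1536 with no marker at all. Suggest replacing the sentence rather than dropping it, so the paragraph still tells readers which of the remaining groups to avoid.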

   Please note that MODP groups of less than 2048 bits are considered
   as weak or insecure (see RFC 8247 section 2.4) and only provided for
   backwards compatibility.

> --- dh.h      27 Oct 2017 14:26:35 -0000      1.11
> +++ dh.h      27 Apr 2020 22:58:24 -0000
> @@ -21,7 +21,6 @@
>  
>  enum group_type {
>       GROUP_MODP              = 0,
> -     GROUP_EC2N              = 1,
>       GROUP_ECP               = 2,
>       GROUP_CURVE25519        = 3
>  };
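Review bot: removing "GROUP_EC2N = 1" leaves "GROUP_ECP = 2" and "GROUP_CURVE25519 = 3" with an unexplained hole in enum group_type. Either add a short comment at the gap saying that value 1 was EC2N and is retired, or renumber; if renumbering, first check that nothing outside this hunk relies on the numeric values.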

Should the others be renumbered so that somebody looking later doesn't
have to figure out why there's a gap?
