Date: Mon, 27 Jul 2015 17:57:30 -0700 From: John-Mark Gurney <jmg@funkthat.com> To: freebsd-security@FreeBSD.org, freebsd-net@FreeBSD.org Subject: remove IPsec SKIPJACK support... Message-ID: <20150728005730.GL78154@funkthat.com>
next in thread | raw e-mail | index | archive | help
Upon doing some investigation, I have found that the SKIPJACK IPsec encryption mode was never standardized. It was a draft[1] back in 1999, but never made into an offical RFC, and IANA nor IETF never assigned an offical number for the mode. Skipjack is also a very weak cipher[2]. The largest key it supports is 80bits, which is really too weak for modern usage. FreeBSD's setkey doesn't support manually keying skipjack, so this means it depends upon a daemon to configure it. It looks like NetBSD has it at the same value (250) as FreeBSD, but OpenBSD has it at 249. So there may be interoperability issues with it. I would like to remove it from HEAD immediately as I don't see a use for it. Some time ago I proposed removing Skipjack from the OCF in 12, but personally, now that I think about how long 12 is, we deprecate these sooner rather than later. P.S. If you want to keep this mode, you have to say you are currently using the mode and include a working sample config. Thanks. [1] https://tools.ietf.org/html/draft-ietf-ipsec-skipjack-cbc-00 [2] https://en.wikipedia.org/wiki/Skipjack_(cipher) -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150728005730.GL78154>