From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Mon, 3 Jan 2011 11:07:11 +0100
Subject: IPsec: HMAC_SHA2 and RFC 4868....
Message-ID: <20110103100711.GA65026@zeninc.net>

Hi all.

Actually, FreeBSD's support of HMAC_SHA2 is NOT RFC 4868 compliant: it uses the first 96 bits of the hash (which was specified by the first versions of the draft), whereas the RFC says we MUST use half of the SHA2 hash.

I have a patch which is almost ready to be committed to fix RFC 4868 interoperability (so interoperability with recent Linux / OpenBSD stacks)....... but which will break interoperability with actual FreeBSD stacks, NetBSD's ones (still not checked, but I'll commit also soon on NetBSD if the patch applies quickly), and probably other broken implementations.

It is NOT possible to have a very smart system which will set up HMAC_SHA2 support by peer, as there is no way to check during negotiation if peers have the RFC compliant implementation or not.

We may implement a sysctl token to switch from the old implementation to the RFC compliant one, but this would apply on the whole system, so for ALL IPsec peers!

Oh, and I'll have quite no time available to do some strange hacks to enhance interoperability with the old (well, actual....) implementation, as we never used the non RFC compliant version at my work.....

So, my first question is: do some people use HMAC_SHA2 for IPsec phase 2 on their FreeBSD gates ???

If there are (almost) no real world uses of the actual code, the simplest, cleanest (and already done by Linux/OpenBSD) way to deal with that is to just commit RFC compliant code, and let people who may want older code play with SVN and get the reverse patch.....

Last information: MFC is quite trivial, at least up to FreeBSD 6.x.

Yvan.
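
The truncation mismatch described in the message above, as an added example that is not part of the original e-mail and is not FreeBSD code. It assumes a simplified packet layout (authenticated bytes followed directly by the ICV); the mode names, key and payload are constructed for illustration.

```python
import hashlib
import hmac

# ICV lengths in bytes. "rfc4868" is half the digest, as RFC 4868 requires;
# "draft96" is the 96-bit truncation the message attributes to the early draft.
ICV_LEN = {
    "sha256": {"draft96": 12, "rfc4868": 16},
    "sha384": {"draft96": 12, "rfc4868": 24},
    "sha512": {"draft96": 12, "rfc4868": 32},
}

def icv(alg, key, data, mode):
    """Return the truncated HMAC used as the integrity check value."""
    return hmac.new(key, data, alg).digest()[:ICV_LEN[alg][mode]]

def protect(alg, key, payload, mode):
    """Sender side: append the ICV to the authenticated bytes."""
    return payload + icv(alg, key, payload, mode)

def verify(alg, key, packet, mode):
    """Receiver side: split off the ICV at the length this stack expects."""
    n = ICV_LEN[alg][mode]
    if len(packet) <= n:
        return False
    body, tag = packet[:-n], packet[-n:]
    return hmac.compare_digest(tag, icv(alg, key, body, mode))

def interop_matrix(alg, key, payload):
    """Map (sender mode, receiver mode) -> whether the packet is accepted."""
    modes = ("draft96", "rfc4868")
    return {(s, r): verify(alg, key, protect(alg, key, payload, s), r)
            for s in modes for r in modes}

# Constructed sample key and payload, for illustration only.
KEY = bytes(range(32))
PAYLOAD = b"constructed ESP payload bytes"

if __name__ == "__main__":
    for alg in ICV_LEN:
        for pair, ok in interop_matrix(alg, KEY, PAYLOAD).items():
            print(alg, pair, "accepted" if ok else "dropped")
```

The 96-bit value is a prefix of the RFC 4868 value, but the receiver splits the packet at its own expected ICV length, so mixed pairs fail authentication in both directions even with identical keys.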