From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 7 Jan 2022 18:36:47 -0500
Subject: [PATCH] ikev1-policy defaults to drop
|
IKEv2 has been available for 16 years (RFC 4306 was published December
2005). At some point, we should be discouraging IKEv1 adoption.
|
To the extent that a user needs IKEv1, they can manually add
ikev1-policy=accept to /etc/ipsec.conf.
---
configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
include/ipsecconf/keywords.h | 2 +-
lib/libipsecconf/confread.c | 1 +
programs/pluto/server.c | 5 -----
4 files changed, 6 insertions(+), 9 deletions(-)
|
diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
index 17d1747e3b..3bd6702564 100644
--- a/configs/d.ipsec.conf/ikev1-policy.xml
+++ b/configs/d.ipsec.conf/ikev1-policy.xml
@@ -3,9 +3,10 @@
<listitem>
<para>
What to do with received IKEv1 packets. Valid options are
-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
+<emphasis remap='B'>drop</emphasis> (default) which will silently drop
+any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
+<emphasis remap='B'>reject</emphasis> which will reply with an error.
+If this option is set to drop or reject, an attempt to load an
IKEv1 connection will fail, as these connections would never be able to receive a packet
for processing.
</para>
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 660847733c..31b519242a 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
|
KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
+ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
KBF_ROOF
};
|
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 5b5aba723f..68fbccf442 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
/* Don't inflict BSI requirements on everyone */
SOPT(KBF_SEEDBITS, 0);
SOPT(KBF_DROP_OPPO_NULL, false);
+ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
|
#ifdef HAVE_LABELED_IPSEC
SOPT(KBF_SECCTX, SECCTX);
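Review bot: The new line `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);` sits directly under the `/* Don't inflict BSI requirements on everyone */` comment, which explains the seedbits default above it and not this one, so the security rationale for the new default is undocumented at the point where it is set; a comment of its own such as `/* IKEv1 is legacy: drop its packets unless ikev1-policy=accept is configured explicitly */` would make the intent clear. Because a deployment that relied on the former accept default will now silently drop IKEv1 and fail to load IKEv1 connections, the change is worth calling out in release notes alongside the manual-page update in this patch. The `GLOBAL_IKEv1_DROP` constant is presumably declared in a header the file already includes, which cannot be confirmed from this hunk, and the five deletions the diffstat lists for `programs/pluto/server.c` are not shown here. `ipsecconf_default_values` starts before and continues past this hunk.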
--
2.34.1
|