From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 7 Jan 2022 18:36:47 -0500
Subject: [PATCH] ikev1-policy defaults to drop

IKEv2 has been available for 16 years (RFC 4306 was published December
2005).  At some point, we should be discouraging IKEv1 adoption.

To the extent that a user needs IKEv1, they can manually add
ikev1-policy=accept to /etc/ipsec.conf.
---
 configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
 include/ipsecconf/keywords.h          | 2 +-
 lib/libipsecconf/confread.c           | 1 +
 programs/pluto/server.c               | 5 -----
 4 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
index 17d1747e3b..3bd6702564 100644
--- a/configs/d.ipsec.conf/ikev1-policy.xml
+++ b/configs/d.ipsec.conf/ikev1-policy.xml
@@ -3,9 +3,10 @@
   <listitem>
 <para>
 What to do with received IKEv1 packets. Valid options are
-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
+<emphasis remap='B'>drop</emphasis> (default) which will silently drop
+any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
+<emphasis remap='B'>reject</emphasis> which will reply with an error.
+If this option is set to drop or reject, an attempt to load an
 IKEv1 connection will fail, as these connections would never be able to receive a packet
 for processing.
 </para>
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 660847733c..31b519242a 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
 
 	KBF_LISTEN_TCP,		/* listen on TCP port 4500 - default no */
 	KBF_LISTEN_UDP,		/* listen on UDP port 500/4500 - default yes */
-	KBF_GLOBAL_IKEv1,	/* global ikev1 policy - default accept */
+	KBF_GLOBAL_IKEv1,	/* global ikev1 policy - default drop */
 	KBF_ROOF
 };
 
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 5b5aba723f..68fbccf442 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
 	/* Don't inflict BSI requirements on everyone */
 	SOPT(KBF_SEEDBITS, 0);
 	SOPT(KBF_DROP_OPPO_NULL, false);
+	SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
 
 #ifdef HAVE_LABELED_IPSEC
 	SOPT(KBF_SECCTX, SECCTX);
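Review bot: The new `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);` line is placed between the seedbits and labeled-IPsec defaults with no comment, and it is the second place in this patch where the drop default is hard-coded (the other is `pluto_ikev1_pol` in programs/pluto/server.c), so the two defaults can silently diverge later. A short comment tying it to the user-facing knob would help, e.g. `/* IKEv1 is disabled by default; ikev1-policy=accept in ipsec.conf re-enables it (keep in sync with pluto_ikev1_pol) */`. The diffstat shows no include change for confread.c, so if `enum global_ikev1_policy` is not already visible in this file the new line will not compile; worth confirming. ipsecconf_default_values starts before and ends after this hunk.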
diff --git a/programs/pluto/server.c b/programs/pluto/server.c
index 665f0ed8b9..448dbca076 100644
--- a/programs/pluto/server.c
+++ b/programs/pluto/server.c
@@ -188,12 +188,7 @@ bool pluto_listen_tcp = false;
 enum ddos_mode pluto_ddos_mode = DDOS_AUTO; /* default to auto-detect */
 
 enum global_ikev1_policy pluto_ikev1_pol =
-#ifdef USE_IKEv1
-	 GLOBAL_IKEv1_ACCEPT;
-#else
-	/* there is no IKEv1 code compiled in to send a REJECT */
 	GLOBAL_IKEv1_DROP;
-#endif
 
 #ifdef HAVE_SECCOMP
 enum seccomp_mode pluto_seccomp_mode = SECCOMP_DISABLED;
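Review bot: Dropping the `#else` branch also drops the comment that a build without USE_IKEv1 has no code to send a REJECT, which is the reason the policy cannot be `reject` on such builds; the remaining initializer now gives no hint of that constraint. Keep the note on the new default, e.g. `/* drop by default; without USE_IKEv1 there is no code to send a REJECT, so reject only makes sense on IKEv1-enabled builds */`. As a matter of style the initializer now fits on one line, `enum global_ikev1_policy pluto_ikev1_pol = GLOBAL_IKEv1_DROP;`. Whether a configured `reject` is refused on non-IKEv1 builds elsewhere cannot be seen from this hunk.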
-- 
2.34.1