From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: [PATCH] vpnmain.cgi: Mark MODP-1536 as broken, phase out MODP-2048
Date: Sat, 06 Aug 2022 13:02:27 +0100
Message-ID: <22656F55-C066-4C42-B823-D751C747944F@ipfire.org>
In-Reply-To: <ca2f848c-f6c0-8f62-31b2-94b30827b308@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4553856617961150711=="
List-Id: <development.lists.ipfire.org>

--===============4553856617961150711==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Peter,

> On 6 Aug 2022, at 08:17, Peter M=C3=BCller <peter.mueller(a)ipfire.org> wro=
te:
>=20
> https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf (released in
> 2015) recommends "to use primes of 2048 bits or larger", to which BSI's
> techical guideline BSI-TR-02102 (https://www.bsi.bund.de/SharedDocs/Downloa=
ds/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=
=3DpublicationFile&v=3D5)
> concurs. The latter also recommends not to use DH groups comprising of
> less than 2000 bits after 2022, and shift to 3000 bit DH groups earlier
> as a precaution.
>=20
> According to RFC 3526, section 8, MODP-1536 provides an estimated
> security between 90 and 120 bits, a value that can be reasonably
> considered broken today, as it has been so for other types of
> cryptographic algorithms already, and per section 2.4 in the
> aforementioned paper, breaking 1024-bit DH is considered feasible for
> the NSA in 2015, which does not inspire confidence for MODP-1536 in
> 2022.

I generally agree with that statement.

In my personal opinion, I believe that we should not be using any of the MODP=
 options any more. Not because they are inherently broken, but we would need =
longer key lengths which are incredibly hard to generate for >=3D4096 bits - =
depending on your hardware. Very often, IPFire is not talking to another IPFi=
re instance, and that is where it gets really interesting.

However, having said that there are lots of bad devices out there, plenty don=
=E2=80=99t support any ECC - not even speaking of Curve25519. They have no HW=
RNGs and slow CPUs which are unable to even produce a 2048 bit prime - but ma=
ny of them barely manage.

The reason why MODP-2048 is enabled is, because it makes IPFire more compatib=
le with other devices out there. The intention is that a tunnel comes up with=
out the user visiting the =E2=80=9CAdvanced Settings=E2=80=9D. We do not show=
 any indication in the web UI at all if there is a cipher mismatch. So how el=
se is the user supposed to find out?

> Therefore, this patch suggests to mark MODP-1536 as broken, since it
> de facto is, and tag MODP-2048 as weak. The latter is also removed from
> the default selection, so newly created VPN connections won't use it
> anymore, to follow BSI's recommendations of using DH groups >=3D 3000 bits
> in 2022 and later.

I agree with the recommendation, although MODP-3072 is probably a bit pointle=
ss. It feels too odd to me, and I am sure that devices that support anything =
better than 2048 would support 4096 as well.

I agree with 2048 being marked as weak, but I do not agree with taking it out=
 of the default list. It shouldn=E2=80=99t be on there, but we would make the=
 setup process a lot more complicated for users.

-Michael

> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>=20
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 3652627e9..9828b2f9e 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -2,7 +2,7 @@
> ###########################################################################=
####
> #                                                                          =
   #
> # IPFire.org - A linux based firewall                                      =
   #
> -# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>               =
      #
> +# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>               =
      #
> #                                                                          =
   #
> # This program is free software: you can redistribute it and/or modify     =
   #
> # it under the terms of the GNU General Public License as published by     =
   #
> @@ -2360,11 +2360,11 @@ END
> 	#use default advanced value
> 	$cgiparams{'IKE_ENCRYPTION'}	=3D 'chacha20poly1305|aes256gcm128|aes256gcm9=
6|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128=
|aes128gcm96|aes128gcm64|aes128'; #[18];
> 	$cgiparams{'IKE_INTEGRITY'}		=3D 'sha2_512|sha2_256'; #[19];
> -	$cgiparams{'IKE_GROUPTYPE'}             =3D 'curve448|curve25519|4096|307=
2|2048'; #[20];
> +	$cgiparams{'IKE_GROUPTYPE'}             =3D 'curve448|curve25519|4096|307=
2'; #[20];
> 	$cgiparams{'IKE_LIFETIME'}		=3D '3'; #[16];
> 	$cgiparams{'ESP_ENCRYPTION'}	=3D 'chacha20poly1305|aes256gcm128|aes256gcm9=
6|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128=
|aes128gcm96|aes128gcm64|aes128'; #[21];
> 	$cgiparams{'ESP_INTEGRITY'}		=3D 'sha2_512|sha2_256'; #[22];
> -	$cgiparams{'ESP_GROUPTYPE'}             =3D 'curve448|curve25519|4096|307=
2|2048'; #[23];
> +	$cgiparams{'ESP_GROUPTYPE'}             =3D 'curve448|curve25519|4096|307=
2'; #[23];
> 	$cgiparams{'ESP_KEYLIFE'}		=3D '1'; #[17];
> 	$cgiparams{'COMPRESSION'}		=3D 'off'; #[13];
> 	$cgiparams{'ONLY_PROPOSED'}		=3D 'on'; #[24];
> @@ -3146,8 +3146,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
> 					<option value=3D'6144' $checked{'IKE_GROUPTYPE'}{'6144'}>MODP-6144</op=
tion>
> 					<option value=3D'4096' $checked{'IKE_GROUPTYPE'}{'4096'}>MODP-4096</op=
tion>
> 					<option value=3D'3072' $checked{'IKE_GROUPTYPE'}{'3072'}>MODP-3072</op=
tion>
> -					<option value=3D'2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048</o=
ption>
> -					<option value=3D'1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536</o=
ption>
> +					<option value=3D'2048' $checked{'IKE_GROUPTYPE'}{'2048'}>MODP-2048 ($=
Lang::tr{'vpn weak'})</option>
> +					<option value=3D'1536' $checked{'IKE_GROUPTYPE'}{'1536'}>MODP-1536 ($=
Lang::tr{'vpn broken'})</option>
> 					<option value=3D'1024' $checked{'IKE_GROUPTYPE'}{'1024'}>MODP-1024 ($L=
ang::tr{'vpn broken'})</option>
> 					<option value=3D'768' $checked{'IKE_GROUPTYPE'}{'768'}>MODP-768 ($Lang=
::tr{'vpn broken'})</option>
> 				</select>
> @@ -3169,8 +3169,8 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
> 					<option value=3D'6144' $checked{'ESP_GROUPTYPE'}{'6144'}>MODP-6144</op=
tion>
> 					<option value=3D'4096' $checked{'ESP_GROUPTYPE'}{'4096'}>MODP-4096</op=
tion>
> 					<option value=3D'3072' $checked{'ESP_GROUPTYPE'}{'3072'}>MODP-3072</op=
tion>
> -					<option value=3D'2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048</o=
ption>
> -					<option value=3D'1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536</o=
ption>
> +					<option value=3D'2048' $checked{'ESP_GROUPTYPE'}{'2048'}>MODP-2048 ($=
Lang::tr{'vpn weak'})</option>
> +					<option value=3D'1536' $checked{'ESP_GROUPTYPE'}{'1536'}>MODP-1536 ($=
Lang::tr{'vpn broken'})</option>
> 					<option value=3D'1024' $checked{'ESP_GROUPTYPE'}{'1024'}>MODP-1024 ($L=
ang::tr{'vpn broken'})</option>
> 					<option value=3D'768' $checked{'ESP_GROUPTYPE'}{'768'}>MODP-768 ($Lang=
::tr{'vpn broken'})</option>
> 					<option value=3D'none' $checked{'ESP_GROUPTYPE'}{'none'}>- $Lang::tr{'=
none'} -</option>
> --=20
> 2.35.3


--===============4553856617961150711==--