From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor 
Date: Fri, 7 Jan 2022 18:36:47 -0500
Subject: [PATCH] ikev1-policy defaults to drop

IKEv2 has been available for 16 years (RFC 4306 was published December 2005). At some point, we should be discouraging IKEv1 adoption. To the extent that a user needs IKEv1, they can manually add ikev1-policy=accept to /etc/ipsec.conf.
---
 configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
 include/ipsecconf/keywords.h | 2 +-
 lib/libipsecconf/confread.c | 1 +
 programs/pluto/server.c | 5 -----
 4 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
index 17d1747e3b..3bd6702564 100644
--- a/configs/d.ipsec.conf/ikev1-policy.xml
+++ b/configs/d.ipsec.conf/ikev1-policy.xml
@@ -3,9 +3,10 @@ What to do with received IKEv1 packets. Valid options are
-accept (default), reject which
-will reply with an error, and drop which will silently drop
-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
+drop (default) which will silently drop
+any received IKEv1 packet, accept, and
+reject which will reply with an error.
+If this option is set to drop or reject, an attempt to load an
 IKEv1 connection will fail, as these connections would never be able to receive a packet for processing.
diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
index 660847733c..31b519242a 100644
--- a/include/ipsecconf/keywords.h
+++ b/include/ipsecconf/keywords.h
@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
 KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
 KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
+ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
 KBF_ROOF
 };
diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
index 5b5aba723f..68fbccf442 100644
--- a/lib/libipsecconf/confread.c
+++ b/lib/libipsecconf/confread.c
@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
 /* Don't inflict BSI requirements on everyone */
 SOPT(KBF_SEEDBITS, 0);
 SOPT(KBF_DROP_OPPO_NULL, false);
+ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
 #ifdef HAVE_LABELED_IPSEC
 SOPT(KBF_SECCTX, SECCTX);
-- 
2.34.1
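Review bot: The new `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);` line flips a security-relevant default without a comment saying why, so a later reader of ipsecconf_default_values cannot tell whether drop was deliberate; add `/* IKEv1 off by default: inbound IKEv1 is silently dropped unless ikev1-policy=accept is set in ipsec.conf */` above it. Because drop is silent, an upgraded deployment that still has IKEv1 peers will simply stop negotiating with nothing on the wire to explain it, so consider logging the effective ikev1-policy once at startup so operators can see the change, while the load-time failure for IKEv1 connections described in the ikev1-policy.xml hunk surfaces stale conns. The diffstat lists five deleted lines in programs/pluto/server.c that are not in this view, presumably the previous accept fallback; if any code path fills in a starter_config without passing through this function, it would now carry no ikev1 default at all. ipsecconf_default_values begins and continues outside the hunk.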