From: Dan McDonald <danmcd@su...> - 2008-01-10 21:30:48
We figured out the bug (our bug) and have interoperated successfully with
ipsec-tools using SHA-256 for IKE Phase I. We will sort out -384 and -512
soon enough, but those shouldn't be a problem either.
One thing we did notice, and this isn't *directly* relevant, but we noticed
the Linux kernel we were using -- 2.6.20-16-generic, which is a one-level
downrevved Ubuntu (but with patches) -- doesn't truncate the SHA-256,384,512
RFC 4868 is relatively new, so I suspect it's just a matter of catching up,
but it's supposed to be:
    Algorithm    ICV size for AH/ESP
    SHA-256      128 bits
    SHA-384      192 bits
    SHA-512      256 bits
and our interop (and the man pages for setkey) show that the Linux kernel in
question uses 96-bit for all of the SHA-2 algorithms.
Is there a way to quickly reconfigure Linux to do the right thing
(a la ipsecalgs(1M) on OpenSolaris)? Or do we have to dig into source
that'll taint us? If the latter, can someone prod a Linux kernel person to
get up to date with RFC 4868?
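
The truncation mismatch described in the message, as an added example that is not part of the original post: a simplified model in which the ICV is an HMAC over the packet bytes, cut to the sender's configured length and appended. The key, payload, and function names are constructed for illustration, and real ESP/AH packet layout is not modelled.

```python
import hashlib
import hmac

# ICV lengths in bytes: the RFC 4868 values listed in the post, and the
# 96-bit truncation the post reports for the Linux kernel it tested.
RFC4868_ICV = {"sha256": 16, "sha384": 24, "sha512": 32}
OBSERVED_96BIT_ICV = {"sha256": 12, "sha384": 12, "sha512": 12}


def protect(key: bytes, data: bytes, alg: str, icv_table: dict) -> bytes:
    """Append a truncated HMAC (the ICV) to data, as a sender would."""
    full = hmac.new(key, data, getattr(hashlib, alg)).digest()
    return data + full[: icv_table[alg]]


def verify(key: bytes, packet: bytes, alg: str, icv_table: dict) -> bool:
    """Split off the trailing ICV using the receiver's own length and check it."""
    n = icv_table[alg]
    if len(packet) <= n:
        return False
    data, icv = packet[:-n], packet[-n:]
    expected = hmac.new(key, data, getattr(hashlib, alg)).digest()[:n]
    return hmac.compare_digest(icv, expected)


def interop_matrix(key: bytes, data: bytes) -> dict:
    """Try every sender/receiver truncation pairing for each SHA-2 algorithm."""
    tables = {"rfc4868": RFC4868_ICV, "96bit": OBSERVED_96BIT_ICV}
    result = {}
    for alg in RFC4868_ICV:
        for s_name, s_tab in tables.items():
            pkt = protect(key, data, alg, s_tab)
            for r_name, r_tab in tables.items():
                result[(alg, s_name, r_name)] = verify(key, pkt, alg, r_tab)
    return result


if __name__ == "__main__":
    # Constructed key and payload, for illustration only.
    key = bytes(range(32))
    data = b"constructed ESP header, IV and ciphertext"
    for (alg, sender, receiver), ok in interop_matrix(key, data).items():
        print(f"{alg:7} sender={sender:8} receiver={receiver:8} verified={ok}")
```

Only pairings where both ends use the same truncation length verify; a mixed pairing fails because the receiver splits the packet at the wrong offset, so both the extracted ICV and the authenticated bytes differ from what the sender produced.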