Missing Diffie-Hellman-Groups

Bug #1938284 reported by Maxim Korezkij
Affects                      Status       Importance  Assigned to  Milestone
OpenStack Security Advisory  Won't Fix    Undecided   Unassigned
neutron                      In Progress  Wishlist    Unassigned

Bug Description

The values for the pfs (perfect forward secrecy) setting when creating an IKE or IPsec policy are limited to Diffie-Hellman groups 2, 5 and 14.

strongSwan, as the default provider, supports more than these three groups, e.g. group20 (ecp384).
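As an added illustration (not code from the bug report or from neutron-vpnaas), the check below audits a policy's pfs value against the set of choices the VPNaaS API accepted before and after the change, maps the group to the strongSwan proposal keyword, and flags the groups RFC 8247 says SHOULD NOT be used. The pfs names on the page are group2, group5, group14 and groups 15 to 31; the IANA-number-to-strongSwan-keyword table, the weak-group list and the preference order are assumptions taken from the IANA IKEv2 transform registry, the strongSwan proposal syntax and RFC 8247, not from this bug.

```python
"""Audit a Neutron VPNaaS pfs setting against strongSwan's actual DH support.

Added example. Assumptions (not from the bug report): the group-number to
strongSwan keyword table, the RFC 8247 weak-group list and the preference
order below are taken from public registries and RFC text, not from neutron.
"""
from __future__ import annotations

# From the bug report: the only pfs values the VPNaaS API originally accepted.
LEGACY_API_PFS = frozenset({"group2", "group5", "group14"})

# From the merged neutron-lib change: Diffie-Hellman groups 15 to 31 were added.
EXTENDED_API_PFS = LEGACY_API_PFS | frozenset(f"group{n}" for n in range(15, 32))

# Assumed mapping: IANA IKEv2 DH group number -> strongSwan ike/esp proposal keyword.
STRONGSWAN_KEYWORD = {
    2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
    16: "modp4096", 17: "modp6144", 18: "modp8192",
    19: "ecp256", 20: "ecp384", 21: "ecp521",
    22: "modp1024s160", 23: "modp2048s224", 24: "modp2048s256",
    25: "ecp192", 26: "ecp224",
    27: "ecp224bp", 28: "ecp256bp", 29: "ecp384bp", 30: "ecp512bp",
    31: "curve25519",
}

# Groups RFC 8247 marks "SHOULD NOT": sub-2048-bit MODP and the
# prime-order-subgroup MODP variants (assumed list, see RFC 8247 section 2.4).
WEAK_GROUPS = frozenset({2, 5, 22, 23, 24})

# Assumed preference order for picking a PFS group: ECP and curve25519 groups
# that RFC 8247 rates SHOULD, then the mandatory 2048-bit MODP group 14.
PREFERRED_PFS = ("group20", "group19", "group31", "group14")


def parse_group(pfs: str) -> int:
    """Turn a VPNaaS pfs string such as 'group20' into its IANA group number."""
    if not pfs.startswith("group") or not pfs[5:].isdigit():
        raise ValueError(f"unrecognised pfs value: {pfs!r}")
    return int(pfs[5:])


def audit_pfs(pfs: str, api_choices=EXTENDED_API_PFS) -> dict:
    """Report whether the API accepts this pfs value, what strongSwan calls it,
    and whether the group is one RFC 8247 says should not be used."""
    group = parse_group(pfs)
    return {
        "pfs": pfs,
        "accepted_by_api": pfs in api_choices,
        "strongswan_keyword": STRONGSWAN_KEYWORD.get(group),
        "weak": group in WEAK_GROUPS,
    }


def recommended_pfs(api_choices=EXTENDED_API_PFS) -> str:
    """Pick the first preferred group the API accepts and strongSwan knows.

    With the legacy choice set this is forced down to group14; with the
    extended set an ECP group becomes available."""
    for pfs in PREFERRED_PFS:
        if pfs in api_choices and parse_group(pfs) in STRONGSWAN_KEYWORD:
            return pfs
    raise LookupError("no acceptable, non-weak PFS group available in the API")


def build_proposal(encryption: str, integrity: str, pfs: str) -> str:
    """Render a strongSwan 'enc-integ-dh' proposal string from VPNaaS names
    (assumed format, e.g. 'aes256-sha256-ecp384')."""
    keyword = STRONGSWAN_KEYWORD[parse_group(pfs)]
    return f"{encryption}-{integrity}-{keyword}"


if __name__ == "__main__":
    for name in ("group2", "group14", "group20"):
        print(audit_pfs(name, LEGACY_API_PFS))
    print("legacy API recommendation:", recommended_pfs(LEGACY_API_PFS))
    print("extended API recommendation:", recommended_pfs())
    print(build_proposal("aes256", "sha256", recommended_pfs()))
```

Running it against the legacy choice set shows the problem the report describes: group20 is rejected by the API even though strongSwan would negotiate ecp384, so the strongest policy an operator can express is group14.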

Tags: vpnaas
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)
Changed in neutron:
status: New → In Progress
Changed in neutron:
importance: Undecided → Medium
tags: added: vpnaas
Changed in neutron:
importance: Medium → Wishlist
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-vpnaas (master)

Change abandoned by "Maxim Korezkij <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron-vpnaas/+/802714
Reason: Abandon because no time. Feel free to reopen.

Enrico Kern (flyersa) wrote :

Can we finally implement this patch? Those groups have been outdated for years. Clients are requesting support for higher DH groups. The patch is also there, so why not implement it?

Enrico Kern (flyersa)
information type: Public → Public Security
Jeremy Stanley (fungi) wrote :

Note that you've changed the information type of this bug to Public Security, indicating it represents a possible security vulnerability. Since the OpenStack Vulnerability Management Team (VMT) does not officially oversee[*] the neutron-vpnaas deliverable, I'm adding a security advisory task with a Won't Fix status to indicate we're not tracking this for any future advisory publication.

[*] https://security.openstack.org/repos-overseen.html

Changed in ossa:
status: New → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/898828

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)
Bodo Petermann (bpetermann) wrote :

The patches above add not only the DH groups 15 to 31 but also more choices for encryption algorithm (to support AES CCM and AES GCM modes) and auth algorithms (to support aes-xcbc and aes-cmac).

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/898828
Committed: https://opendev.org/openstack/neutron-lib/commit/b7598dab47d3648bf1bb28eae8c8ed8006097f5a
Submitter: "Zuul (22348)"
Branch: master

commit b7598dab47d3648bf1bb28eae8c8ed8006097f5a
Author: Bodo Petermann <email address hidden>
Date: Wed Oct 18 13:50:58 2023 +0200

    vpnaas: add support for more ciphers (auth, encryption, pfs modes)

    Encryption algorithms: add AES CCM mode and AES GCM mode variants
    for 128/192/256 bit keys and 8/12/16 octet ICVs.
    Auth algorithms: add aes-xcbc and aes-cmac.
    PFS: add Diffie Hellman groups 15 to 31.

    Related-Bug: #1938284
    Change-Id: Iba86fe9a1bbf88223b57a45fb89349c6b1858015

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903551

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (stable/2023.2)

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903552

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903971

Bodo Petermann (bpetermann) wrote :

The neutron-lib part for the API definition for most added choices has been merged already. But the neutron-vpnaas change that implements them has not. I also noticed that the neutron-lib part missed the definition for AES CTR mode, so there's a new commit to add that too.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-lib (stable/2023.2)

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903552
Reason: As commented in https://review.opendev.org/c/openstack/neutron-lib/+/903552/comment/a4b99a01_466b834a/, an API change cannot be backported.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-lib (stable/2023.1)

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron-lib/+/903551
Reason: As commented in https://review.opendev.org/c/openstack/neutron-lib/+/903551/comments/5c42cb15_a3ec30b5, an API change cannot be backported.
