Feature request - Diffie Hellman groups 19-21

BertV · May 9, 2017, 1:20pm

Hello,

Are there any plans to support Diffie Hellman Groups 19 to 21 (ecp256, ecp384, ecp521)?

There is support for DH15-18, which - according to Cisco - offer acceptable and good security. (Source: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html)
I understand however that DH15-18 requires more processing power than DH19-21.
Perhaps on the mikrotik, this doesn’t pose such an issue, since it’s dedicated for this purpose, but on other devices, this could be an issue.
Therefore I believe it would be nice to have support for DH19-21.

Windows does not support DH15-18, but supports DH19-20 (ref https://technet.microsoft.com/en-us/library/dn262642(v=wps.630).aspx).

FYI: those that are interested, can found a nice overview of different Cipher Suites at https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites

Kind regards,
Bert

space007 · May 10, 2017, 1:50pm

Hi BertV,

The processing power and implementation of handling the encryption (single core) is here a real problem.
Not to troll but, I hope not to add new crypto features without resolving the core issues with the usage of the existing ones.

One can have 12+ cores, but if for a single tunnel and everything in it, is used just 1 core and the hw encryption accel performance is just little bit over the software emulated one, there is no real practical case use scenario which is can uphold the purchased cost of the hardware and the lack of performance .

For the problem with the IPSEC throughput, was suggested the use of “multiple streams” to push the multi core usage, but even with a separate 4 IPSEC with EoIP for each of them, the bandwidth is miserable (CCR1009 6.40rc4) this dream was not yet possible.
.
Just look at http://forum.mikrotik.com/t/v6-40-rc4-gre-ipsec-smb/108433/1 or other countless open treads from 4 years ago.

Kind regards.

BertV · May 11, 2017, 2:12pm

Although I’m not a cryptographic specialist (nor a programmer), I understand that Elliptic Curve Cryptography should be more efficient. (source: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html#9). The implementation of DH19-21 (which use ECC) could possibly improve throughput, while lower the resource usage at the same time.

(Almost) all commercial firewall vendors support DH14, some have support for DH15, almost none support DH16-18, and the decent ones have support for DH19-21.
I guess they’re also strungling with performance issues, and therefore have skipped DH16-18.

petern · December 13, 2017, 4:04pm

I have a VPN requirement that specifies that DH19 must be used. Are these ECC modes ever likely to available? Performance is not overly a concern as the data to be transmitted is only small.

g22113 · December 15, 2017, 1:32pm

They are already available in 6.41rc.

ECC modes are usually faster than traditional DH. But either way, DH is only used for handshake (key exchange), not for actual data transfer.

BertV · December 22, 2017, 7:31pm

They are now officially supported! Kudos to the devs!

What’s new in 6.41 (2017-Dec-22 11:55):
*) ipsec - added DH groups 19, 20 and 21 support for phase1 and phase2;

petern · January 19, 2018, 4:58pm

Great news!

Thanks.