
I can't find much information on PFS (Perfect Forward Secrecy) Groups so I'm unsure what to suggest for a secure IPSec configuration.

Any suggestions on PFS groups that aren't recommended?

What is the implication for using better PFS groups?

ecdsa
ellefc
  • In answer to the title question, the UK's NCSC says ideally "256bit random ECP (RFC5903) Group 19" or, failing that, "Group 14 (2048-bit MODP Group) (RFC3526)" (https://www.ncsc.gov.uk/guidance/using-ipsec-protect-data). – mythofechelon Nov 09 '18 at 16:17

1 Answer


What you refer to as "PFS Groups" are more precisely Diffie-Hellman groups. The Internet Key Exchange (IKE) protocol uses Diffie-Hellman to derive key material for both the IKE and IPsec security associations (SA). With IKEv2, the keys for the first IPsec (or Child) SA are derived from the IKE key material (there is no DH exchange during the IKE_AUTH exchange that follows the initial IKE_SA_INIT exchange). A separate DH exchange may optionally be used with CREATE_CHILD_SA exchanges for Child SAs created later or their rekeyings. A DH exchange is mandatory only to rekey the IKE SA itself (so even if no separate DH exchange is used for each Child SA, their key material will be derived from new DH secrets once the IKE SA has been rekeyed).

The currently defined DH groups for IKEv2 are listed in Transform Type 4 - Diffie-Hellman Group Transform IDs. In 2017, RFC 8247 was released with recommendations regarding algorithms for IKEv2, including Diffie-Hellman groups in section 2.4. According to it, the groups to avoid are

  • the MODP groups below 2048-bit (groups 1, 2 and 5), because even group 5 (1536-bit) is assumed to be breakable by nation-state-level attackers in the near future,
  • and those MODP groups with prime order subgroups (22, 23 and 24), as group 22 was already shown to be weak (breakable by academia).

So for MODP at least 2048 bits and for ECP at least 256 bits should be used. For a general assessment of the cryptographic strength of the groups, keylength.com might be useful.

What is the implication for using better PFS groups?

Two issues may arise:

  1. The larger the group, the more computationally expensive the key derivation (this is mostly a concern with MODP groups), so as a gateway operator this might be a problem if there are lots of clients creating SAs concurrently (hardware acceleration can help).
  2. Large MODP groups can potentially cause IP fragmentation because the IKE_SA_INIT messages, which transport the public DH values, exceed the MTU (in particular for clients that also send a lot of certificate request payloads). This is a problem if such fragments are dropped by intermediate firewalls/routers. IKEv2 fragmentation (RFC 7383) doesn't help here as it exclusively operates on encrypted messages (i.e. starting with IKE_AUTH).
ecdsa
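
The group rules and the message-size concern from the answer above, as an added example that is not part of the original answer: it audits proposal strings against the groups listed as "to avoid" and reports the size of the public DH value each group puts into the KE payload. It assumes strongSwan-style proposal keywords (`modp2048`, `ecp256`, ...); the function names and sample proposals are constructed for illustration, and only the first DH keyword in a proposal is evaluated.

```python
import math

# keyword -> (IANA Transform Type 4 group ID, family, size in bits)
# Keywords follow strongSwan naming (an assumption; the page only gives group numbers).
GROUPS = {
    "modp768": (1, "MODP", 768), "modp1024": (2, "MODP", 1024),
    "modp1536": (5, "MODP", 1536), "modp2048": (14, "MODP", 2048),
    "modp3072": (15, "MODP", 3072), "modp4096": (16, "MODP", 4096),
    "modp6144": (17, "MODP", 6144), "modp8192": (18, "MODP", 8192),
    "ecp256": (19, "ECP", 256), "ecp384": (20, "ECP", 384),
    "ecp521": (21, "ECP", 521),
    "modp1024s160": (22, "MODP", 1024), "modp2048s224": (23, "MODP", 2048),
    "modp2048s256": (24, "MODP", 2048),
}
PRIME_ORDER_SUBGROUP = {22, 23, 24}  # listed as groups to avoid in the answer


def ke_bytes(family, bits):
    """Size in bytes of the public DH value carried in the KE payload."""
    octets = math.ceil(bits / 8)
    return 2 * octets if family == "ECP" else octets  # ECP sends x || y


def audit(proposal):
    """Return (group ID or None, verdict, public value bytes) for one proposal."""
    found = [GROUPS[t] for t in proposal.lower().split("-") if t in GROUPS]
    if not found:
        # No separate DH exchange is proposed for this SA.
        return (None, "no DH group: Child SA keys come from IKE key material", 0)
    gid, family, bits = found[0]
    if gid in PRIME_ORDER_SUBGROUP:
        verdict = "avoid: MODP group with prime-order subgroup"
    elif family == "MODP" and bits < 2048:
        verdict = "avoid: MODP below 2048 bits"
    else:
        verdict = "ok"
    return (gid, verdict, ke_bytes(family, bits))


# Constructed sample proposals, not taken from any real configuration.
SAMPLES = ["aes256-sha256-modp1536", "aes256gcm16-ecp256",
           "aes128-sha1-modp2048s256", "aes256-sha384-modp8192", "aes256gcm16"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:28} {audit(p)}")
```

The byte counts make the fragmentation point concrete: group 18 carries a 1024-byte public value in each IKE_SA_INIT message, against 64 bytes for group 19.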