1.102.1. RHEA-2010:0444: enhancement update
Updated openswan packages that implement Diffie-Hellman groups 22, 23 and 24 from RFC 5114 are now available.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.
These packages contain the daemons and userland tools for setting up openswan. They support the NETKEY/XFRM IPsec stack in the default Linux kernel. The openswan 2.6.x-series also supports IKEv2 as described in RFC 4309.
This update adds the following enhancement:
* RFC 5114, Additional Diffie-Hellman Groups for Use with IETF Standards, adds eight Diffie-Hellman groups (three prime modulus groups and five elliptic curve groups) to the extant 21 groups set out in previous RFCs (eg RFCs 2409, 3526 and 4492) for use with IKE, TLS, SSH and so on.
This update implements groups 22, 23 and 24: a 1024-bit MODular exPonential (MODP) Group with 160-bit Prime Order Subgroup; a 2048-bit MODP Group with 224-bit Prime Order Subgroup; and a 2048-bit MODP Group with 256-bit Prime Order Subgroup respectively. ( BZ#591104)
Note: implementation of group 24 (a 2048-bit MODP Group with 256-bit Prime Order Subgroup) is required for US National Institute of Standards and Technology (NIST) IPv6 compliance and ongoing FIPS-140 certification.
All openswan users should install these updated packages, which add this enhancement.