RFC 4106 says:

    The AES-GCM-ESP IV field MUST be eight octets.

NIST publication 800-38D says:

    For IVs, it is recommended that implementations restrict support to
    the length of 96 bits, to promote interoperability, efficiency, and
    simplicity of design.

There are no errata for RFC 4106, so I assume that ESP with
ENCR-AES_GCM_nn uses an 8-byte IV. Unfortunately, this goes against the
NIST recommendation and also prevents the use of the RBG-based IV
construction method outlined in the NIST document (which requires a
minimum IV length of 96 bits).

Does anyone have any observations or comments on this? Is it correct that
existing ESP AES_GCM implementations are using 128-bit IVs?

Thanks,
Scott Moonen ([email protected])
z/OS Communications Server TCP/IP Development
http://scott.andstuff.org/
http://www.linkedin.com/in/smoonen
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
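
An added example, not part of the original message: RFC 4106 section 4 defines the nonce passed to GCM as a 4-octet salt (taken from the end of the SA keying material) followed by the 8-octet ESP IV field, so the cipher itself receives a 96-bit value. The Go sketch below builds that nonce and seals one payload; `gcmNonce`, `sealESP` and `sampleKeymat` are hypothetical names, the key, salt and payload are constructed, and a 16-octet ICV without extended sequence numbers is assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample keying material: 16-octet AES key followed by a 4-octet salt.
var sampleKeymat = []byte("0123456789abcdefSALT")

// gcmNonce builds the 96-bit GCM nonce: 4-octet salt || 8-octet ESP IV field.
func gcmNonce(salt []byte, iv uint64) []byte {
	nonce := make([]byte, 12)
	copy(nonce, salt)
	binary.BigEndian.PutUint64(nonce[4:], iv)
	return nonce
}

// sealESP returns the 8-octet IV field, then the ciphertext and 16-octet ICV.
// The AAD is SPI || 32-bit sequence number; iv must never repeat under one key.
func sealESP(keymat []byte, spi, seq uint32, iv uint64, payload []byte) ([]byte, error) {
	if len(keymat) < 5 {
		return nil, errors.New("keying material too short for key plus salt")
	}
	key, salt := keymat[:len(keymat)-4], keymat[len(keymat)-4:]
	block, err := aes.NewCipher(key) // rejects key sizes other than 16/24/32
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // standard GCM: 12-octet nonce, 16-octet tag
	if err != nil {
		return nil, err
	}
	nonce := gcmNonce(salt, iv)
	aad := make([]byte, 8)
	binary.BigEndian.PutUint32(aad, spi)
	binary.BigEndian.PutUint32(aad[4:], seq)
	out := append([]byte{}, nonce[4:]...) // only the 8-octet IV goes on the wire
	return aead.Seal(out, nonce, payload, aad), nil
}

func main() {
	pkt, err := sealESP(sampleKeymat, 0x1000, 1, 1, []byte("constructed payload"))
	fmt.Println(len(pkt), err)
}
```

The salt never appears in the packet, which is why the ESP IV field can be eight octets while the GCM nonce is twelve.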