On Tue, 28 Apr 2015, Yoav Nir wrote:

> This is actually quite unfortunate text. Fields must be aligned to block size
> only for CBC. Aligning AES-GCM to 16 bytes and ChaCha20-Poly1305 to 64 bytes
> would be totally arbitrary, yet that is what the MUST requirement in the first
> bullet seems to be saying. I don’t even know what “proper alignment” means for
> a cipher such as this. If anything is proper alignment, then the value that
> fulfills the SHOULD requirement is zero (with no padding bytes). For section 3,
> I could add a text that echoes the second bullet:
>
>   The sender SHOULD include no padding and set the Pad Length field to zero.
>   The receiver MUST accept any length of padding.
>
> Sounds good?

Not really?

Choices like that make me nervous that an attacker can tweak the padding
option. Who knows what oracle that can become in the future. There MUST
only be one way to do things. So I would rather see:

        The sender MUST NOT include padding and set the Pad Length field to
        zero. The receiver MUST reject a non-zero Pad Length field.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
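
The two receiver rules proposed in this exchange, applied to an ESP plaintext after AEAD decryption has succeeded, as an added example (not code from either author or from the draft under discussion). The function names, the policy enum and the sample payload are assumptions; the trailer layout (Padding, Pad Length, Next Header) and the default 1, 2, 3, ... padding bytes follow RFC 4303, whose alignment rules are not modelled here.

```python
from enum import Enum


class PadPolicy(Enum):
    ACCEPT_ANY = "receiver MUST accept any length of padding"
    ZERO_ONLY = "receiver MUST reject a non-zero Pad Length field"


class TrailerError(ValueError):
    pass


def split_esp_plaintext(plaintext: bytes, policy: PadPolicy):
    """Return (payload, next_header) or raise TrailerError."""
    if len(plaintext) < 2:
        raise TrailerError("too short for Pad Length and Next Header")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise TrailerError("Pad Length exceeds decrypted data")
    if policy is PadPolicy.ZERO_ONLY and pad_len != 0:
        raise TrailerError("non-zero Pad Length rejected")
    body_end = len(plaintext) - 2 - pad_len
    # Checking the RFC 4303 default content (1, 2, 3, ...) leaves the
    # sender no freedom in the padding bytes themselves, only in their count.
    if plaintext[body_end:-2] != bytes(range(1, pad_len + 1)):
        raise TrailerError("padding bytes are not 1, 2, 3, ...")
    return plaintext[:body_end], next_header


def build_esp_plaintext(payload: bytes, pad_len: int, next_header: int) -> bytes:
    """Helper for the constructed samples: append padding and trailer."""
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def accepted_encodings(payload: bytes, next_header: int, policy: PadPolicy) -> int:
    """Count the Pad Length values (0..255) that decode back to this payload."""
    count = 0
    for pad_len in range(256):
        wire = build_esp_plaintext(payload, pad_len, next_header)
        try:
            count += split_esp_plaintext(wire, policy) == (payload, next_header)
        except TrailerError:
            pass
    return count


if __name__ == "__main__":
    for p in PadPolicy:  # constructed payload, Next Header 6 (TCP)
        print(p.name, accepted_encodings(b"constructed payload", 6, p))
```

Under the first wording a single payload has 256 encodings the receiver accepts; under the second it has exactly one.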
