On Wed, Apr 6, 2022 at 5:01 AM Lars Eggert <[email protected]> wrote:

> Hi,
>
> On 2022-4-6, at 5:05, Daniel Migault <[email protected]> wrote:
> > Section 2. , paragraph 6, comment:
> > >    [RFC4303] does not require the SPI to be randomly generated over 32
> > >    bits.  However, this is the recommended way to generate SPIs as it
> > >    provides some privacy benefits and avoids, for example, correlation
> > >    between ESP communications.  To randomly generate a 32 bit SPI, the
> > >    node generates a random 32 bit value and checks it does not fall in
> > >    the 0-255 range.  If the SPI has an acceptable value, it is used to
> > >    index the inbound session, otherwise the SPI is re-generated until an
> > >    acceptable value is found.
> >
> > Wouldn't it be simpler to compute a 24-bit random value and left-shift it by
> > eight? Or left-shift the 32-bit value; both remove the need to check.
> >
> > I think the situation we want to avoid is to have the 24 right most bits
> > to be set to zero. With a random 32 bit value, the probability to have a
> > rejected value is 2**8 / 2**32. If you take a 24 bit value that you
> > left-shift by eight that probability becomes 2**8/2**24. If you take a 32
> > bit value you left shift by eight that probability becomes 2**16/2**32.
> > Unless I am missing something, we cannot avoid the check.
>
> nowhere in the text does it say that avoiding that the 24 rightmost bits
> be zero is a goal? (And don't you mean leftmost?) It talks about avoiding
> values between 0-255, which you could do by shifting a value >0 or by
> clearing the bottom eight bits (for a value >255).
>
Of course I went in the wrong direction ;-), but I am still unsure I am
capturing/understanding your comment. I apologize in advance but let me try
to set my thoughts.

The current text does not detail how to implement and ensure the SPI does
not match the value 0-255. But I assumed one generates a 32 bit and checks
if the 24 leftmost are not set to 0. If these are set to 0 the SPI is
rejected. This ends in some SPI being rejected occasionally and I
understand your proposal is to generate an SPI without any need to check
which avoids rejected SPIs. You propose to generate a 24 bit random, check
it is not zero and left shift. If I understand correctly, the right most
byte will be 0. The same can be done with 32 bits, though the check needs
to be performed over the right most 24 bits. In fact, the 32 bit could be
non zero because of the leftmost byte, and this byte will be removed after
the left shift. I do not see how a check can be avoided, and it seems to me
the same check is performed in all cases.
My understanding of the mechanism you propose is that it clears the right
most byte which I see as different from what we are trying to achieve and
also reduces the SPI space.
If we wanted to avoid the check, maybe we could set the left most byte to a
non zero value to which a 24 bit random is appended.


> Thanks,
> Lars
>
>

-- 
Daniel Migault
Ericsson
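
The three SPI generation approaches discussed in this thread, side by side, as an added example that is not part of the original messages or the draft. The function names, the RNG callback and the replayed test sequence are hypothetical and constructed for illustration; a real node would back the callback with its CSPRNG.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical RNG hook returning 32 bits; a real node backs it with its
 * CSPRNG. None of these names come from the draft or an ESP stack. */
typedef uint32_t (*rand32_fn)(void *ctx);

/* Draft text: draw 32 bits, re-generate while the value is in 0-255.
 * Usable SPI space: 2^32 - 256 values. *draws counts RNG calls. */
uint32_t spi_reject(rand32_fn rnd, void *ctx, unsigned *draws) {
    uint32_t spi;
    *draws = 0;
    do { spi = rnd(ctx); (*draws)++; } while (spi <= 255u);
    return spi;
}

/* Shift variant: 24 random bits shifted left by eight. A zero draw must
 * still be rejected, and the low byte is always 0: 2^24 - 1 values. */
uint32_t spi_shift24(rand32_fn rnd, void *ctx, unsigned *draws) {
    uint32_t r;
    *draws = 0;
    do { r = rnd(ctx) & 0x00FFFFFFu; (*draws)++; } while (r == 0);
    return r << 8;
}

/* Check-free variant: caller-chosen non-zero leftmost byte, then 24 random
 * bits. One draw, no loop: 2^24 values per prefix. Returns 0 if top is 0. */
uint32_t spi_prefix(uint8_t top, rand32_fn rnd, void *ctx) {
    if (top == 0) return 0;
    return ((uint32_t)top << 24) | (rnd(ctx) & 0x00FFFFFFu);
}

/* Constructed, non-random sequence that forces the rejection paths. */
struct seq { const uint32_t *v; unsigned n, i; };
uint32_t seq_next(void *ctx) {
    struct seq *s = ctx;
    return s->v[s->i++ % s->n];
}

int main(void) {
    static const uint32_t v[] = { 0x0u, 0xFFu, 0x100u, 0xAB000000u, 0x12345678u };
    struct seq s = { v, 5, 0 };
    unsigned d;
    uint32_t spi = spi_reject(seq_next, &s, &d);
    printf("reject:  0x%08X after %u draws\n", (unsigned)spi, d);
    spi = spi_shift24(seq_next, &s, &d);
    printf("shift24: 0x%08X after %u draws\n", (unsigned)spi, d);
    printf("prefix:  0x%08X\n", (unsigned)spi_prefix(0x01, seq_next, &s));
    return 0;
}
```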