On Wed, 28 May 2014, Mike C wrote:

I have a question regarding AES-GCM usage in IPsec, and the impact of the lack of padding. In RFC 4106 section 3 it states that "Implementations that do not seek to hide the length of the plaintext SHOULD use the minimum amount of padding required, which will be less than four octets." RFC 3602 for AES-CBC usage does not make any comment regarding hiding message length, presumably because the authors are happy with the minimum 16-byte padding?

The RFC does not state if implementations should or should not seek to hide the length of the plaintext. I'm curious as to the approach taken by libreswan: does it use padding > 4 octets, and if so/if not, what's the rationale behind the decision?

We currently do not support AES_GCM for IKE, only for IPsec. So you
should be looking at the kernel code and kernel people to answer that
question for you.

We do plan to add AES_GCM support for IKE, most likely in libreswan
3.10. Then, your question can be answered by the NSS people.

The fact that the RFC does not state this as a requirement most likely
means that there was no clear consensus on whether it was a required
or useful feature or not - people didn't care enough and probably
thought it was an uninteresting edge case?

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan