On Fri, Jun 29, 2012 at 12:09 AM, Christian Weisgerber <[email protected]> wrote:
> Is there a particular reason we only support AES-128-CTR ("AESCTR")
> with isakmpd(8), but not the 192- and 256-bit variants like we do
> for AES-CBC and AES-GCM?
>
> If not, and I assume it's just a historic oversight, how about this?
> Adds AES-{128,192,256}-CTR to ipsecctl(8) and isakmpd(8).
>
> There is nothing to do for the kernel side and in fact you could
> already set up manual SAs with "enc aesctr" and 192+32 and 256+32
> bit keys (but don't ever do that in earnest with counter mode
> ciphers!).
>
I see no reason not to implement that, especially given the fact that RFC 3686 specifies three key sizes. OK mikeb for the diff.
