Tobias Heider:
> currently iked(8) supports AES-GCM only for ESP.
> The diff below adds the ENCR_AES_GCM_16 and ENCR_AES_GCM_12 variants for IKE.
> (for more information see [1] and [2]).
> Both variants support the 128, 196, and 256 bit key lengths.
>
> The new ciphers can be configured with:
> - aes-128-gcm, aes-196-gcm and aes-256-gcm for ENCR_AES_GCM_16
> - aes-128-gcm-12, aes-196-gcm-12 and aes-256-gcm-12 for ENCR_AES_GCM_12

Is there a compelling reason to implement the GCM_12 variants? I remember that truncating integrity tags is problematic for GCM. That probably doesn't matter for small IKE exchanges, but then again four extra bytes per packet don't matter either.

According to RFC5282, full length tags MUST be supported anyway, truncated ones are optional. RFC5282 also says that AES-192 is NOT RECOMMENDED.

So I think only aes-128-gcm and aes-256-gcm should be added. While adding the other variants is simple, there is no value in supporting them; they just add more configuration buttons.

--
Christian "naddy" Weisgerber na...@mips.inka.de