[ipsec] aes-ctr question
Christian Weisgerber
naddy at mips.inka.de
Tue Dec 2 12:44:45 PST 2008
wang_jiabo <jiabwang at redhat.com> wrote:
> following is my setkey configration. I can get SAD and SPD. but when I
> run " ping6 -I rl0 3ffe:501:ffff:103:20a:ebff:fe85:9e56 " on FreeBSD
> FreeBSD report: kernel: esp_aesctr_decrypt aes-ctr:payload length must
> be multiple of 16
> kernel: decrypt fail in IPv6 ESP input :
(I cannot comment on this problem. Looks like a padding bug.)
> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x1000 -m tunnel -E aes-ctr
> "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";
Do not use AES-CTR with static keys! Re-use of keys with a stream
cipher will allow listeners to recover the plaintext.
(See section 7 of RFC 3686.)
--
Christian "naddy" Weisgerber naddy at mips.inka.de
More information about the freebsd-net
mailing list