[ipsec] aes-ctr question
wang_jiabo
jiabwang at redhat.com
Tue Dec 2 17:00:13 PST 2008
Christian Weisgerber wrote:
> wang_jiabo <jiabwang at redhat.com> wrote:
>
>
>> Following is my setkey configuration. I can get SAD and SPD, but when I
>> run " ping6 -I rl0 3ffe:501:ffff:103:20a:ebff:fe85:9e56 " on FreeBSD
>> FreeBSD report: kernel: esp_aesctr_decrypt aes-ctr:payload length must
>> be multiple of 16
>> kernel: decrypt fail in IPv6 ESP input :
>>
>
> (I cannot comment on this problem. Looks like a padding bug.)
>
>
>> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
>> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x1000 -m tunnel -E aes-ctr
>> "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";
>>
>
> Do not use AES-CTR with static keys! Re-use of keys with a stream
> cipher will allow listeners to recover the plaintext.
> (See section 7 of RFC 3686.)
>
>
But when I use
"ping6 -I rl0 -s 11 (or 12, 13, 14) 3ffe:501:ffff:103:20a:ebff:fe85:9e56"
there is no problem.
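
Added example, not part of the original thread and not FreeBSD code: it illustrates the warning quoted above about static keys (RFC 3686, section 7) by building RFC 3686 counter blocks from the keying material in the setkey line and showing that two packets sharing key, nonce and IV leak plaintext. Assumptions: HMAC-SHA256 (truncated) stands in for the AES block operation because Python's standard library has no AES, the IV is assumed to repeat after the SA is re-installed, and all function names, payloads and IVs are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Keying material from the setkey line on this page: per RFC 3686 the first
# 16 octets are the AES-128 key and the last 4 octets are the nonce.
KEYMAT = b"ipv6readylogoaes2to1"
KEY, NONCE = KEYMAT[:16], KEYMAT[16:]


def block_prf(key: bytes, counter_block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption: truncated HMAC-SHA256)."""
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:16]


def ctr_keystream(key: bytes, nonce: bytes, iv: bytes, length: int) -> bytes:
    """Keystream over RFC 3686 counter blocks: nonce(4) || IV(8) || counter(4), from 1."""
    out, counter = b"", 1
    while len(out) < length:
        out += block_prf(key, nonce + iv + struct.pack(">I", counter))
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, ctr_keystream(KEY, NONCE, iv, len(plaintext)))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """What a listener can compute when two packets share key, nonce and IV."""
    return xor(xor(c_known, p_known), c_target)


# Constructed sample payloads of equal length (not taken from the page).
P1 = b"ICMPv6 echo request 0001"
P2 = b"confidential payload 042"
IV_A = bytes(8)                # IV of the first packet after the SA is installed
IV_B = struct.pack(">Q", 1)    # a different per-packet IV

if __name__ == "__main__":
    c1 = encrypt(IV_A, P1)
    c2 = encrypt(IV_A, P2)     # assumed: static-key SA re-installed, IV repeats
    print(recover_with_known_plaintext(c1, P1, c2))        # equals P2
    print(recover_with_known_plaintext(c1, P1, encrypt(IV_B, P2)) == P2)
```

With a fresh key per SA, as an automated key exchange provides, a restarted IV sequence no longer produces the same counter blocks, which is why the RFC ties AES-CTR to automated keying.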