IKEv2 (RFC-7296) states:
Nonces used in IKEv2 MUST be randomly chosen, MUST be at least 128 bits
in size, and MUST be at least half the key size of the negotiated
pseudorandom function (PRF).
For SHA2 versions of PRF, we need to look at RFC-4868:
http://tools.ietf.org/html/rfc4868#section-2.4
The PRF-HMAC-SHA-256 algorithm is identical to HMAC-SHA-256-128,
except that variable-length keys are permitted, and the truncation
step is NOT performed. Likewise, the implementations of PRF-HMAC-
SHA-384 and PRF-HMAC-SHA-512 are identical to those of HMAC-SHA-384-
192 and HMAC-SHA-512-256 respectively, except that again, variable-
length keys are permitted, and truncation is NOT performed.
So when using SHA2, what should the minimum nonce size be?
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
