On May 10, 2022, at 07:59, Robert Moskowitz <rgm-...@htt-consult.com> wrote: > > > >> 20 ENCR_AES_GCM_16 >> >> and what RFC 8750 defined: >> >> 30 ENCR_AES_GCM_16_IIV >> >> The only difference is a suffix "_IIV". > > Actually, I thought that was the implicit IV size. And thus this was some > kind of AND condition of the base cipher AND implicit IV.
It is. > I really want the AES_GCM_12 used along with diet-esp. Those 4 bytes are > important when you are dealing with an MTU of 64 bytes and only have a 26 > byte UDP data packet. From RFC 8247: As the advantage of the shorter (and weaker) Integrity Check Values (ICVs) is minimal, the 8- and 12-octet ICVs remain at the MAY level. This explanation was not repeated in RFC8221, but the reason is the same. These weren’t really used or supported and kind of unwanted. Basically the authors of GCM really didn’t want shorter than 16 ICV but were pushed to include it. > With diet-esp in transport mode for a single UDP app, I can have a 2-byte SPI > (server will have LOTS of clients). I COULD get by with a 1-byte SN, but > that would only cover ~4 min of comm before advancing the implicit msb So that is one packet per second. That’s a lot of traffic. Does the ICV size really matter at that point? Is it causing you to go from 1 to 2 packets per second ? Paul > so better a 2-byte SN and that gives word alignment for the ESP header (not > really soooo important). Those 4 bytes in the ICV hurt. And the data is only > valid for 1sec for the app. > > The lightweigt crypto (like Xoodyak) from the NIST LWC effort (workshop this > week) looks more attractive, as I can easily only squeeze the 12 bytes out of > the sponge for the tag...
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
