Re: [IPsec] rfc 8750 question

Tue, 10 May 2022 05:42:44 -0700 


On 5/10/22 08:25, Paul Wouters wrote:

On May 10, 2022, at 07:59, Robert Moskowitz <rgm-...@htt-consult.com> 
wrote:




20    ENCR_AES_GCM_16


and what RFC 8750 defined:

30    ENCR_AES_GCM_16_IIV

The only difference is a suffix "_IIV".



Actually, I thought that was the implicit IV size.  And thus this was 
some kind of AND condition of the base cipher AND implicit IV.


It is.


I really want the AES_GCM_12 used along with diet-esp.  Those 4 bytes 
are important when you are dealing with an MTU of 64 bytes and only 
have a 26 byte UDP data packet.


From RFC 8247:

As the advantage of the shorter (and
    weaker) Integrity Check Values (ICVs) is minimal, the 8- and 12-octet
    ICVs remain at the MAY level.


This explanation was not repeated in RFC8221, but the reason is the 
same. These weren’t really used or supported and kind of unwanted. 
Basically the authors of GCM really didn’t want shorter than 16 ICV 
but were pushed to include it.



With diet-esp in transport mode for a single UDP app, I can have a 
2-byte SPI (server will have LOTS of clients).  I COULD get by with a 
1-byte SN, but that would only cover ~4 min of comm before advancing 
the implicit msb



So that is one packet per second. That’s a lot of traffic. Does the 
ICV size really matter at that point? Is it causing you to go from 1 
to 2 packets per second ?




FAA mandate that the Location/Vector information for the UA be updated 
at least once per second (similar in EU and Japan).  Then there are a 
few other messages, like if the Operator moves, DHS (proxying through 
FAA) wants to know where the Operator is. Operators tend not to move as 
much as UA, so no 1/sec mandate there.



Of course all this position data is suspect.  Altitude can be off 10M 
due to the ionosphere action, but FAA really does not care.  You do NOT 
want a replay of all those video meetings...




Paul


so better a 2-byte SN and that gives word alignment for the ESP 
header (not really soooo important). Those 4 bytes in the ICV hurt.  
And the data is only valid for 1sec for the app.



The lightweigt crypto (like Xoodyak) from the NIST LWC effort 
(workshop this week) looks more attractive, as I can easily only 
squeeze the 12 bytes out of the sponge for the tag...

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec






















					Reply via email to