On Tue, Feb 21, 2023 at 12:45:27PM -0500, Benjamin Schwartz wrote:
> On Mon, Feb 20, 2023 at 4:58 PM Michael Richardson <m...@sandelman.ca> wrote:
> 
> > Tero Kivinen <kivi...@iki.fi> wrote:
> >     > I mean what should the other end do if the other end says he will not
> >     > do anti-replay checks?
> >
> > Not send unique replay values in the ESP.
> >
> 
> Yes but mostly for AH.  My goal is related to draft-xu-risav, which would
> benefit from the ability to repeat sequence numbers in AH when replay
> protection is not required.
> 
> Reusing sequence numbers is extremely unsafe in ESP.  Most notably, AES-GCM
> fails entirely and **leaks the shared secret** if a nonce is ever reused
> [1].

That depends on how you create your Nonce. If you use the sequence numbers
as the IV, then yes. But you are free to implement any other method as
long as the IV (and with that the Nonce) does not repeat (RFC 4106).

So in theory, you can do that with ESP too.

Steffen
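An added illustration of the point Steffen makes, not code from the thread or from any IPsec implementation: RFC 4106 builds the 12-byte AES-GCM nonce as a 4-byte salt (from the key material) followed by an 8-byte per-packet IV, and nothing forces that IV to be the ESP sequence number. The class `GcmEspSender`, the exception `NonceReuse` and the salt value are assumptions made up for the example; it drives the same sequence-number pattern (with a repeat) through both IV choices.

```python
import struct

SALT_LEN = 4   # RFC 4106: 4-byte salt taken from the SA's key material
IV_LEN = 8     # RFC 4106: 8-byte per-packet IV carried in the ESP payload


class NonceReuse(Exception):
    """Raised when an SA is about to emit a (salt, IV) pair it has already used."""


class GcmEspSender:
    """Hypothetical per-SA outbound state for AES-GCM ESP (illustration only).

    iv_from_seq=True models "sequence number as IV"; False models an
    independent 64-bit IV counter that keeps advancing even when the ESP
    sequence number is allowed to repeat (receiver does no anti-replay check).
    """

    def __init__(self, salt: bytes, iv_from_seq: bool):
        assert len(salt) == SALT_LEN
        self.salt = salt
        self.iv_from_seq = iv_from_seq
        self.iv_counter = 0
        self.seen = set()  # self-check for the demo; a real sender trusts its counter

    def next_nonce(self, seq: int) -> bytes:
        """Return the 12-byte GCM nonce (salt || IV) for the packet carrying ESP seq."""
        if self.iv_from_seq:
            iv = struct.pack(">Q", seq)            # IV tied to the sequence number
        else:
            self.iv_counter += 1                   # IV independent of the sequence number
            if self.iv_counter >= 2 ** 64:
                raise NonceReuse("IV space exhausted; rekey the SA")
            iv = struct.pack(">Q", self.iv_counter)
        nonce = self.salt + iv
        if nonce in self.seen:
            raise NonceReuse(f"nonce repeated for seq={seq}")
        self.seen.add(nonce)
        return nonce


def nonces_for(seqs, iv_from_seq, salt=b"\x01\x02\x03\x04"):
    """Drive one sender through a sequence-number pattern (constructed input).

    Returns (nonces emitted so far, error message or None).
    """
    sender = GcmEspSender(salt, iv_from_seq)
    out = []
    for s in seqs:
        try:
            out.append(sender.next_nonce(s))
        except NonceReuse as e:
            return out, str(e)
    return out, None
```

With the pattern `[1, 2, 2, 3]`, the sequence-number-as-IV sender fails on the repeated 2, while the counter-based sender emits four distinct nonces under the same salt.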

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
