On Thu, Feb 23, 2023 at 7:13 AM Steffen Klassert <steffen.klass...@secunet.com> wrote:

> On Tue, Feb 21, 2023 at 12:45:27PM -0500, Benjamin Schwartz wrote:
>
...

> > Reusing sequence numbers is extremely unsafe in ESP.  Most notably,
> > AES-GCM fails entirely and **leaks the shared secret** if a nonce is ever
> > reused [1].
>
> That depends on how you create your Nonce. If you use the sequence numbers
> as the IV, then yes. But you are free to implement any other method as
> long as the IV (and with that the Nonce) does not repeat (RFC 4106).
>
> So in theory, you can do that with ESP too.
>

Thanks for pointing this out!  I didn't realize that RFC 4106 added a
separate IV field.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
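As an added illustration of the two points discussed above (it is example code written for this page, not anything from the thread participants or from a Linux/strongSwan implementation), the Go program below builds the AES-GCM nonce the way RFC 4106 does, as a 4-byte salt taken from the key material followed by the 8-byte explicit IV carried in the ESP packet, hands out IVs from a per-SA counter that refuses to wrap, and then shows the cheapest consequence of reusing an IV: GCM is CTR mode underneath, so two ciphertexts under the same (key, nonce) XOR to the XOR of their plaintexts without any key. The key, salt, payloads and the rekey threshold are constructed for the example; the full GCM failure (recovering the GHASH key and forging tags) is not demonstrated here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// rfc4106Nonce builds the 12-byte AES-GCM nonce as RFC 4106 specifies:
// a 4-byte salt from the SA's key material followed by the 8-byte explicit
// IV that travels in the ESP packet. Only the IV is on the wire.
func rfc4106Nonce(salt [4]byte, iv uint64) []byte {
	nonce := make([]byte, 12)
	copy(nonce[:4], salt[:])
	binary.BigEndian.PutUint64(nonce[4:], iv)
	return nonce
}

// ErrRekey is returned once the IV counter reaches its limit for this SA.
var ErrRekey = errors.New("IV space exhausted for this SA: rekey required")

// IVSource hands out explicit IVs for one SA. A plain counter is the
// simplest way to meet the RFC 4106 rule that the IV never repeats under a
// given key; the limit is an assumed rekey threshold that forces a new key
// before any wrap could occur.
type IVSource struct {
	next  uint64
	limit uint64
}

// Next returns a fresh IV, or ErrRekey if this SA must be rekeyed first.
func (s *IVSource) Next() (uint64, error) {
	if s.next >= s.limit {
		return 0, ErrRekey
	}
	iv := s.next
	s.next++
	return iv, nil
}

// sealESP encrypts one payload under (key, salt, iv). Seal returns
// ciphertext followed by the 16-byte tag; aad stands in for the ESP header.
func sealESP(key []byte, salt [4]byte, iv uint64, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, rfc4106Nonce(salt, iv), plaintext, aad), nil
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// keystreamLeak encrypts two payloads under the same (key, salt, iv) and
// returns c1 XOR c2 over the ciphertext bytes (tags excluded). Because the
// CTR keystream is identical for both, this equals p1 XOR p2: an observer
// who knows one payload reads the other directly.
func keystreamLeak(key []byte, salt [4]byte, iv uint64, p1, p2 []byte) ([]byte, error) {
	c1, err := sealESP(key, salt, iv, nil, p1)
	if err != nil {
		return nil, err
	}
	c2, err := sealESP(key, salt, iv, nil, p2)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil
}

func main() {
	// Constructed inputs for the demonstration; a real SA derives these from IKE.
	key := []byte("0123456789abcdef") // AES-128 key
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef}
	p1 := []byte("GET /index.html HTTP/1.1")
	p2 := []byte("PUT /secret.txt HTTP/1.1")

	src := &IVSource{limit: 4}
	for {
		iv, err := src.Next()
		if err != nil {
			fmt.Println("counter refused:", err)
			break
		}
		fmt.Printf("nonce for IV %d: %x\n", iv, rfc4106Nonce(salt, iv))
	}

	// Reusing IV 1 for two packets: XOR of ciphertexts == XOR of plaintexts.
	leak, _ := keystreamLeak(key, salt, 1, p1, p2)
	fmt.Printf("c1^c2 == p1^p2: %v\n", string(xorBytes(leak, p1)) == string(p2))
}
```

The on-wire IV is all an attacker needs to spot a repeat, so a receiver-side sanity check in a lab (or a replay-window monitor) can flag duplicate IVs per SPI; in production the fix is simply never to let the per-SA counter be reset, which is exactly what reusing sequence numbers would do.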