Hi

The following text in Section 5.4.3 of RFC 9001 has several problems and needs
an errata:

"  This algorithm samples 16 bytes from the packet ciphertext.  This
   value is used as the counter input to AES-ECB.  In pseudocode:

   mask = AES-ECB(pn_key, sample)"

1. ECB does not take a counter as an input, CTR does.
2. It does not specify if it is the ECB encryption or decryption function. I
   assume it is the encryption function. But this is not obvious to the reader,
   as sample is ciphertext.
3. The ECB notation is confusing in itself; this is just the AES encryption
   function without any mode of operation. Kind of bad that QUIC is making it
   look like ECB mode is acceptable. It is not. It is only acceptable when the
   plaintext is exactly 16 bytes, and then it is not really ECB anymore.

I think this needs an errata, but I wanted to send it to the list first. Two 
suggestions.

A.
"  This algorithm samples 16 bytes from the packet ciphertext.  This
   value is used as the plaintext input to the AES encryption function.
   In pseudocode:

   mask = AES-ENC(pn_key, sample)"

B.
"  This algorithm samples 16 bytes from the packet ciphertext.  This
   value is used as the plaintext input to the AES-ECB encryption function.
   In pseudocode:

   mask = AES-ECB(pn_key, sample)"

I would prefer A.

Cheers
John
