I asked on the IETF NTP list.
[email protected] said: > On Sat, Jan 19, 2019 at 6:23 AM Hal Murray <[email protected]> wrote: >> Is that number so large for the algorithms we will use that we don't have to >> consider it? Assume the client is sending 1 packet per second... If the >> answer is over 100 years, I'm happy. > The recommendation for AES-SIV is to encrypt no more than 2**48 messages > under the same key. At one message per second that's almost 9 million years. > If you (unwisely) use AES-GCM instead, where the recommended limit is 2**32 > messages, that's still 136 years. ------ > Btw, a related concern is the reason why we chose AES-SIV as the MTI cipher. > A completely stateless server 1) has to resort to random nonces since it > can't keep track of sequence numbers; 2) can't rate-limit since it can't keep > track of packet counts. So an adversary can keep replaying the same packet > and cause it to emit responses at line rate. With AES-SIV, even so it will > still be a very long time before the server ever collides a nonce, and even > once it does the consequences are insignificant. -- These are my opinions. I hate spam. _______________________________________________ devel mailing list [email protected] http://lists.ntpsec.org/mailman/listinfo/devel
