In the security considerations section there is a text saying:

> Additionally, since AES has a 128-bit block size, regardless of the
> mode employed, the ciphertext generated by AES encryption becomes
> distinguishable from random values after 2^64 blocks are encrypted
> with a single key. Since IKEv2 is not likely to carry traffic in
> such a high quantity compared with ESP, this won't be a big concern
> here. However, when a large amount of traffic appears in the future
> or under abnormal circumstances, implementations SHOULD generate a
> fresh key before 2^64 blocks are encrypted with the same key.

The last SHOULD is not really needed, as the IKEv2 message ID is 32 bits, and the IKE SA MUST be closed (or rekeyed) before it wraps, thus at most one IKE SA can have 2^32 messages, each consisting of at most 2^16 bytes, thus the maximum number of bytes that may be transmitted over an IKEv2 SA is 2^48 bytes. As this 2^48 bytes is much smaller than 2^64 blocks, this paragraph is not an issue in IKEv2.

I would change the paragraph to be:

   Additionally, since AES has a 128-bit block size, regardless of the
   mode employed, the ciphertext generated by AES encryption becomes
   distinguishable from random values after 2^64 blocks are encrypted
   with a single key. Since an IKEv2 SA cannot carry that much data,
   this issue is not a concern here.

--
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec