Hi,
The document takes care not to define Implicit IV for AES-CBC, and I
believe the underlying reason is malleability of the encryption. The
same would apply to AES-CTR. So I would suggest to:
* Exclude AES-CTR from this draft, or...
* Better yet, restrict the draft to AEAD algorithms.
BTW, the reference for AES-GCM is incorrect. It should be RFC 4106.
Speaking of which, AES-GCM in ESP has a "salt" derived from IKE key
material. Is that kept intact by the current proposal?
Thanks,
Yaron
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
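An added illustration of the malleability point raised in the message above (example code, not part of the post or of the draft): with AES-CTR a single flipped ciphertext bit lands in the decrypted plaintext with nothing to signal it, whereas AES-GCM, using the RFC 4106 nonce layout of a 4-byte salt from IKE keying material followed by the 8-byte per-packet IV, rejects the same flip at tag check. The key, salt, IV and plaintext are constructed values; the CTR counter-block layout follows RFC 3686.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values (not from any real SA): a 16-byte AES key, the 4-byte
// salt that RFC 4106/3686 take from IKE keying material, and an 8-byte packet IV.
var (
	demoKey  = []byte("0123456789abcdef")
	demoSalt = []byte{0xde, 0xad, 0xbe, 0xef}
	demoIV   = []byte{1, 2, 3, 4, 5, 6, 7, 8}
)

// gcmNonce builds the 12-byte AES-GCM nonce exactly as RFC 4106 does: salt || IV.
func gcmNonce(salt, iv []byte) []byte { return append(append([]byte{}, salt...), iv...) }

// ctrXOR applies the AES-CTR keystream (encrypt and decrypt are the same step).
// The 16-byte counter block is salt || IV || 0x00000001, mirroring RFC 3686.
func ctrXOR(key, nonce, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ctr := append(append([]byte{}, nonce...), 0, 0, 0, 1)
	out := make([]byte, len(in))
	cipher.NewCTR(block, ctr).XORKeyStream(out, in)
	return out
}

// tamperCTR encrypts, flips bits of one ciphertext byte, and decrypts. Because
// CTR is an XOR with keystream, the flip appears unchanged in the plaintext.
func tamperCTR(plaintext []byte, pos int, mask byte) []byte {
	nonce := gcmNonce(demoSalt, demoIV)
	ct := ctrXOR(demoKey, nonce, plaintext)
	ct[pos] ^= mask
	return ctrXOR(demoKey, nonce, ct)
}

// tamperGCM applies the same flip to an AES-GCM ciphertext; Open fails because
// the authentication tag no longer verifies, so the receiver drops the packet.
func tamperGCM(plaintext []byte, pos int, mask byte) ([]byte, error) {
	block, _ := aes.NewCipher(demoKey) // key length is fixed above, so no error
	aead, _ := cipher.NewGCM(block)
	nonce := gcmNonce(demoSalt, demoIV)
	ct := aead.Seal(nil, nonce, plaintext, nil)
	ct[pos] ^= mask
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	pt := []byte("amount=0010") // constructed sample; byte 7 is the leading '0'
	fmt.Printf("CTR: %q\n", tamperCTR(pt, 7, 0x09)) // prints "amount=9010"
	_, err := tamperGCM(pt, 7, 0x09)
	fmt.Println("GCM:", err) // prints the authentication failure
}
```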