With AES-GCM, AES-CCM, ChaCha20-Poly1305 you don’t need a PRNG at all. With AES-CBC you need an unpredictable IV, but you could generate them by encrypting a counter with one AES key (that could be provided by the controller)
But you still need the TLS session. > On 18 Jul 2017, at 17:34, Yaron Sheffer <yaronf.i...@gmail.com> wrote: > > On 18/07/17 17:14, Yoav Nir wrote: >> I mostly agree, but one point… >> >>> On 18 Jul 2017, at 17:06, Tero Kivinen <kivi...@iki.fi> wrote: >> <snip/> >> >>> This I think is important question, i.e., what is the gain for not >>> running IKEv2 between the nodes? >>> >> Simpler gateway, less code, no PK operations, no need for random number >> generator. >> >> The counter-argument is that without all these you can’t setup a TLS session >> to run netconf over. >> >> Yoav >> > No random number generator? I don't think this is true even for a pure ESP > endpoint. > > Thanks, > Yaron
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
