On Fri, 28 Oct 2022, Guillaume Solignac (gsoligna) wrote:
Is this requirement only based on not reusing the same IV on different cores or
is there an additional factor I missed?
For AES-GCM there is a 2^32 max operations per private key as well.
Are you referring to NIST SP 800-38D § 8.3? This is the closest I could find
to this restriction. But the 2^32 invocation limitation does not seem to apply
when the IV is 96 bits long and deterministic (which is the case in AES-GCM ESP
RFC4106).
Yes that is what I was referring to.
I see in https://www.rfc-editor.org/rfc/rfc4106
3.1. Initialization Vector (IV)
The AES-GCM-ESP IV field MUST be eight octets.
Now the nonce is a 4 octet salt plus the IV, which would make 96 bits.
But as always, I am uncertain of the terminology as RFCs and NIST
use different terms for IV, ICV, salt, nonce etc.
Maybe someone from NIST can help us here, as I am very interested in
this answer. Added Quynh to the CC: in the hope that he knows :)
Paul
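
The nonce layout discussed in this thread (4-octet salt followed by the 8-octet ESP IV, 96 bits in total), as an added example that is not part of the original message or of any implementation mentioned here. Placing a core id in the high bits of the IV is one assumed way to keep IVs distinct across cores; the class and function names and the sample salt used in the test are constructed for illustration.

```python
import struct

SALT_LEN = 4   # RFC 4106: salt, fixed for the lifetime of the SA
IV_LEN = 8     # RFC 4106 section 3.1: explicit IV carried in each ESP packet


class CoreIvGenerator:
    """Deterministic 8-octet IV source for one core of one SA.

    Assumed layout (not mandated by RFC 4106): the top core_bits bits hold
    the core id, the remaining low bits hold a per-core packet counter.
    """

    def __init__(self, salt: bytes, core_id: int, core_bits: int = 8):
        if len(salt) != SALT_LEN:
            raise ValueError("salt must be 4 octets")
        if not 0 <= core_id < (1 << core_bits):
            raise ValueError("core_id does not fit in core_bits")
        self.salt = salt
        self.shift = IV_LEN * 8 - core_bits
        self.prefix = core_id << self.shift
        self.counter = 0

    def next_iv(self) -> bytes:
        if self.counter >= (1 << self.shift):
            # Wrapping would repeat a nonce under the same key: rekey instead.
            raise OverflowError("IV space exhausted for this core, rekey the SA")
        iv = struct.pack(">Q", self.prefix | self.counter)
        self.counter += 1
        return iv

    def nonce(self, iv: bytes) -> bytes:
        """96-bit GCM nonce: 4-octet salt followed by the 8-octet IV."""
        if len(iv) != IV_LEN:
            raise ValueError("IV must be 8 octets")
        return self.salt + iv


def nonces_for(salt: bytes, cores: int, packets: int, core_bits: int = 8):
    """All nonces produced when `cores` cores each send `packets` packets."""
    out = []
    for core in range(cores):
        gen = CoreIvGenerator(salt, core, core_bits)
        out.extend(gen.nonce(gen.next_iv()) for _ in range(packets))
    return out
```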