From: naddy@mips.inka.de (Christian Weisgerber)
Date: Tue, 2 Dec 2008 20:12:28 +0000 (UTC)
To: freebsd-net@freebsd.org
Subject: Re: [ipsec] aes-ctr question

wang_jiabo wrote:

> following is my setkey configuration. I can get SAD and SPD. but when I
> run " ping6 -I rl0 3ffe:501:ffff:103:20a:ebff:fe85:9e56 " on FreeBSD
> FreeBSD report: kernel: esp_aesctr_decrypt aes-ctr:payload length must
> be multiple of 16
> kernel: decrypt fail in IPv6 ESP input :

(I cannot comment on this problem. Looks like a padding bug.)

> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x1000 -m tunnel -E aes-ctr
> "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";

Do not use AES-CTR with static keys! Re-use of keys with a stream
cipher will allow listeners to recover the plaintext. (See section 7
of RFC 3686.)

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
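
An added illustration of the warning above (not part of the original message and not FreeBSD code): it builds the RFC 3686 counter block from the 20-octet key material in the quoted setkey line and shows that two packets sent under the same key, nonce and IV share one keystream. A truncated SHA-256 stands in for AES so the sketch runs with the Python standard library only; the payloads, the restarted IV and all function names are constructed for the example.

```python
import hashlib

# Key material from the quoted setkey line: per RFC 3686 the last 4 octets
# are the nonce and the rest is the AES key.
KEYMAT = b"ipv6readylogoaes2to1"
AES_KEY, NONCE = KEYMAT[:-4], KEYMAT[-4:]

def counter_block(nonce: bytes, iv: bytes, block: int) -> bytes:
    """RFC 3686 counter block: nonce (4) || per-packet IV (8) || block counter (4)."""
    assert len(nonce) == 4 and len(iv) == 8
    return nonce + iv + block.to_bytes(4, "big")

def keystream(key: bytes, nonce: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for AES_k(counter block): SHA-256 truncated to 16 octets.
    NOT AES; used only so the example runs with the standard library."""
    out = b""
    block = 1  # RFC 3686 starts the block counter at one
    while len(out) < length:
        out += hashlib.sha256(key + counter_block(nonce, iv, block)).digest()[:16]
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(AES_KEY, NONCE, iv, len(plaintext)))

def reused_ivs(packets):
    """Defender's check: return IVs seen more than once under one SA/key."""
    seen, dup = set(), set()
    for iv, _ in packets:
        (dup if iv in seen else seen).add(iv)
    return dup

# Constructed scenario: the SA is reinstalled with the same static key and the
# sender's IV counter restarts, so IV 1 is used for two different payloads.
IV1 = (1).to_bytes(8, "big")
P_OLD = b"ICMPv6 echo request payload 0001"
P_NEW = b"confidential data after restart!"
C_OLD, C_NEW = ctr_encrypt(IV1, P_OLD), ctr_encrypt(IV1, P_NEW)

# The keystream cancels: the ciphertext XOR equals the plaintext XOR, so
# knowing (or guessing) one payload reveals the other without the key.
LEAK = xor(C_OLD, C_NEW)
RECOVERED = xor(LEAK, P_OLD)
```

With keys negotiated per SA (for example by IKE, as RFC 3686 recommends) the key and nonce change on every rekey, so a restarted IV counter no longer repeats a counter block.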