Message-ID: <4935DA42.2010804@redhat.com>
Date: Wed, 03 Dec 2008 09:00:50 +0800
From: wang_jiabo
To: Christian Weisgerber
Cc: freebsd-net@freebsd.org
References: <49349E26.30002@redhat.com>
Subject: Re: [ipsec] aes-ctr question

Christian Weisgerber wrote:
> wang_jiabo wrote:
>
>> following is my setkey configuration. I can get SAD and SPD. but when I
>> run " ping6 -I rl0 3ffe:501:ffff:103:20a:ebff:fe85:9e56 " on FreeBSD
>> FreeBSD report: kernel: esp_aesctr_decrypt aes-ctr:payload length must
>> be multiple of 16
>> kernel: decrypt fail in IPv6 ESP input :
>>
>
> (I cannot comment on this problem. Looks like a padding bug.)
>
>> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
>> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x1000 -m tunnel -E aes-ctr
>> "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";
>>
>
> Do not use AES-CTR with static keys! Re-use of keys with a stream
> cipher will allow listeners to recover the plaintext.
> (See section 7 of RFC 3686.)
>

but when I use " ping6 -I rl0 -s 11(or 12,13,14) 3ffe:501:ffff:103:20a:ebff:fe85:9e56" it is no problem
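
Added illustration, not part of the original message and not FreeBSD code: a model of the ESP length arithmetic that is consistent with the behaviour reported in this thread. It assumes tunnel mode with a 40-byte inner IPv6 header and no extension headers, a sender that pads only to the 4-byte alignment RFC 3686 allows for AES-CTR, and ping6's default of 56 data bytes; all function names are hypothetical.

```python
# Added illustration, not code from the thread or from FreeBSD.
# Assumptions: tunnel mode, no extension headers, sender pads to `align` bytes.
IPV6_HDR = 40        # inner IPv6 header carried inside the tunnel-mode ESP payload
ICMP6_ECHO_HDR = 8   # ICMPv6 echo request/reply header
ESP_TRAILER = 2      # Pad Length + Next Header, encrypted along with the payload
AES_BLOCK = 16       # the multiple named in the kernel message
PING6_DEFAULT = 56   # ping6 data size when -s is not given


def esp_encrypted_len(data_len, align):
    """Return (encrypted_bytes, pad_bytes) for one ping6 packet."""
    unpadded = IPV6_HDR + ICMP6_ECHO_HDR + data_len + ESP_TRAILER
    pad = (-unpadded) % align
    return unpadded + pad, pad


def receiver_accepts(data_len, sender_align):
    """Model of the receive-side check: encrypted length % 16 == 0."""
    total, _ = esp_encrypted_len(data_len, sender_align)
    return total % AES_BLOCK == 0


def accepted_sizes(sender_align, sizes=range(0, 65)):
    """ping6 -s values whose ESP packets pass the modelled check."""
    return [s for s in sizes if receiver_accepts(s, sender_align)]


if __name__ == "__main__":
    for s in (PING6_DEFAULT, 11, 12, 13, 14):
        total, pad = esp_encrypted_len(s, 4)
        print(f"-s {s:2}: {total} bytes, pad {pad}, accepted={receiver_accepts(s, 4)}")
    print("4-byte padding, accepted -s values:", accepted_sizes(4))
    print("16-byte padding rejects nothing:", accepted_sizes(16) == list(range(65)))
```

Under these assumptions the default-size ping produces a 108-byte encrypted body, which fails a multiple-of-16 check, while `-s 11` through `-s 14` all pad to exactly 64 bytes and pass.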