Date: Tue, 2 Dec 2008 20:12:28 +0000 (UTC)
From: naddy@mips.inka.de (Christian Weisgerber)
To: freebsd-net@freebsd.org
Subject: Re: [ipsec] aes-ctr question
Message-ID: <gh44rc$11fc$1@lorvorc.mips.inka.de>
References: <49349E26.30002@redhat.com>

wang_jiabo <jiabwang@redhat.com> wrote:

> following is my setkey configuration. I can get SAD and SPD. but when I
> run " ping6 -I rl0 3ffe:501:ffff:103:20a:ebff:fe85:9e56 " on FreeBSD
> FreeBSD report: kernel: esp_aesctr_decrypt aes-ctr:payload length must
> be multiple of 16
> kernel: decrypt fail in IPv6 ESP input :

(I cannot comment on this problem. Looks like a padding bug.)

> add 3ffe:501:ffff:103:20a:ebff:fe85:9e56
> 3ffe:501:ffff:104:21d:fff:fe19:59fc esp 0x1000 -m tunnel -E aes-ctr
> "ipv6readylogoaes2to1" -A hmac-sha1 "ipv6readylogsha12to1";

Do not use AES-CTR with static keys! Re-use of keys with a stream
cipher will allow listeners to recover the plaintext.
(See section 7 of RFC 3686.)

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de
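
The key-reuse risk named in the message above, as an added example that is not part of the original e-mail: when a statically keyed SA restarts its IV counter, two packets share one keystream and their ciphertexts XOR to the XOR of the plaintexts. Assumptions: SHA-256 stands in for the AES block function so only the standard library is needed, and the sample packets, the IV reset after a reboot, and the fresh key material are constructed.

```python
import hashlib

# Key material from the setkey line above: per RFC 3686 the last four
# octets of the 20-byte KEYMAT are the nonce, the first 16 the AES key.
KEYMAT = b"ipv6readylogoaes2to1"
KEY, NONCE = KEYMAT[:16], KEYMAT[16:]

def keystream(key, nonce, iv, length):
    """CTR keystream over counter blocks nonce(4) || IV(8) || counter(4).
    Assumption: SHA-256 truncated to 16 bytes stands in for the AES block
    function so the example needs only the standard library."""
    out, ctr = b"", 1  # RFC 3686 block counter starts at 1
    while len(out) < length:
        block = nonce + iv + ctr.to_bytes(4, "big")
        out += hashlib.sha256(key + block).digest()[:16]
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, iv, plaintext):
    return xor(plaintext, keystream(key, nonce, iv, len(plaintext)))

# Constructed sample packets (same length for simplicity).
P1 = b"ICMPv6 echo request payload 0001"
P2 = b"confidential tunnel traffic here"
IV = (1).to_bytes(8, "big")  # constructed: IV counter back at 1 after a reboot

def static_key_reuse():
    """Same key, nonce and IV before and after the reboot."""
    c1 = encrypt(KEY, NONCE, IV, P1)
    c2 = encrypt(KEY, NONCE, IV, P2)
    leak = xor(c1, c2)            # keystream cancels: equals P1 xor P2
    return leak, xor(leak, P1)    # a known P1 then yields P2

def rekeyed():
    """Fresh key material for the second SA, as a key-management daemon
    would negotiate (constructed value), so the keystreams differ."""
    c1 = encrypt(KEY, NONCE, IV, P1)
    c3 = encrypt(b"freshly-derived!", b"n0n2", IV, P2)
    return xor(c1, c3)

if __name__ == "__main__":
    leak, recovered = static_key_reuse()
    print(leak == xor(P1, P2), recovered)
    print(rekeyed() == xor(P1, P2))
```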