tech-net archive


Re: why is SA lifetime kilobyte limit disabled in racoon? said:
> While I don't know the precise reason, I will note that byte count
> expiration is much less of an issue with AES than with DES or 3DES.
> The problem with DES and 3DES is that they use 64-bit blocks, which
> means that you start running into birthday paradox problems after 2^32
> blocks, i.e., 2^35 bytes.  On modern, high-speed nets, that isn't at
> all out of the question.  AES, by contrast, uses 128-bit blocks, which
> raises the threshold to 2^68 bytes, which is about 7000 years at
> 10GigE speeds...

It seems to me that there is also a need for an expiration by
packet count, if IV uniqueness is important.
AES-CTR, e.g., has an IV space of 64 bits. With randomly generated
IVs (as the KAME and FAST_IPSEC code does on all BSDs AFAICS)
the same birthday paradox argument holds -- after 2^32 packets
even if the blocksize is 128 bits.
Or - being clueless about cryptography - am I missing something?

Since a packet count limit is not negotiated through IKE AFAIK,
this is a local decision, and one can't assume that both ends
of the line use the same limit.
This also would require that both sides are able to initiate
rekeying at any time.

(And/or another IV generation method could be used here, 64-bit LFSR
or so. I'll leave that to the experts.)

best regards

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren Local Court, No. HR B 3498
Chairman of the Supervisory Board: MinDirig Dr. Karl Eugen Huthmacher
Board of Management: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt

Visit us at our new website at
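The birthday arithmetic behind the quoted byte figures (2^35 bytes for 64-bit blocks, 2^68 bytes and "about 7000 years at 10GigE" for AES) and behind the 2^32-packet worry for random 64-bit CTR IVs, as an added example that is not part of this thread. It assumes the standard approximation n ≈ sqrt(2Np) and a 10 Gbit/s link; the second, much smaller target probability is there to show that the 50% bound is not where a rekey policy would sit.

```python
import math

def birthday_count(space_bits: int, p: float = 0.5) -> float:
    """Uniform draws from a 2**space_bits space before the chance of at
    least one repeat reaches p, using the approximation n ~= sqrt(2*N*p)."""
    return math.sqrt(2.0 * (2 ** space_bits) * p)

def collision_probability(n: int, space_bits: int) -> float:
    """Chance that n uniform draws from 2**space_bits contain a repeat:
    1 - exp(-n(n-1) / 2N)."""
    return 1.0 - math.exp(-(n * (n - 1)) / (2.0 * 2 ** space_bits))

def cbc_byte_limit(block_bits: int, p: float = 0.5) -> float:
    """CBC: the colliding unit is a ciphertext block, so the SA limit is
    naturally a byte count (blocks before collision * bytes per block)."""
    return birthday_count(block_bits, p) * (block_bits // 8)

def ctr_packet_limit(iv_bits: int, p: float = 0.5) -> float:
    """CTR with a fresh random IV per packet: the colliding unit is the
    packet, independent of the block size, so the limit is a packet count."""
    return birthday_count(iv_bits, p)

def years_at_rate(n_bytes: float, bits_per_second: float) -> float:
    """Wall-clock time to push n_bytes through a link of the given speed."""
    return n_bytes * 8.0 / bits_per_second / (365.25 * 86400)

def summary(p: float = 0.5) -> dict:
    """The thread's figures at p = 0.5; pass a smaller p for a policy bound."""
    return {
        "3des_cbc_bytes": cbc_byte_limit(64, p),              # 2**35 at p=0.5
        "aes_cbc_bytes": cbc_byte_limit(128, p),              # 2**68 at p=0.5
        "aes_cbc_years_10GigE": years_at_rate(cbc_byte_limit(128, p), 10e9),
        "aes_ctr_64bit_iv_packets": ctr_packet_limit(64, p),  # 2**32 at p=0.5
    }

if __name__ == "__main__":
    # p = 2**-32 is an assumed, conservative target; it is not from the thread.
    for target in (0.5, 2.0 ** -32):
        print(f"collision probability target {target:g}")
        for name, value in summary(target).items():
            print(f"  {name:26s} {value:.4g}")
```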
