Re: iked(8) and GCM

2013-05-22 Thread Mike Belopuhov
On 22 May 2013 19:57, Aaron Stellman wrote: > On Mon, May 20, 2013 at 08:24:06PM +0100, Stuart Henderson wrote: >> If you make it a couple of paragraphs past the table, there is this >> paragraph, which is rather clear: >> >> Using AES-GMAC or NULL with ESP will only provide authentication.

Re: iked(8) and GCM

2013-05-22 Thread Aaron Stellman
On Mon, May 20, 2013 at 08:24:06PM +0100, Stuart Henderson wrote: > If you make it a couple of paragraphs past the table, there is this > paragraph, which is rather clear: > > Using AES-GMAC or NULL with ESP will only provide authentication. This > is useful in setups where AH can not b

Re: iked(8) and GCM

2013-05-20 Thread Stuart Henderson
On 2013/05/20 10:56, Aaron Stellman wrote: > On Sat, May 18, 2013 at 04:30:43AM +0200, Reyk Floeter wrote: > > You're mixing up GCM and GMAC. You have to update your config to use > > aes-256-gcm instead of aes-256-gmac! The GMAC is actually only the > > authentication part and it is not encrypti

Re: iked(8) and GCM

2013-05-20 Thread Aaron Stellman
On Sat, May 18, 2013 at 04:30:43AM +0200, Reyk Floeter wrote: > You're mixing up GCM and GMAC. You have to update your config to use > aes-256-gcm instead of aes-256-gmac! The GMAC is actually only the > authentication part and it is not encrypting the payload. You can > see it as "childsa enc n

Re: iked(8) and GCM

2013-05-17 Thread Reyk Floeter
Hi, On Fri, May 17, 2013 at 12:55:15PM -0700, Aaron Stellman wrote: > Before I proceed, I realize that iked is not yet finished and is missing > some important security features. I am just pointing out something that > may not be known, and perhaps should be addressed. > ... > ikev2 esp from 10.9

iked(8) and GCM

2013-05-17 Thread Aaron Stellman
Before I proceed, I realize that iked is not yet finished and is missing some important security features. I am just pointing out something that may not be known, and perhaps should be addressed. I have a very simple instance of 2 qemu machines, running same snapshot of 5.3-current: OpenBSD openbs