[Swan-dev] what key-lengths to propose for IKEv2 ike=aes-... and esp=aes-...
Andrew Cagney
andrew.cagney at gmail.com
Mon Nov 28 16:59:01 UTC 2016
Given IKEv2 config lines like:

    ike=aes-...
    esp=aes-...

i.e., when no key length was explicitly specified, then pluto will propose:

    ike: aes_256 then aes_128
    esp: aes_128 then aes_256

i.e., ike and esp have key-lengths in the opposite order.

The behaviour is long standing - tests require this - but I'm left
wondering how much of this still makes sense.

Details:

For the case when there is no explicit key length, and it isn't 3DES,
IKEv2 will propose one (same) or both (different) of:

- keydeflen
- keymaxlen (aka max(encrypt->key_bit_lengths[]))

with the order being determined by IKE vs ESP.

Andrew
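
The ordering rule described in the message above, as a small C model. This is an added example, not pluto's code and not part of the original post. All type and function names are hypothetical, the AES table values are inferred from the quoted proposals, and treating 3DES as a fixed-key cipher that yields a single proposal with no key-length attribute is an assumption.

```c
#include <stdio.h>

/* Model of the ordering described above; every name here is hypothetical. */
enum proto { PROTO_IKE, PROTO_ESP };

struct encrypt_desc {
    const char *name;
    unsigned keydeflen;          /* default key length, bits; 0 = fixed-key cipher */
    unsigned key_bit_lengths[4]; /* supported lengths, 0-terminated */
};

/* Constructed sample data: AES values inferred from the proposals quoted above. */
const struct encrypt_desc model_aes  = { "aes",  128, { 128, 192, 256, 0 } };
const struct encrypt_desc model_3des = { "3des", 0,   { 0 } };

/* keymaxlen as the message defines it: max(key_bit_lengths[]) */
static unsigned keymaxlen(const struct encrypt_desc *e)
{
    unsigned max = 0;
    for (int i = 0; i < 4 && e->key_bit_lengths[i] != 0; i++)
        if (e->key_bit_lengths[i] > max)
            max = e->key_bit_lengths[i];
    return max;
}

/* Writes the key lengths to propose, in order, into out[]; returns how many. */
int proposed_keylens(enum proto p, const struct encrypt_desc *e,
                     unsigned explicit_len, unsigned out[2])
{
    if (explicit_len != 0) { out[0] = explicit_len; return 1; } /* length was given */
    if (e->keydeflen == 0) { out[0] = 0; return 1; }  /* assumption: no key-length attribute */
    unsigned def = e->keydeflen, max = keymaxlen(e);
    if (def == max) { out[0] = def; return 1; }       /* "one (same)" */
    out[0] = (p == PROTO_IKE) ? max : def;            /* IKE: max first; ESP: default first */
    out[1] = (p == PROTO_IKE) ? def : max;
    return 2;                                         /* "both (different)" */
}

int main(void)
{
    unsigned out[2];
    for (int p = PROTO_IKE; p <= PROTO_ESP; p++) {
        int n = proposed_keylens((enum proto)p, &model_aes, 0, out);
        printf("%s:", p == PROTO_IKE ? "ike" : "esp");
        for (int i = 0; i < n; i++)
            printf(" aes_%u", out[i]);
        printf("\n");
    }
    return 0;
}
```

Passing a non-zero `explicit_len` models a config line that names the key length, which collapses the result to that single value for both IKE and ESP.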