[Swan] phase2alg=aes_gcm_c-128-null

Paul Wouters paul at nohats.ca
Thu Jan 21 15:21:27 UTC 2016


On Thu, 21 Jan 2016, Noam Singer wrote:

> Subject: [Swan] phase2alg=aes_gcm_c-128-null

> A quick question about this family of ciphers
> Does the null at the end mean that packets are not authenticated?

No. AES_GCM is what is called an Authenticated Encryption algorithm.
It does both encryption and authentication in one pass.

See: https://en.wikipedia.org/wiki/Authenticated_encryption

On the wire, these authenticated encryption algorithms are sent as
"encryption" proposals. The null means "do not add a separate
authentication proposal". We should really fix up the parser so it
does not need that null, but for now you need to specify it.

Note that for IKE, the authentication algorithm is also used as PRF,
but you cannot use an authenticated encryption algorithm as PRF,
so there we read the second argument as PRF, e.g. ike=aes_gcm-sha2.

libreswan will reject any proposal that does not have a valid method
of encryption AND authentication, including when using esp=null, so
you can never generate or accept an IPsec proposal that's lacking
authentication.

Paul
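
An audit sketch for the rule described above, added here as an example (not part of the original message and not libreswan's parser): it reads `phase2alg=`/`esp=` lines and reports whether each proposal gets integrity from an AEAD cipher, from a separate algorithm, or from neither. The keyword subset, the function names and the sample config are assumptions made for the example.

```python
import re

# Assumption: a small subset of algorithm keywords, enough for this example.
AEAD = {"aes_gcm", "aes_gcm_a", "aes_gcm_b", "aes_gcm_c",
        "aes_ccm", "aes_ccm_a", "aes_ccm_b", "aes_ccm_c"}

def classify(proposal):
    """Classify one ESP proposal, e.g. 'aes_gcm_c-128-null'.

    Returns 'aead', 'separate', 'unauthenticated' or 'unspecified'.
    """
    fields = proposal.strip().lower().split(";")[0].split("-")  # drop ';dhgroup'
    enc = re.sub(r"(?<=[a-z])\d+$", "", fields[0])     # 'aes128' -> 'aes', '3des' stays
    rest = [f for f in fields[1:] if not f.isdigit()]  # drop an explicit key length
    integ = rest[0] if rest else None
    if enc in AEAD:
        return "aead"             # integrity comes from the cipher itself
    if integ is None:
        return "unspecified"      # nothing stated; this sketch does not guess defaults
    if integ == "null":
        return "unauthenticated"  # e.g. 'aes-null' or 'null-null'
    return "separate"             # e.g. 'aes128-sha1' or 'null-sha1'

# Matches uncommented 'phase2alg=' and 'esp=' lines in an ipsec.conf-style text.
LINE = re.compile(r"^\s*(phase2alg|esp)\s*=\s*(\S+)", re.M)

def audit(conf_text):
    """Return (keyword, proposal, verdict) for every proposal in conf_text."""
    results = []
    for key, value in LINE.findall(conf_text):
        for prop in value.split(","):
            results.append((key, prop, classify(prop)))
    return results

# Constructed sample, not taken from a real deployment.
SAMPLE = """
conn a
    phase2alg=aes_gcm_c-128-null
conn b
    esp=aes128-sha1,null-null
"""

if __name__ == "__main__":
    for key, prop, verdict in audit(SAMPLE):
        print(f"{key}={prop}: {verdict}")
```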

