RE: How to pass AES rounds number through PF_KEY interface

["Andrew Wenlang Zhu" <Andrew_zhu@hp.com>]

In <<The AES Cipher Algorithm and Its Use With IPsec>>
<draft-ietf-ipsec-cipher-aes-cbc-03.txt> of section 2.5. it reads "Rounds:
This variable determines how many times a block is encrypted.  While this
variable MAY be negotiated, a default value MUST always exist when it is not
negotiated. Within IPsec, the AES MUST support 10 rounds, corresponding to
the mandatory 128-bit keysize.
The AES's default number of rounds is 12 for a 192-bit keysize and 14 for a
256-bit keysize."

The Draft do have a default rounds number for each key size. I suggest to
get rid of the "MAY" for the Rounds number negotiation because there is no
significant benefit in changing rounds number.

-- Andrew Zhu

>-----Original Message-----
>From: owner-ipsec@lists.tislabs.com
>[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Sandy Harris
>Sent: Tuesday, March 12, 2002 12:39 PM
>Cc: ipsec@lists.tislabs.com
>Subject: Re: How to pass AES rounds number through PF_KEY interface
>
>
>Andrew Wenlang Zhu wrote:
>
>> Since the AES rounds number MAY be negotiated according to the
>> Internet Draft <<The AES Cipher Algorithm and Its Use With IPsec>>
>> <draft-ietf-ipsec-cipher-aes-cbc-03.txt>,
>
>If so, methinks the draft should change. In the original Rijndael
>spec, and I presume in the final AES, the number of rounds depends
>on key (and, for original Rijndael, block) size, but does not vary
>other than that.
>
>There should never be a need to negotiate or set number of rounds.
>Set the key size (for AES, block size is fixed at 128) and the
>number of rounds is determined.
>
>I think it's 10, 12, 14 for 128, 192, 256, but I haven't got the
>spec to hand and am not entirely certain.
>
>> I need to find a way to pass the rounds number from IKE to kernel
>> to install the SA. Unfortunately, I can not
>> find a pre-defined parameter to transfer this number.
>>
>> How do you transfer the AES rounds number in PF_KEY?
>