Network Working Group                                          D. McGrew
Internet-Draft                                       Cisco Systems, Inc.
Intended status: Standards Track                           March 9, 2009
Expires: September 10, 2009


 Test Cases for the use of Galois/Counter Mode (GCM) and Galois Message
                Authentication Code (GMAC) in IPsec ESP
                      draft-mcgrew-gcm-test-01.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 10, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This note provides test cases for the use of AES GCM and GMAC in ESP,
   as defined in RFC4106 and RFC4543, and clarifies some points in the
   latter specification.

Table of Contents

   1.  Introduction
       1.1.  Conventions Used In This Document
   2.  AES-GCM in ESP
   3.  AES-GMAC in ESP
   4.  Test Cases
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
       8.1.  Normative References
       8.2.  Informative References
   Author's Address

1.  Introduction

   This document reviews the use of the Galois/Counter Mode (GCM) and
   Galois Message Authentication Code (GMAC) modes of operation for the
   Advanced Encryption Standard as they are used in the Encapsulating
   Security Payload (ESP) [RFC4303].

1.1.  Conventions Used In This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  AES-GCM in ESP

   We briefly review the AES-GCM-ESP and AES-GMAC-ESP definitions and
   establish the notation used in the test cases.  The GCM encryption
   operation takes as input a key, a nonce, a plaintext, and an
   additional authenticated data (AAD) value.  It outputs a ciphertext
   and an authentication tag, or "tag" for short.  Here we follow
   [RFC4106] and refer to the GCM initialization vector (IV) as a nonce
   in order to differentiate it from the IV that is carried in the ESP
   packet.  The eight-byte ESP IV forms part of the 12-byte GCM nonce.

   In [RFC4106], "The Use of Galois/Counter Mode (GCM) in IPsec ESP",
   the GCM inputs and ESP fields are as follows:

      nonce       = Salt || IV
      aad         = SPI || SequenceNumber
      plaintext   = RestOfPayloadData || TFCpadding || Padding ||
                    PadLength || NextHeader
      PayloadData = IV || ciphertext
      ICV         = tag

   Figure 1: The format of the GCM inputs and ESP fields for
   AES-GCM-ESP, where the symbol || denotes concatenation.

   Here the fields RestOfPayloadData, TFCpadding, Padding, PadLength,
   NextHeader, SPI, SequenceNumber, and ICV are as defined in [RFC4303]
   and the fields Salt and IV are as defined in [RFC4106].  The field
   RestOfPayloadData contains the plaintext data that is described by
   the NextHeader field, and no other data.  (Recall that the
   PayloadData field contains both the IV and the RestOfPayloadData; see
   [RFC4303] for an illustration.)

   [RFC4106] defines the tag as the ICV, instead of defining it as the
   final part of the Payload Data.  However, the two definitions are
   functionally equivalent.

3.  AES-GMAC in ESP

   In RFC 4543, "The Use of Galois Message Authentication Code (GMAC) in
   IPsec ESP and AH", the GMAC inputs and ESP fields are as follows:

      nonce     = Salt || IV
      aad       = SPI || SequenceNumber || IV ||
                  RestOfPayloadData || TFCpadding || Padding ||
                  PadLength || NextHeader
      plaintext = {}
      Payload   = IV || PayloadData || TFCpadding || Padding ||
                  PadLength || NextHeader
      ICV       = tag

   Figure 2: The format of the GMAC inputs for ESP.

   Here the symbol {} refers to the zero-length octet string.

   The "Payload Data" is called the "Authenticated Payload" in one part
   of RFC 4543.  It consists of the eight-octet IV, followed by the data
   encapsulated by ESP, that is, the data referred to by the Next Header
   field.

   RFC 4543, Section 7 (Security Considerations), second sentence,
   should read "In AES-GCM-ESP, the IV is not included in either the
   plaintext or the additional authenticated data."  It currently
   contains a typographical error, and reads "In
   ENCR_NULL_AUTH_AES_GMAC, the IV is not included in either the
   plaintext or the additional authenticated data."

4.  Test Cases

   Here are the test cases.

   algorithm - The algorithm used in the test case.

   key - The secret key used by AES-GCM or AES-GMAC.

   spi - The ESP SPI field.

   seq - The ESP Sequence Number field, if the length is four octets,
      or the ESP Extended Sequence Number, if the length is eight
      octets.

   nonce - The AES-GCM or AES-GMAC nonce; it is an input to the
      algorithm.

   plaintext - The AES-GCM plaintext, which is an input to that
      algorithm.

   aad - The AES-GCM or AES-GMAC additional authenticated data; it is
      an input to that algorithm.

   ctext+tag - The AES-GCM ciphertext and authentication tag, or the
      AES-GMAC authentication tag; this is an output from the algorithm.

   packet - The complete ESP packet.

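   Added example (not part of the draft): the Python code below applies
   Figure 1 and Figure 2 to a received ESP packet, rebuilding the nonce
   and AAD from the SPI, the transmitted low-order sequence number bits
   and the IV.  The function names, the fixed 16-octet ICV length and the
   optional use of the third-party "cryptography" package are assumptions
   of this example; the key, salt and packets are copied from two of the
   test cases in this section.

```python
"""Map an ESP packet to AES-GCM / AES-GMAC inputs (Figures 1 and 2)."""

ICV_LEN = 16  # assumption: 16-octet tag, as in every test case of this draft


def esp_aead_inputs(packet, salt, esn_high=b"", gmac=False):
    """Return (nonce, aad, ciphertext, tag) for one received ESP packet.

    salt     -- 4 octets from the SA keying material; never sent on the wire
    esn_high -- high-order 32 bits of the Extended Sequence Number kept in
                the SA, or b"" when 32-bit sequence numbers are in use
    """
    if len(salt) != 4 or len(esn_high) not in (0, 4):
        raise ValueError("salt is 4 octets; esn_high is 0 or 4 octets")
    if len(packet) < 4 + 4 + 8 + ICV_LEN:
        raise ValueError("too short for SPI + seq + IV + ICV")
    spi, seq_low, iv = packet[0:4], packet[4:8], packet[8:16]
    body, tag = packet[16:-ICV_LEN], packet[-ICV_LEN:]
    nonce = salt + iv                   # nonce = Salt || IV
    aad = spi + esn_high + seq_low      # aad = SPI || SequenceNumber
    if gmac:
        # Figure 2: IV and payload are authenticated only; plaintext = {}
        return nonce, aad + iv + body, b"", tag
    return nonce, aad, body, tag        # Figure 1: body is the ciphertext


def open_packet(key, packet, salt, esn_high=b"", gmac=False):
    """Verify the ICV and return the payload; None if the optional
    third-party 'cryptography' package is not installed."""
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    except ImportError:
        return None
    nonce, aad, ctext, tag = esp_aead_inputs(packet, salt, esn_high, gmac)
    # decrypt() raises cryptography.exceptions.InvalidTag on an ICV mismatch
    plaintext = AESGCM(key).decrypt(nonce, ctext + tag, aad)
    return packet[16:-ICV_LEN] if gmac else plaintext


# Two of the draft's test cases; they share one key and salt.
KEY = bytes.fromhex("4c80cdefbb5d10da906ac73c3613a634")
SALT = bytes.fromhex("22433c64")         # first four octets of "nonce"
ESN_HIGH = bytes.fromhex("87654321")     # high half of seq 8765432100000007
GCM_PACKET = bytes.fromhex(              # AES-GCM-ESP, 64 octets
    "00004321000000074855ec7d3a234bfd"
    "74752e8aeb5d873cd7c0f4acc36c4bff"
    "84b7d7b98f0ca8b6acda6894bc619069"
    "ef9cbc28fe1b56a7c4e0d58c86cd2bc0")
GMAC_PACKET = bytes.fromhex(             # AES-GMAC-ESP, seq 00000007, 84 octets
    "00004321000000070000000000000000"
    "45000030da3a00008001df3bc0a80005"
    "c0a800010800c6cd0200070061626364"
    "65666768696a6b6c6d6e6f7071727374"
    "01020201f2a9a836e155106aa8dcd618"
    "e4099aaa")

if __name__ == "__main__":
    for name, pkt, high, gmac in (("GCM", GCM_PACKET, ESN_HIGH, False),
                                  ("GMAC", GMAC_PACKET, b"", True)):
        nonce, aad, ctext, tag = esp_aead_inputs(pkt, SALT, high, gmac)
        print(name, "nonce", nonce.hex(), "aad", aad.hex(), "tag", tag.hex())
        print(name, "payload", open_packet(KEY, pkt, SALT, high, gmac))
```

   With an Extended Sequence Number only the low-order 32 bits appear in
   the packet, so a receiver that builds the AAD from the wire bytes
   alone computes a different tag than the sender.
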
   algorithm = AES-GCM-ESP
   key       = 4c80cdefbb5d10da906ac73c3613a634
               (16 octets)
   spi       = 00004321
   seq       = 8765432100000000
               (8 octets)
   nonce     = 2e443b684956ed7e3b244cfe
   plaintext = 45000048699a000080114db7c0a80102
               c0a801010a9bf15638d3010000010000
               00000000045f736970045f7564700373
               69700963796265726369747902646b00
               0021000101020201
               (72 octets)
   aad       = 000043218765432100000000
               (12 octets)
   ctext+tag = fecf537e729d5b07dc30df528dd22b76
               8d1b98736696a6fd348509fa13ceac34
               cfa2436f14a3f3cf65925bf1f4a13c5d
               15b21e1884f5ff6247aeabb786b93bce
               61bc17d768fd9732459018148f6cbe72
               2fd04796562dfdb4
               (88 octets)
   packet    = 00004321000000004956ed7e3b244cfe
               fecf537e729d5b07dc30df528dd22b76
               8d1b98736696a6fd348509fa13ceac34
               cfa2436f14a3f3cf65925bf1f4a13c5d
               15b21e1884f5ff6247aeabb786b93bce
               61bc17d768fd9732459018148f6cbe72
               2fd04796562dfdb4
               (104 octets)

   algorithm = AES-GCM-ESP
   key       = feffe9928665731c6d6a8f9467308308
               (16 octets)
   spi       = 0000a5f8
   seq       = 0000000a
               (4 octets)
   nonce     = cafebabefacedbaddecaf888
   plaintext = 4500003e698f000080114dccc0a80102
               c0a801010a980035002a2343b2d00100
               00010000000000000373697009637962
               65726369747902646b00000100010001
               (64 octets)
   aad       = 0000a5f80000000a
               (8 octets)
   ctext+tag = deb22cd9b07c72c16e3a65beeb8df304
               a5a5897d33ae530f1ba76d5d114d2a5c
               3de81827c10e9a4f51330d0eec416642
               cfbb85a5b47e48a4ec3b9ba95d918bd1
               83b70d3aa8bc6ee4c309e9d85a41ad4a
               (80 octets)
   packet    = 0000a5f80000000afacedbaddecaf888
               deb22cd9b07c72c16e3a65beeb8df304
               a5a5897d33ae530f1ba76d5d114d2a5c
               3de81827c10e9a4f51330d0eec416642
               cfbb85a5b47e48a4ec3b9ba95d918bd1
               83b70d3aa8bc6ee4c309e9d85a41ad4a
               (96 octets)

   algorithm = AES-GCM-ESP
   key       = abbccddef00112233445566778899aab
               abbccddef00112233445566778899aab
               (32 octets)
   spi       = 4a2cbfe3
   seq       = 00000002
               (4 octets)
   nonce     = 112233440102030405060708
   plaintext = 4500003069a6400080062690c0a80102
               9389155e0a9e008b2dc57ee000000000
               7002400020bf0000020405b401010402
               01020201
               (52 octets)
   aad       = 4a2cbfe300000002
               (8 octets)
   ctext+tag = ff425c9b724599df7a3bcd510194e00d
               6a78107f1b0b1cbf06efae9d65a5d763
               748a637985771d347f0545659f14e99d
               ef842d8eb335f4eecfdbf831824b4c49
               15956c96
               (68 octets)
   packet    = 4a2cbfe3000000020102030405060708
               ff425c9b724599df7a3bcd510194e00d
               6a78107f1b0b1cbf06efae9d65a5d763
               748a637985771d347f0545659f14e99d
               ef842d8eb335f4eecfdbf831824b4c49
               15956c96
               (84 octets)

   algorithm = AES-GCM-ESP
   key       = 00000000000000000000000000000000
               (16 octets)
   spi       = 00000000
   seq       = 00000001
               (4 octets)
   nonce     = 000000000000000000000000
   plaintext = 4500003c99c500008001cb7a40679318
               010101010800075c0200440061626364
               65666768696a6b6c6d6e6f7071727374
               75767761626364656667686901020201
               (64 octets)
   aad       = 0000000000000001
               (8 octets)
   ctext+tag = 4688daf2f973a392732909c331d56d60
               f694abaa414b5e7ff5fdcdfff5e9a284
               456476492719ffb64de7d9dca1e1d894
               bc3bd57873ed4d181d19d4d5c8c18af3
               f821d496eeb096e98ad2b69e4799c71d
               (80 octets)
   packet    = 00000000000000010000000000000000
               4688daf2f973a392732909c331d56d60
               f694abaa414b5e7ff5fdcdfff5e9a284
               456476492719ffb64de7d9dca1e1d894
               bc3bd57873ed4d181d19d4d5c8c18af3
               f821d496eeb096e98ad2b69e4799c71d
               (96 octets)

   algorithm = AES-GCM-ESP
   key       = 3de09874b388e6491988d0c3607eae1f
               (16 octets)
   spi       = 42f67e3f
   seq       = 1010101010101010
               (8 octets)
   nonce     = 57690e434e280000a2fca1a3
   plaintext = 4500003c99c300008001cb7c40679318
               010101010800085c0200430061626364
               65666768696a6b6c6d6e6f7071727374
               75767761626364656667686901020201
               (64 octets)
   aad       = 42f67e3f1010101010101010
               (12 octets)
   ctext+tag = fba2caa4853cf9f0f22cb10d86dd83b0
               fec75691cf1a04b00d1138ec9c357917
               65acbd8701ad79845bf9fe3fba487bc9
               1755e6662b4c8d0d1f5e22739530320a
               e0d731cc978ecafaeae88f00e80d6e48
               (80 octets)
   packet    = 42f67e3f101010104e280000a2fca1a3
               fba2caa4853cf9f0f22cb10d86dd83b0
               fec75691cf1a04b00d1138ec9c357917
               65acbd8701ad79845bf9fe3fba487bc9
               1755e6662b4c8d0d1f5e22739530320a
               e0d731cc978ecafaeae88f00e80d6e48
               (96 octets)

   algorithm = AES-GCM-ESP
   key       = 3de09874b388e6491988d0c3607eae1f
               (16 octets)
   spi       = 42f67e3f
   seq       = 1010101010101010
               (8 octets)
   nonce     = 57690e434e280000a2fca1a3
   plaintext = 4500001c42a200008001441f406793b6
               e00000020a00f5ff01020201
               (28 octets)
   aad       = 42f67e3f1010101010101010
               (12 octets)
   ctext+tag = fba2ca845e5df9f0f22c3e6e86dd831e
               1fc65792cd1af9130e1379ed369f071f
               35e034be95f112e4e7d05d35
               (44 octets)
   packet    = 42f67e3f101010104e280000a2fca1a3
               fba2ca845e5df9f0f22c3e6e86dd831e
               1fc65792cd1af9130e1379ed369f071f
               35e034be95f112e4e7d05d35
               (60 octets)

   algorithm = AES-GCM-ESP
   key       = feffe9928665731c6d6a8f9467308308
               feffe9928665731c
               (24 octets)
   spi       = 0000a5f8
   seq       = 0000000a
               (4 octets)
   nonce     = cafebabefacedbaddecaf888
   plaintext = 45000028a4ad4000400678800a01038f
               0a010612802306b8cb712602dd6bb03e
               501016d075680001
               (40 octets)
   aad       = 0000a5f80000000a
               (8 octets)
   ctext+tag = a5b1f8066029aea40e598b8122de0242
               0938b3ab33f828e687b8858b5bfbdbd0
               315b27452144cc7795457b9652037f53
               18027b5b4cd7a636
               (56 octets)
   packet    = 0000a5f80000000afacedbaddecaf888
               a5b1f8066029aea40e598b8122de0242
               0938b3ab33f828e687b8858b5bfbdbd0
               315b27452144cc7795457b9652037f53
               18027b5b4cd7a636
               (72 octets)

   algorithm = AES-GCM-ESP
   key       = abbccddef00112233445566778899aab
               (16 octets)
   spi       = 00000100
   seq       = 0000000000000001
               (8 octets)
   nonce     = decaf888cafedebaceface74
   plaintext = 4500004933ba00007f119106c3fb1d10
               c2b1d326c02831ce0035dd7b800302d5
               00004e20001e8c18d75b81dc91baa047
               6b91b924b280389d92c963bac046ec95
               9b6266c04722b14923010101
               (76 octets)
   aad       = 000001000000000000000001
               (12 octets)
   ctext+tag = 18a6fd42f72cbf4ab2a2ea901f73d814
               e3e7f243d95412e1c349c1d2fbec168f
               9190feebaf2cb01984e65863965d7472
               b79da345e0e780191f0d2f0e0f496c22
               6f2127b27db35724e7845d68651f57e6
               5f354f75ff17015769623436
               (92 octets)
   packet    = 0000010000000001cafedebaceface74
               18a6fd42f72cbf4ab2a2ea901f73d814
               e3e7f243d95412e1c349c1d2fbec168f
               9190feebaf2cb01984e65863965d7472
               b79da345e0e780191f0d2f0e0f496c22
               6f2127b27db35724e7845d68651f57e6
               5f354f75ff17015769623436
               (108 octets)

   algorithm = AES-GCM-ESP
   key       = abbccddef00112233445566778899aab
               abbccddef00112233445566778899aab
               (32 octets)
   spi       = 17405e67
   seq       = 156f3126dd0db99b
               (8 octets)
   nonce     = 73616c74616e640169766563
   plaintext = 45080028732c00004006e9f90a010612
               0a01038f06b88023dd6bafbecb712602
               50101f646d540001
               (40 octets)
   aad       = 17405e67156f3126dd0db99b
               (12 octets)
   ctext+tag = f2d69ecdbd5a0d5b8d5ef38bad4da58d
               1f278fde98ef67549d524a3018d9a57f
               f4d3a31ce673119e451626c2415771e3
               b7eebca614c89b35
               (56 octets)
   packet    = 17405e67dd0db99b616e640169766563
               f2d69ecdbd5a0d5b8d5ef38bad4da58d
               1f278fde98ef67549d524a3018d9a57f
               f4d3a31ce673119e451626c2415771e3
               b7eebca614c89b35
               (72 octets)

   algorithm = AES-GCM-ESP
   key       = 3de09874b388e6491988d0c3607eae1f
               (16 octets)
   spi       = 42f67e3f
   seq       = 1010101010101010
               (8 octets)
   nonce     = 57690e434e280000a2fca1a3
   plaintext = 45000049333e00007f119182c3fb1d10
               c2b1d326c02831ce0035cb458003025b
               000001e0001e8c18d65759d52284a035
               2c71475c8880391c764d6e5ee0496b32
               5ae270c03899493915010101
               (76 octets)
   aad       = 42f67e3f1010101010101010
               (12 octets)
   ctext+tag = fba2cad12fc1f9f00d3cebf305410db8
               3d7784b607323d220f24b0a97d541828
               00cadb0f68d99ef0e0c0c89ae9bea888
               4e52d65bc1afd0740f742444747b5b39
               ab533163aad4550ee5160975cdb608c5
               769189609763b8e18caa81e2
               (92 octets)
   packet    = 42f67e3f101010104e280000a2fca1a3
               fba2cad12fc1f9f00d3cebf305410db8
               3d7784b607323d220f24b0a97d541828
               00cadb0f68d99ef0e0c0c89ae9bea888
               4e52d65bc1afd0740f742444747b5b39
               ab533163aad4550ee5160975cdb608c5
               769189609763b8e18caa81e2
               (108 octets)

   algorithm = AES-GCM-ESP
   key       = abbccddef00112233445566778899aab
               abbccddef00112233445566778899aab
               (32 octets)
   spi       = 17405e67
   seq       = 156f3126dd0db99b
               (8 octets)
   nonce     = 73616c74616e640169766563
   plaintext = 636973636f0172756c65730174686501
               6e6574776501646566696e6501746865
               746563686e6f6c6f6769657301746861
               7477696c6c01646566696e65746f6d6f
               72726f7701020201
               (72 octets)
   aad       = 17405e67156f3126dd0db99b
               (12 octets)
   ctext+tag = d4b7ed86a1777f2ea13d6973d324c69e
               7b43f826fb56831226508bebd2dceb18
               d0a6df10e5487df074113e14c641024e
               3e6773d91a62ee429b043a10e3efe6b0
               12a49363412364f8c0cac587f249e56b
               11e24f30e44ccc76
               (88 octets)
   packet    = 17405e67dd0db99b616e640169766563
               d4b7ed86a1777f2ea13d6973d324c69e
               7b43f826fb56831226508bebd2dceb18
               d0a6df10e5487df074113e14c641024e
               3e6773d91a62ee429b043a10e3efe6b0
               12a49363412364f8c0cac587f249e56b
               11e24f30e44ccc76
               (104 octets)

   algorithm = AES-GCM-ESP
   key       = 7d773d00c144c525ac619d18c84a3f47
               (16 octets)
   spi       = 335467ae
   seq       = ffffffff
               (4 octets)
   nonce     = d966426743457e9182443bc6
   plaintext = 01020201
               (4 octets)
   aad       = 335467aeffffffff
               (8 octets)
   ctext+tag = 437f866bcb3f699fe9b0822bac961c45
               04bef270
               (20 octets)
   packet    = 335467aeffffffff43457e9182443bc6
               437f866bcb3f699fe9b0822bac961c45
               04bef270
               (36 octets)

   algorithm = AES-GCM-ESP
   key       = abbccddef00112233445566778899aab
               (16 octets)
   spi       = 00000100
   seq       = 0000000000000001
               (8 octets)
   nonce     = decaf888cafedebaceface74
   plaintext = 746f016265016f72016e6f7401746f01
               62650001
               (20 octets)
   aad       = 000001000000000000000001
               (12 octets)
   ctext+tag = 29c9fc69a197d038ccdd14e2ddfcaa05
               43332164412503524303ed3c6c5f2838
               43af8c3e
               (36 octets)
   packet    = 0000010000000001cafedebaceface74
               29c9fc69a197d038ccdd14e2ddfcaa05
               43332164412503524303ed3c6c5f2838
               43af8c3e
               (52 octets)

   algorithm = AES-GCM-ESP
   key       = 6c6567616c697a656d6172696a75616e
               61616e64646f69746265666f72656961
               (32 octets)
   spi       = 796b6963
   seq       = ffffffffffffffff
               (8 octets)
   nonce     = 7475726e333021696765746d
   plaintext = 45000030da3a00008001df3bc0a80005
               c0a800010800c6cd0200070061626364
               65666768696a6b6c6d6e6f7071727374
               01020201
               (52 octets)
   aad       = 796b6963ffffffffffffffff
               (12 octets)
   ctext+tag = f97ab2aa356d8edce17644ac8c78e25d
               d24dedbb29ebf1b64a274b39b49c3a86
               4cd3d78ca4ae68a32b42458fb57dbe82
               1dcc63b9d0937ba2945f669368661a32
               9fb4c053
               (68 octets)
   packet    = 796b6963ffffffff333021696765746d
               f97ab2aa356d8edce17644ac8c78e25d
               d24dedbb29ebf1b64a274b39b49c3a86
               4cd3d78ca4ae68a32b42458fb57dbe82
               1dcc63b9d0937ba2945f669368661a32
               9fb4c053
               (84 octets)

   algorithm = AES-GMAC-ESP
   key       = 4c80cdefbb5d10da906ac73c3613a634
               (16 octets)
   spi       = 00004321
   seq       = 00000007
               (4 octets)
   nonce     = 22433c640000000000000000
   plaintext = (0 octets)
   aad       = 00004321000000070000000000000000
               45000030da3a00008001df3bc0a80005
               c0a800010800c6cd0200070061626364
               65666768696a6b6c6d6e6f7071727374
               01020201
               (68 octets)
   ctext+tag = (16 octets)
   packet    = 00004321000000070000000000000000
               45000030da3a00008001df3bc0a80005
               c0a800010800c6cd0200070061626364
               65666768696a6b6c6d6e6f7071727374
               01020201f2a9a836e155106aa8dcd618
               e4099aaa
               (84 octets)

   algorithm = AES-GCM-ESP
   key       = 3de09874b388e6491988d0c3607eae1f
               (16 octets)
   spi       = 3f7ef642
   seq       = 1010101010101010
               (8 octets)
   nonce     = 57690e434e280000a2fca1a3
   plaintext = 45000030da3a00008001df3bc0a80005
               c0a800010800c6cd0200070061626364
               65666768696a6b6c6d6e6f7071727374
               01020201
               (52 octets)
   aad       = 3f7ef6421010101010101010
               (12 octets)
   ctext+tag = fba2caa8c6c5f9f0f22ca54a061210ad
               3f6e5791cf1aca210d117cec9c357917
               65acbd8701ad79845bf9fe3fba487bc9
               6321930684eecadb56912546e7a95c97
               40d7cb05
               (68 octets)
   packet    = 3f7ef642101010104e280000a2fca1a3
               fba2caa8c6c5f9f0f22ca54a061210ad
               3f6e5791cf1aca210d117cec9c357917
               65acbd8701ad79845bf9fe3fba487bc9
               6321930684eecadb56912546e7a95c97
               40d7cb05
               (84 octets)

   algorithm = AES-GCM-ESP
   key       = 4c80cdefbb5d10da906ac73c3613a634
               (16 octets)
   spi       = 00004321
   seq       = 8765432100000007
               (8 octets)
   nonce     = 22433c644855ec7d3a234bfd
   plaintext = 0800c6cd020007006162636465666768
               696a6b6c6d6e6f707172737401020201
               (32 octets)
   aad       = 000043218765432100000007
               (12 octets)
   ctext+tag = 74752e8aeb5d873cd7c0f4acc36c4bff
               84b7d7b98f0ca8b6acda6894bc619069
               ef9cbc28fe1b56a7c4e0d58c86cd2bc0
               (48 octets)
   packet    = 00004321000000074855ec7d3a234bfd
               74752e8aeb5d873cd7c0f4acc36c4bff
               84b7d7b98f0ca8b6acda6894bc619069
               ef9cbc28fe1b56a7c4e0d58c86cd2bc0
               (64 octets)

5.  Security Considerations

   An improperly implemented crypto algorithm may be insecure.

6.  IANA Considerations

   This document has no actions for IANA.

7.  Acknowledgements

   Thanks to Arpan Srivastava and Aravindhan P. for generating and
   validating test cases.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

8.2.  Informative References

   [RFC4106]  Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
              (GCM) in IPsec Encapsulating Security Payload (ESP)",
              RFC 4106, June 2005.

   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, December 2005.

Author's Address

   David A. McGrew
   Cisco Systems, Inc.
   510 McCarthy Blvd.
   Milpitas, CA  95035
   US

   Phone: (408) 525 8651
   Email: mcgrew@cisco.com
   URI:   http://www.mindspring.com/~dmcgrew/dam.htm