Re: linux-ipsec: ERROR_MESSAGES: spi invalid key message needs to be better.

>>>>> "Jim" == Jim Gillogly <jimg@mentat.com> writes:

>> spi: Invalid encryption key: 0cabcdefghABCDEFGHabcdefgh

 Jim> Maybe it should be "spi: non-hex digits in encryption key:  Jim> 0cab...gh...GH...gh"

 Jim> The spec also requires the parity to be right, so if that's
 Jim> broken and we're in Fascist mode it could tell us about that
 Jim> too.  I'm not a big fan of that requirement, but I guess it's
 Jim> needed for some hardware implementations of DES.

I don't think there's any ipsec spec that says you have to get parity right. In fact, it's hard to see how that could be possible in dynamic keying.

What everyone is doing instead is to ignore the "parity" bits, or, if they are dealing with some dumb hardware, generating the desired parity bits internally. At the protocol level, the key is simply 64 bits with 8 don't-care bits in it.

        paul Received on Thu Sep 3 11:16:18 1998