
Re: Inbound processing of ESP packet



On Sun, Jan 14, 2001 at 09:07:22PM -0800, Pervaiz Rizvi wrote:

> I am confused about how the inbound processing of ESP 
> packet is done.
> 
>        [ [SPI] [Seq#] [IV] [encrypted payload] [auth data] ]
> 
> How does the IPsec stack know the size of the encrypted payload?
> Or how does it avoid having to know it?

The encrypted payload contains padding data and the type of data
contained within:

 (...encrypted data...) (padding data) (pad length) (type)

Padding is necessary both for block mode algorithms and 32 bit alignment.
So your data length is:

 Enc.payl.length - pad length - 2 (1 byte pad length info, 1 byte type)

> Also, since the Auth trailer follows the encrypted payload
> and since the inbound processing routine does not
> know the length of the encrypted payload, how does the 
> stack authenticate the packet prior to encryption?

The auth trailer is calculated _after_ encrypting the payload.

Stefan.

-- 
*--- please cut here... -------------------------------------- thanks! ---*
|-> E-Mail: stefan.schlott@informatik.uni-ulm.de    PGP-Key: 0x2F36F4FE <-|
*-------------------------------------------------------------------------*
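
The length arithmetic from the reply above, as an added example that is not part of the original message. It goes one step beyond the reply by also deriving the encrypted payload length from the packet length, on the assumption that the IV and auth data lengths are fixed by the algorithms of the SA. Function names and sample bytes are constructed for illustration, and the auth check and decryption themselves are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the encrypted region, from the packet length alone.
 * iv_len and icv_len are assumed to come from the SA (fixed by the
 * negotiated cipher and auth algorithm). Returns -1 if too short. */
long esp_enc_len(size_t pkt_len, size_t iv_len, size_t icv_len)
{
    size_t fixed = 8 + iv_len + icv_len;      /* SPI(4) + Seq#(4) + IV + auth data */
    if (pkt_len < fixed + 2)                  /* must hold pad length + type */
        return -1;
    return (long)(pkt_len - fixed);
}

/* Data length after decryption: enc_len - pad length - 2.
 * Returns -1 if the pad length does not fit in the payload. */
long esp_data_len(const uint8_t *plain, size_t enc_len)
{
    if (enc_len < 2)
        return -1;
    size_t pad_len = plain[enc_len - 2];      /* second-to-last byte */
    if (pad_len > enc_len - 2)
        return -1;
    return (long)(enc_len - pad_len - 2);
}

/* Constructed decrypted payload: 10 data bytes, 4 pad bytes, pad length 4, type 6. */
const uint8_t SAMPLE_PLAIN[16] = {
    'h','e','l','l','o','w','o','r','l','d', 1, 2, 3, 4, 4, 6
};
/* Constructed malformed payload: pad length 200 in a 4-byte payload. */
const uint8_t SAMPLE_BAD[4] = { 0, 0, 200, 6 };

int main(void)
{
    /* Constructed sizes: 44-byte ESP packet, 8-byte IV, 12-byte auth data. */
    long enc = esp_enc_len(44, 8, 12);
    printf("encrypted payload: %ld bytes\n", enc);
    printf("data: %ld bytes, type %u\n",
           esp_data_len(SAMPLE_PLAIN, (size_t)enc), SAMPLE_PLAIN[enc - 1]);
    printf("malformed: %ld\n", esp_data_len(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

The pad length byte is only readable after decryption, so the bounds check on it is what keeps a malformed packet from producing a negative data length.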
