Re: Inbound processing of ESP packet
>I am confused about how the inbound processing of ESP
>packet is done.
> [ [SPI] [Seq#] [IV] [encrypted payload] [auth data] ]
>How does the IPsec stack know the size of the encrypted payload?
>Or how does it avoid having to know it?
Assume we do not have authentication data. We can know the
(unencrypted) payload length from the pad length.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
|               Security Parameters Index (SPI)                 | ^Auth.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
|                      Sequence Number                          | |erage
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----
|                    Payload Data* (variable)                   | |   ^
~                                                               ~ |   |
|                                                               | |Conf.
+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
|               |     Padding (0-255 bytes)                     | |erage*
+-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |   |
|                               |  Pad Length   | Next Header   | v   v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------
>Also, since the Auth trailer follows the encrypted payload
>and since the inbound processing routine does not
>know the length of the encrypted payload, how does the
>stack authenticate the packet prior to encryption?
When both ends agree upon a configuration, they agree on the
authentication trailer length, so both ends know the authentication
trailer length. Then you can subtract the pad length to know the
unencrypted payload length.
itojun
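The inbound logic described in this reply, as an added illustration that is not part of the original message or of any IPsec stack: the ICV length is fixed by the SA (here 12 bytes, as for HMAC-SHA1-96), so the receiver slices it off the end, verifies it over everything before it, decrypts, and only then reads Pad Length and Next Header from the last two plaintext bytes to recover the payload length. The confidentiality transform below is a stand-in counter-mode keystream built from SHA-256, not AES-CBC; the IV length, keys, SPI and payload are constructed values for the example.

```python
import hashlib
import hmac
import os
import struct

ICV_LEN = 12   # HMAC-SHA1-96 ICV length, fixed when the SA is negotiated
IV_LEN = 8     # IV length of the stand-in cipher (assumption for this example)
HDR_LEN = 8    # SPI (4 bytes) + Sequence Number (4 bytes)


def keystream(key, iv, n):
    # Stand-in confidentiality transform (NOT AES-CBC): a counter-mode
    # keystream derived with SHA-256, enough to show the framing logic.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header):
    # Pad so that payload + padding + the 2 trailer bytes is a multiple of 4,
    # using the default 1,2,3,... pattern (RFC 2406 section 2.4).
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    plaintext = payload + padding + bytes([pad_len, next_header])
    iv = os.urandom(IV_LEN)
    ciphertext = xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    header = struct.pack(">II", spi, seq)
    authenticated = header + iv + ciphertext   # auth coverage per the diagram
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def is_authentic(auth_key, packet):
    # The ICV length is known from the SA, so it is simply the last ICV_LEN
    # bytes; nothing about the payload length is needed to check it.
    if len(packet) < HDR_LEN + IV_LEN + 2 + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def esp_decapsulate(enc_key, auth_key, packet):
    # 1. Verify the ICV before decrypting anything.
    if not is_authentic(auth_key, packet):
        raise ValueError("ESP authentication failed")
    body = packet[:-ICV_LEN]
    spi, seq = struct.unpack(">II", body[:HDR_LEN])
    iv = body[HDR_LEN:HDR_LEN + IV_LEN]
    ciphertext = body[HDR_LEN + IV_LEN:]
    # 2. Decrypt; the encrypted region is everything between IV and ICV.
    plaintext = xor(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    # 3. Pad Length and Next Header sit in the last two plaintext bytes.
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("pad length exceeds decrypted data")
    if plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not match the default pattern")
    # 4. Payload length = encrypted length - pad length - 2 trailer bytes.
    payload = plaintext[:-2 - pad_len]
    return spi, seq, next_header, payload


if __name__ == "__main__":
    enc_key, auth_key = b"e" * 16, b"a" * 20      # constructed keys
    pkt = esp_encapsulate(enc_key, auth_key, 0x1234, 7, b"hello", 4)
    print(esp_decapsulate(enc_key, auth_key, pkt))
```

Step 4 is the arithmetic in the reply: the receiver never needs an explicit payload-length field because the encrypted region's length is implied by the packet length minus the fixed-size header, IV and ICV, and the pad length inside it fixes where the payload ends. A packet whose ICV fails, or whose Pad Length claims more padding than there is plaintext, is dropped before any payload is handed up.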