
Re: Inbound processing of ESP packet



On Sun, 14 Jan 2001, Pervaiz Rizvi wrote:
>        [ [SPI] [Seq#] [IV] [encrypted payload] [auth data] ]
> How does the IPsec stack know the size of the encrypted payload?

Normally, packet length is discovered based on link-level framing, either
supplemented or confirmed by the byte count in the IP header.  The IPsec
stack is *told* how many bytes it's getting, total.  The SPI identifies
the SA, and the SA tells the IPsec stack what authentication algorithm is
used, which determines how long the "auth data" section is.  The length of
the "encrypted payload" section is determined by subtraction.  The
contents of that section, after decryption, are self-describing. 

                                                          Henry Spencer
                                                       henry@spsystems.net
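
The length bookkeeping described in the reply above, as an added C example (not part of the original message and not taken from any IPsec implementation). The struct and function names and the SA table values are constructed for illustration; the trailer layout (pad length and next header as the last two decrypted bytes) follows the ESP specification, RFC 2406.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical per-SA parameters; a real stack gets these from key negotiation. */
struct esp_sa { uint32_t spi; size_t iv_len, icv_len, block_len; };

/* Constructed SA table: SPI 0x1001 = 8-byte IV, 12-byte auth data, 8-byte cipher block. */
static const struct esp_sa sa_table[] = { { 0x1001, 8, 12, 8 } };

struct esp_layout { uint32_t seq; size_t iv_off, ct_off, ct_len, icv_off; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The SPI in the first four bytes selects the SA. */
const struct esp_sa *esp_lookup(const uint8_t *pkt, size_t total) {
    if (total < 8) return NULL;
    for (size_t i = 0; i < sizeof sa_table / sizeof sa_table[0]; i++)
        if (sa_table[i].spi == be32(pkt)) return &sa_table[i];
    return NULL;
}

/* Locate each field from the total length reported by the IP layer.
 * Returns 0, or -1 when the length cannot be consistent with the SA. */
int esp_split(const uint8_t *pkt, size_t total, const struct esp_sa *sa, struct esp_layout *out) {
    const size_t hdr = 8;                        /* SPI + sequence number */
    if (total < hdr + sa->iv_len + sa->icv_len + 2) return -1;
    size_t ct_len = total - hdr - sa->iv_len - sa->icv_len;  /* by subtraction */
    if (sa->block_len > 1 && ct_len % sa->block_len != 0) return -1;
    out->seq = be32(pkt + 4);
    out->iv_off = hdr;
    out->ct_off = hdr + sa->iv_len;
    out->ct_len = ct_len;
    out->icv_off = out->ct_off + ct_len;
    return 0;
}

/* After decryption the last two bytes are pad length and next header. */
int esp_trailer(const uint8_t *pt, size_t pt_len, size_t *data_len, uint8_t *next_hdr) {
    if (pt_len < 2) return -1;
    size_t pad = pt[pt_len - 2];
    if (pad + 2 > pt_len) return -1;             /* pad length points outside the payload */
    *data_len = pt_len - 2 - pad;
    *next_hdr = pt[pt_len - 1];
    return 0;
}
```

The auth data at `icv_off` is verified over everything before it prior to decryption, so `esp_trailer` only ever sees plaintext from an authenticated packet.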


