Re: Inbound processing of ESP packet
In message <Pine.BSI.3.91.1010115111414.17151B-100000@spsystems.net>, Henry Spencer writes:
>On Sun, 14 Jan 2001, Pervaiz Rizvi wrote:
>> [ [SPI] [Seq#] [IV] [encrypted payload] [auth data] ]
>> How does the IPsec stack know the size of the encrypted payload?
>
>Normally, packet length is discovered based on link-level framing, either
>supplemented or confirmed by the byte count in the IP header. The IPsec
>stack is *told* how many bytes it's getting, total. The SPI identifies
>the SA, and the SA tells the IPsec stack what authentication algorithm is
>used, which determines how long the "auth data" section is. The length of
>the "encrypted payload" section is determined by subtraction. The
>contents of that section, after decryption, are self-describing.
Nope; the IP header value is the only authoritative one. There may be
link-level padding, such as the minimum frame size on Ethernet.
The link-level length is checked to ensure that enough data was
received to accommodate the IP header's value.
--Steve Bellovin, http://www.research.att.com/~smb
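The two replies above together describe the bookkeeping an ESP receiver has to do: the SA (found via the SPI) fixes the IV and auth-data lengths, the IP header's total length fixes how many bytes the ESP segment spans, the link layer may deliver extra padding beyond that but must never deliver fewer bytes, and the encrypted payload length falls out by subtraction. The following is an added example, not code from either poster or from any real IPsec stack; the function names (`split_esp`, `build_sample`, `accepts`) and the packet contents (SPI, addresses, an 8-byte IV, a 96-bit ICV) are constructed for illustration.

```python
import struct
from dataclasses import dataclass

ESP_PROTO = 50        # IP protocol number for ESP
ESP_FIXED_HDR = 8     # SPI (4 bytes) + sequence number (4 bytes)


@dataclass
class EspParts:
    spi: int
    seq: int
    iv: bytes
    ciphertext: bytes
    icv: bytes


def split_esp(frame: bytes, iv_len: int, icv_len: int) -> EspParts:
    """Split an IPv4/ESP packet, as delivered by the link layer, into its fields.

    iv_len and icv_len are what the SA (looked up by SPI) tells the stack about
    the cipher's IV and the integrity algorithm's authentication data.
    """
    if len(frame) < 20:
        raise ValueError("frame shorter than a minimal IPv4 header")
    ver_ihl = frame[0]
    total_len = struct.unpack("!H", frame[2:4])[0]
    proto = frame[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("inconsistent IP header length fields")
    # The IP total length is authoritative. The link layer may hand up more
    # bytes (e.g. Ethernet minimum-frame padding) but must never hand up fewer.
    if len(frame) < total_len:
        raise ValueError(f"truncated: link delivered {len(frame)} bytes, "
                         f"IP header says {total_len}")
    if proto != ESP_PROTO:
        raise ValueError(f"protocol {proto} is not ESP")
    esp = frame[ihl:total_len]          # any trailing link padding is dropped here
    enc_len = len(esp) - ESP_FIXED_HDR - iv_len - icv_len   # payload by subtraction
    if enc_len < 0:
        raise ValueError("ESP segment too short for SPI, seq, IV and auth data")
    spi, seq = struct.unpack("!II", esp[:ESP_FIXED_HDR])
    iv_start = ESP_FIXED_HDR
    ct_start = iv_start + iv_len
    icv_start = ct_start + enc_len
    return EspParts(spi, seq, esp[iv_start:ct_start],
                    esp[ct_start:icv_start], esp[icv_start:])


def accepts(frame: bytes, iv_len: int, icv_len: int) -> bool:
    """True if split_esp accepts the frame, False if it rejects it."""
    try:
        split_esp(frame, iv_len, icv_len)
        return True
    except ValueError:
        return False


def build_sample(padding: int = 0) -> bytes:
    """Construct a sample IPv4/ESP packet; all values are made up for this example.

    `padding` appends bytes that model link-level fill: they are not part of the
    IP packet and are not counted in the IP total length.
    """
    iv = bytes(range(8))                 # 8-byte IV (constructed)
    ciphertext = bytes([0xAA] * 16)      # opaque encrypted payload (constructed)
    icv = bytes([0xBB] * 12)             # 96-bit auth data, e.g. HMAC-SHA1-96
    esp = struct.pack("!II", 0x1234, 7) + iv + ciphertext + icv
    total_len = 20 + len(esp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ESP_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + esp + bytes(padding)


if __name__ == "__main__":
    parts = split_esp(build_sample(padding=6), iv_len=8, icv_len=12)
    print(f"SPI={parts.spi:#x} seq={parts.seq} ciphertext={len(parts.ciphertext)} bytes")
```

Feeding the same packet with and without trailing link padding yields identical fields, because everything past the IP total length is ignored; a frame one byte shorter than the IP header claims is rejected before any ESP field is touched.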