
Re: Inbound processing of ESP packet



In message <Pine.BSI.3.91.1010115111414.17151B-100000@spsystems.net>, Henry Spencer writes:
>On Sun, 14 Jan 2001, Pervaiz Rizvi wrote:
>>        [ [SPI] [Seq#] [IV] [encrypted payload] [auth data] ]
>> How does the IPsec stack know the size of the encrypted payload?
>
>Normally, packet length is discovered based on link-level framing, either
>supplemented or confirmed by the byte count in the IP header.  The IPsec
>stack is *told* how many bytes it's getting, total.  The SPI identifies
>the SA, and the SA tells the IPsec stack what authentication algorithm is
>used, which determines how long the "auth data" section is.  The length of
>the "encrypted payload" section is determined by subtraction.  The
>contents of that section, after decryption, are self-describing. 

Nope; the IP header value is the only authoritative one.  There may be 
link-level padding, such as the minimum frame size on Ethernet.
The link-level length is checked to ensure that enough data was 
received to accommodate the IP header's value.


		--Steve Bellovin, http://www.research.att.com/~smb
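The length arithmetic described in this thread, as an added example that is not part of either message: the IP header's total-length field is taken as authoritative, the link-layer byte count is only checked to be at least that large (anything beyond it is treated as link padding), and the encrypted payload is whatever remains after the fixed SPI/sequence fields, the SA's IV size and the SA's ICV size are subtracted. The IV and ICV sizes are passed in directly as a stand-in for the SA lookup; the sample datagram, addresses and zero header checksum are constructed for illustration.

```python
import struct

IPPROTO_ESP = 50          # protocol number for ESP in the IPv4 header
ESP_FIXED_HDR_LEN = 8     # 32-bit SPI + 32-bit sequence number


def split_esp_packet(frame: bytes, iv_len: int, icv_len: int):
    """Carve an IPv4/ESP datagram out of the bytes handed up by the link layer.

    iv_len and icv_len stand in for what the SA lookup (keyed by SPI) would
    supply: the cipher's IV size and the authenticator's ICV size.
    Returns (spi, seq, iv, encrypted_payload, icv).
    """
    if len(frame) < 20:
        raise ValueError("frame shorter than a minimal IPv4 header")
    if frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if total_len < ihl:
        raise ValueError("IP total length smaller than IP header length")
    # The link layer must have delivered at least what the IP header claims;
    # any excess (e.g. Ethernet minimum-frame padding) is simply ignored.
    if len(frame) < total_len:
        raise ValueError("link layer delivered fewer bytes than the IP header claims")
    if frame[9] != IPPROTO_ESP:
        raise ValueError("IP protocol field is not ESP")
    ip_payload = frame[ihl:total_len]          # trailing link padding dropped here
    if len(ip_payload) < ESP_FIXED_HDR_LEN + iv_len + icv_len:
        raise ValueError("ESP packet too short for SPI, sequence number, IV and ICV")
    spi, seq = struct.unpack("!II", ip_payload[:ESP_FIXED_HDR_LEN])
    iv = ip_payload[ESP_FIXED_HDR_LEN:ESP_FIXED_HDR_LEN + iv_len]
    icv = ip_payload[len(ip_payload) - icv_len:] if icv_len else b""
    # The encrypted payload length is found by subtraction, as Henry describes.
    encrypted = ip_payload[ESP_FIXED_HDR_LEN + iv_len:len(ip_payload) - icv_len]
    return spi, seq, iv, encrypted, icv


def build_frame(spi, seq, iv, encrypted, icv, link_padding=0):
    """Construct a sample IPv4/ESP datagram (constructed data; header checksum left zero)."""
    esp = struct.pack("!II", spi, seq) + iv + encrypted + icv
    total_len = 20 + len(esp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, IPPROTO_ESP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # link_padding models bytes a link layer appends below its minimum frame size
    return ip_hdr + esp + b"\x00" * link_padding


# Constructed sample: 8-byte IV, 16 bytes of stand-in ciphertext, 12-byte ICV
# (96-bit truncated HMAC, the RFC 2404 size), plus 14 bytes of link padding.
SAMPLE_SPI = 0x12345678
SAMPLE_SEQ = 7
SAMPLE_IV = bytes(range(8))
SAMPLE_ENC = bytes([0xAA]) * 16
SAMPLE_ICV = bytes([0xCC]) * 12
SAMPLE_FRAME = build_frame(SAMPLE_SPI, SAMPLE_SEQ, SAMPLE_IV, SAMPLE_ENC,
                           SAMPLE_ICV, link_padding=14)

if __name__ == "__main__":
    spi, seq, iv, enc, icv = split_esp_packet(SAMPLE_FRAME, len(SAMPLE_IV), len(SAMPLE_ICV))
    print(f"frame={len(SAMPLE_FRAME)}B spi={spi:#x} seq={seq} "
          f"iv={len(iv)}B encrypted={len(enc)}B icv={len(icv)}B")
```

Had the parser used `len(frame)` instead of the IP total length, the 14 padding bytes would have landed inside the "encrypted payload" and the ICV would have been read from the padding, so the integrity check would fail on every short packet; the length check the other way (frame shorter than the IP header claims) rejects a truncated datagram before any slice runs past the data.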
