
Re: Inbound processing of ESP packet




If there is an auth trailer: evidently the auth must be performed 
prior to decryption:

  1. SPI (processed)
  2. Seq# (processed)
  3. Encrypted payload <---- processing
  4. Auth trailer

The inbound processing finished processing Seq#. I am assuming
that it must finish authenticating the packet before it decrypts it.

Now it must get to the start of the ESP trailer. Since it does not know 
the length of the encrypted payload, how does it find the start
of the ESP trailer in the packet?

Pervaiz

On Mon, 15 Jan 2001 19:23:25 +0900 itojun@iijlab.net writes:
> 
> >I am confused about how the inbound processing of ESP 
> >packet is done.
> >       [ [SPI] [Seq#] [IV] [encrypted payload] [auth data] ]
> >How does the IPsec stack know the size of the encrypted payload?
> >Or how does it avoid having to know it?
> 
> 	assume we do not have authentication data.  we can know the
> 	(unencrypted) payload length by pad length.
> 
>  0                   1                   2                   3
>  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
> |               Security Parameters Index (SPI)                 | ^Auth.
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
> |                      Sequence Number                          | |erage
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----
> |                    Payload Data* (variable)                   | |   ^
> ~                                                               ~ |   |
> |                                                               | |Conf.
> +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
> |               |     Padding (0-255 bytes)                     | |erage*
> +-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |   |
> |                               |  Pad Length   | Next Header   | v   v
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------
> 
> >Also, since the Auth trailer follows the encrypted payload
> >and since the inbound processing routine does not
> >know the length of the encrypted payload, how does the 
> >stack authenticate the packet prior to encryption?
> 
> 	when both ends agree upon a configuration, they agree on
> 	authentication trailer length.  so both ends know authentication
> 	trailer length.  then you can subtract pad length to know the
> 	unencrypted payload length.
> 
> itojun

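The procedure itojun describes, as an added example that is not code from the thread or from any IPsec stack: the receiver knows the ICV length from the SA, authenticates everything before the ICV, and only then reads Pad Length and Next Header from the last two bytes of the decrypted data. It assumes ESP with NULL encryption and HMAC-SHA1-96, a constructed key, and a constructed payload, so the decrypt step is the identity and the trailer-location logic stands out.

```python
import hmac
import hashlib
import struct

# Constructed demo configuration (not from the thread): ESP-NULL with
# HMAC-SHA1-96. Both values come from the SA, not from the packet itself.
ICV_LEN = 12                          # HMAC-SHA1-96 authentication trailer
AUTH_KEY = b"constructed-demo-key"    # constructed sample key
ALIGN = 4                             # ESP trailer must end on a 4-byte boundary


def build_esp(spi, seq, payload, next_header):
    """Outbound: SPI || Seq || payload || padding || pad_len || next_header || ICV."""
    pad_len = (-(len(payload) + 2)) % ALIGN
    padding = bytes(range(1, pad_len + 1))     # RFC 2406 default padding 1,2,3,...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def process_inbound(packet):
    """Inbound: authenticate first, then locate the trailer, then the payload."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    # The ICV length is known from the SA, so the auth coverage is everything
    # before it: no need to know the payload length yet.
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch; packet dropped before decryption")
    spi, seq = struct.unpack("!II", authed[:8])
    # NULL cipher: decryption is the identity. With a real cipher, decrypt
    # authed[8:] here and read the trailer from the resulting plaintext.
    plaintext = authed[8:]
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds decrypted data")
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return spi, seq, next_header, payload
```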