Re: Inbound processing of ESP packet
On Mon, 15 Jan 2001, Pervaiz Rizvi wrote:
> Now it must get to the start of the ESP trailer. Since it does not know
> the length of the encrypted payload, how does it find the start
> of the ESP trailer in the packet?
It doesn't have to find the *start* of the trailer, only the *end*, because
the Pad Length and Next Header fields are at the end, not at the start.
It authenticates the whole packet, then decrypts the encrypted payload.
The second-last byte of the decrypted result is the pad length. If that
byte's value is N, the last N+2 bytes of the decrypted result are the
trailer.
Henry Spencer
henry@spsystems.net
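
The trailer lookup described in the reply above, as an added example that is not part of the original message or of any particular IPsec implementation. The names `esp_trailer` and `esp_parse_trailer` are hypothetical, and the optional padding check assumes the sender used the RFC 2406 default padding bytes 1, 2, 3, ..., N.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result type: where the payload ends and what the trailer said. */
struct esp_trailer {
    size_t  payload_len;  /* bytes of payload data before the padding */
    uint8_t pad_len;      /* Pad Length field (N) */
    uint8_t next_header;  /* Next Header field */
};

/* buf/len: the decrypted result only, after authentication succeeded (the
 * authentication data is not included). Returns 0, or -1 if malformed. */
int esp_parse_trailer(const uint8_t *buf, size_t len, int check_default_pad,
                      struct esp_trailer *out)
{
    if (buf == NULL || out == NULL || len < 2)
        return -1;                       /* no room for the two fixed bytes */

    uint8_t pad_len = buf[len - 2];      /* second-last byte */
    uint8_t next_header = buf[len - 1];  /* last byte */

    /* The trailer is the last N+2 bytes; reject an N that overruns the buffer. */
    if ((size_t)pad_len + 2 > len)
        return -1;
    size_t payload_len = len - 2 - pad_len;

    if (check_default_pad) {             /* assumed default padding: 1..N */
        for (size_t i = 0; i < pad_len; i++)
            if (buf[payload_len + i] != (uint8_t)(i + 1))
                return -1;
    }

    out->payload_len = payload_len;
    out->pad_len = pad_len;
    out->next_header = next_header;
    return 0;
}

int main(void)
{
    /* Constructed sample: 4 payload bytes, padding 01 02, Pad Length 2, Next Header 4. */
    const uint8_t pt[] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x02, 0x04};
    struct esp_trailer t;
    if (esp_parse_trailer(pt, sizeof pt, 1, &t) != 0) return 1;
    printf("payload=%zu pad=%u next=%u\n", t.payload_len,
           (unsigned)t.pad_len, (unsigned)t.next_header);
    return 0;
}
```

The bounds check on N matters because the Pad Length byte comes from the packet: without it, a value larger than the decrypted length makes the payload length calculation wrap.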