
Re: Inbound processing of ESP packet



At 9:07 PM -0800 1/14/01, Pervaiz Rizvi wrote:
>I am confused about how the inbound processing of ESP
>packet is done.
>
>        [ [SPI] [Seq#] [IV] [encrypted payload] [auth data] ]
>
>How does the IPsec stack know the size of the encrypted payload?
>Or how does it avoid having to know it?
>
>Also, since the Auth trailer follows the encrypted payload
>and since the inbound processing routine does not
>know the length of the encrypted payload, how does the
>stack authenticate the packet prior to encryption?

Your diagram is incomplete. You have omitted the IP header that comes 
before the SPI, in both transport and tunnel modes. Also you show an 
IV, which is algorithm and mode dependent, i.e., not always present and 
of a length defined by SA parameters.

The end of the IPsec packet is specified by the outer IP header, so 
we know where the auth trailer is. Also, since the SPI, destination 
addr from that header and the IPsec protocol (here assumed to be ESP) 
uniquely identify an SA, the recipient knows whether the auth trailer 
is present, and its length, since the algorithm used to compute the 
auth trailer is constant for the life of the SA.

With this knowledge, the recipient can check the packet integrity 
prior to decrypting the encrypted payload. At the end of that 
payload, when decrypted, will be the real next header field and a 
padding length field, in a completely determined location. So, what's 
the problem?

Steve
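Added illustration, not part of the thread: a Python sketch of the receive-side logic described in the reply above. The outer IPv4 total length fixes where the ICV ends, a hypothetical SA record supplies the IV and ICV lengths, the ICV is verified before anything is decrypted, and the pad length and next header are read from the fixed position at the end of the decrypted payload. The SA values and the hash-counter "cipher" are constructed placeholders, not IPsec algorithms.

```python
import hashlib, hmac, struct

# Hypothetical SA record: a real stack selects it by (SPI, dest addr, protocol).
SA = {"spi": 0x1234, "auth_key": b"k" * 20, "icv_len": 12,   # HMAC-SHA1-96 ICV
      "iv_len": 8, "enc_key": b"\x5a" * 16}                    # IV length is an SA parameter

def toy_keystream(key, iv, n):
    # Placeholder cipher (hash counter keystream), NOT an IPsec algorithm.
    out = b""
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack(">I", len(out))).digest()
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_esp_packet(sa, inner, next_header):
    # Constructed sample: outer IPv4 header + SPI + seq + IV + ciphertext + ICV.
    pad_len = (-(len(inner) + 2)) % 4                # ESP payload aligns to 4 bytes
    pt = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    iv = b"\x01" * sa["iv_len"]
    esp = struct.pack(">II", sa["spi"], 1) + iv + xor(pt, toy_keystream(sa["enc_key"], iv, len(pt)))
    icv = hmac.new(sa["auth_key"], esp, hashlib.sha1).digest()[:sa["icv_len"]]
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(esp) + len(icv), 0, 0,
                     64, 50, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + esp + icv

def process_inbound_esp(sa, pkt):
    # Returns (next_header, inner_payload) or None if the ICV check fails.
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack(">H", pkt[2:4])[0]         # outer header fixes the packet end
    esp, icv = pkt[ihl:total - sa["icv_len"]], pkt[total - sa["icv_len"]:total]
    if struct.unpack(">I", esp[:4])[0] != sa["spi"]:
        return None
    expected = hmac.new(sa["auth_key"], esp, hashlib.sha1).digest()[:sa["icv_len"]]
    if not hmac.compare_digest(expected, icv):
        return None                                   # integrity checked before decryption
    iv = esp[8:8 + sa["iv_len"]]
    ct = esp[8 + sa["iv_len"]:]
    pt = xor(ct, toy_keystream(sa["enc_key"], iv, len(ct)))
    pad_len, next_header = pt[-2], pt[-1]             # trailer sits at a fixed position
    return next_header, pt[:len(pt) - 2 - pad_len]
```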
