
Re: Inbound processing of ESP packet




>On Mon, 15 Jan 2001, Steven M. Bellovin wrote:
>  > >Normally, packet length is discovered based on link-level framing, either
>  > >supplemented or confirmed by the byte count in the IP header...
>  >
>  > Nope; the IP header value is the only authoritative one.  There may be
>  > link-level padding, such as the minimum frame size on Ethernet.
>
>As I said:  "either supplemented..." (that is, the IP header value is
>needed to pin down where the packet ends and the padding starts, when
>the frame as received is oversize).
>
>  > The link-level length is checked to ensure that enough data was
>  > received to accommodate the IP header's value.
>
>"...or confirmed".
>
>When two numbers have to agree, speaking of one as "authoritative" is
>questionable usage.  And any real implementation initially allocates space
>based on the frame size -- the size of the packet as received is however
>many bytes were received, with the IP header consulted only to remove
>padding and verify consistency.

Steve Bellovin is right, Henry. A LAN interface may include padding 
after the end of the IP packet when the packet is delivered from 
layer 2 to layer 3 (or from lower layer 3 to IP). The IP total length 
field is what defines the end of the IP packet, not a byte count from 
a lower layer protocol.

Steve
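
An added example, not part of the original message: a C sketch of the inbound length check discussed in this thread, where the IPv4 total length field sets the end of the packet and the link-level byte count is only checked to be large enough. This matters for ESP because its trailer fields are located from the end of the packet. The function name, status codes, and sample frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Status names are hypothetical, chosen for this example. */
enum ip_len_status {
    IPLEN_OK = 0,         /* total length fits; any excess is link padding */
    IPLEN_TRUNCATED_HDR,  /* fewer bytes received than a minimal IPv4 header */
    IPLEN_BAD_VERSION,    /* not IPv4 */
    IPLEN_BAD_IHL,        /* IHL < 5, or header longer than total length */
    IPLEN_SHORT_FRAME     /* total length claims more than was received */
};

/*
 * buf/rcvd: the layer-3 bytes handed up by the link layer, possibly with
 * trailing link-level padding. On IPLEN_OK, *pkt_len is the IP total length
 * and *pad_len the trailing bytes to discard before further processing.
 */
enum ip_len_status ipv4_packet_extent(const uint8_t *buf, size_t rcvd,
                                      size_t *pkt_len, size_t *pad_len)
{
    if (rcvd < 20)
        return IPLEN_TRUNCATED_HDR;
    if ((buf[0] >> 4) != 4)
        return IPLEN_BAD_VERSION;

    size_t hdr_len = (size_t)(buf[0] & 0x0f) * 4;     /* IHL in 32-bit words */
    size_t total = ((size_t)buf[2] << 8) | buf[3];    /* network byte order */

    if (hdr_len < 20 || hdr_len > total)
        return IPLEN_BAD_IHL;
    if (total > rcvd)
        return IPLEN_SHORT_FRAME;   /* link delivered too little: drop */

    *pkt_len = total;               /* end of packet comes from the IP header */
    *pad_len = rcvd - total;        /* anything beyond it is link padding */
    return IPLEN_OK;
}

/* Constructed sample: a 28-byte IPv4 packet (protocol 50, ESP) padded with
 * zeros to the 46-byte Ethernet minimum payload. */
static const uint8_t sample_frame[46] = {
    [0] = 0x45, [2] = 0x00, [3] = 0x1c, [8] = 64, [9] = 50
};

int main(void)
{
    size_t pkt, pad;
    return ipv4_packet_extent(sample_frame, sizeof sample_frame, &pkt, &pad);
}
```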


