[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: padding in ESP

To: lokeshnb@intotoinc.com
Subject: Re: padding in ESP
From: Paul Koning <pkoning@equallogic.com>
Date: Fri, 15 Nov 2002 10:41:36 -0500
Cc: ipsec@lists.tislabs.com
References: <5.1.0.14.0.20021115120149.023d1ec0@172.16.1.10>
Sender: owner-ipsec@lists.tislabs.com

>>>>> "lokeshnb" == lokeshnb  <Lokesh> writes:

 lokeshnb> Hi all One questions each on ESP and AH protocols:

 lokeshnb> 1] why do we need to adjust ESP packet size by padding to
 lokeshnb> be aligned to 4 byte boundary in case of null encryption? 

I'm not sure why that was put in the spec.  But the current answer is
"because it's in the spec".  :-)

 lokeshnb> can we bypass padding for null encryption?

NO.  You'd be violating a mandatory requirement of the spec if you do
that. 

 lokeshnb> 2] AH RFC says ICV can be of variable size, and is normally
 lokeshnb> taken as 12 bytes, in case if someone wants > 12 bytes of
 lokeshnb> ICV how he/she can intimate other party of new size of the
 lokeshnb> ICV?

The ICV size is defined by the authentication transform used.  For
example, if you use HMAC-MD5-96, that means that the ICV is 96 bits,
or 12 bytes.

So if you want a different ICV size for some reason, you'd have to use
a different transform, one that is defined to use a different size
ICV.

Before you do this, you might review the HMAC RFC to see the
explanation of why the 12 byte size is used.  With the possible
exception of SHA2, there's no clear reason why you'd want to change
the 12 byte ICV size.

    paul

References:
- padding in ESP
  - From: Lokesh <lokeshnb@intotoinc.com>

Prev by Date: Re: FQDN goes in commonName or domainComponent?
Next by Date: Re: Adding revised identities to IKEv2
Prev by thread: padding in ESP
Next by thread: Re: padding in ESP
Index(es):
- Date
- Thread