Reg: 16 unknown bytes in ESP packet (IPSEC)

Hi, 

Not able to understand the 16 bytes in the ESP packet present after the sequence number and before the original IP header while doing tunnel mode IPsec with ESP.
Details are as below.

I am trying to achieve IPsec functionality using a fast-path application which will do encryption/decryption using some hardware (Cavium) specific API.
This application will bypass the IP layer of the kernel.
Keys for start-up are pre-shared.

Communication is done between two machines, A and B.
On machine A, running i386 Linux, the SA/SP databases are updated using the setkey utility and packets are encrypted/decrypted using kernel IPsec.
On machine B, Cavium h/w, keys are pre-shared to the application performing the IPsec functionality.

Example:
M/c A configuration:
add 50.50.50.51 50.50.50.53 esp 15701 -E aes-cbc "0123456789abcdef";
spdadd 10.10.10.20 10.10.10.21 any -P out ipsec
           esp/tunnel/50.50.50.51-50.50.50.53/require;


I am able to decrypt received packets on machine B sent by M/c A and send encrypted packets to M/c A.
Issue:
1. Not able to find what the 16 bytes present after the sequence number in the ESP header and before the original IP header represent.

Decrypted packet on machine B is like below:
Ethernet header     14 bytes
Outer IP header     20 bytes
ESP header          SPI 4 bytes, Seq no 4 bytes
Some data           16 bytes   ???????
Original IP header  20 bytes
UDP header
Payload data
Padding
Pad length
Next IP header

2. Packets sent from machine B are encrypted and received as ESP packets on machine A.
    Not sure if decryption is happening fine. It seems the packets are dropped at the IP layer. Is there a way to confirm whether packets are decrypted fine by kernel IPsec?
    The encrypted packet sent by machine B has the encrypted payload (original IP header plus data) directly after the sequence number of the ESP header.
    It seems the 16 bytes mentioned above play a role in successful decryption at machine A running Linux IPsec.
Any inputs on the same will be appreciated.

Cheers
Mukesh
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
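
For reference, an added example that is not part of the original post: RFC 3602 defines the ESP payload for AES-CBC as a 16-byte IV followed by the ciphertext, which is the position of the 16 bytes described in the message above. The C sketch below splits a received ESP payload on that layout and checks the RFC 4303 trailer once the ciphertext has been decrypted; the struct and function names are hypothetical, and the decryption step itself (the hardware API) is not shown.

```c
#include <stddef.h>
#include <stdint.h>

#define ESP_HDR_LEN   8   /* SPI (4 bytes) + sequence number (4 bytes) */
#define AES_BLOCK_LEN 16  /* AES-CBC block size and IV length (RFC 3602) */

struct esp_view {                 /* hypothetical helper type */
    uint32_t spi, seq;
    const uint8_t *iv;            /* per-packet IV, carried in the clear */
    const uint8_t *ct;            /* ciphertext: inner IP packet + trailer */
    size_t ct_len;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* esp points just past the outer IP header; icv_len is 0 when the SA has no
 * authentication algorithm. Returns 0 on success, -1 if malformed. */
int esp_aes_cbc_split(const uint8_t *esp, size_t len, size_t icv_len,
                      struct esp_view *v)
{
    if (len < ESP_HDR_LEN + 2 * AES_BLOCK_LEN + icv_len)
        return -1;                /* need the IV plus at least one block */
    v->ct_len = len - ESP_HDR_LEN - AES_BLOCK_LEN - icv_len;
    if (v->ct_len % AES_BLOCK_LEN)
        return -1;                /* CBC ciphertext is whole blocks */
    v->spi = be32(esp);
    v->seq = be32(esp + 4);
    v->iv = esp + ESP_HDR_LEN;
    v->ct = v->iv + AES_BLOCK_LEN;
    return 0;
}

/* pt is the decrypted ciphertext; its last two bytes are pad length and next
 * header. Returns the inner packet length, or -1 on a bad trailer. */
long esp_strip_trailer(const uint8_t *pt, size_t pt_len, uint8_t *next_hdr)
{
    if (pt_len < 2 || (size_t)pt[pt_len - 2] + 2 > pt_len)
        return -1;
    size_t pad_len = pt[pt_len - 2];
    /* RFC 4303 default pad bytes are 1, 2, 3, ...; mismatch: wrong key/IV */
    for (size_t i = 0; i < pad_len; i++)
        if (pt[pt_len - 2 - pad_len + i] != (uint8_t)(i + 1))
            return -1;
    *next_hdr = pt[pt_len - 1];   /* 4 = IPv4-in-IP, expected in tunnel mode */
    return (long)(pt_len - 2 - pad_len);
}
```

A sender has to follow the same layout: generate a fresh 16-byte IV per packet and place it between the sequence number and the ciphertext, because the receiver treats the first 16 bytes after the sequence number as the IV.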
