Date: Mon, 20 Jan 2020 14:41:47 +0700 From: Victor Sudakov <vas@sibptus.ru> To: freebsd-net@freebsd.org Subject: Re: IPSec transport mode, mtu, fragmentation... Message-ID: <20200120074147.GA23877@admin.sibptus.ru> In-Reply-To: <20200119083123.GA31553@stargrave.org> References: <20200116155305.GA465@admin.sibptus.ru> <55f7bafa-24c4-9810-0d21-f82cb332ee2d@grosbein.net> <20200116160745.GA1356@admin.sibptus.ru> <72355e03-1cf8-c58f-3aec-b0a21e631870@grosbein.net> <20200117093645.GA51899@admin.sibptus.ru> <70b0b855-189b-03c2-0712-fc1e35640702@grosbein.net> <c7f5828b-3678-b432-47a8-75afada5bd9e@freebsd.org> <20200119033843.GB54797@admin.sibptus.ru> <20200119080707.GB63055@admin.sibptus.ru> <20200119083123.GA31553@stargrave.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Sergey Matveev wrote: > *** Victor Sudakov [2020-01-19 15:07]: > >Probably this transformation should not cause any increase in payload > >size because AFAIK a symmetric cipher does not increase the message > >size (i.e. the encrypted message is not bigger than the cleartext). >=20 > Wrong in nearly all cases. >=20 > 1) If you use *stream* symmetric cipher, then ciphertext's length is > equal to plaintext. >=20 > 2) If you use *block* symmetric cipher, then it has to be divisible by > blocksize by definition. However that depends on used blockcipher mode > of operation. For example CTR (counter) mode transforms block cipher > intro stream cipher, thus requiring no padding. In CBC mode it requires > padding, so as a rule it will be always greater up to blocksize. >=20 > 3) ESP requires most fields to be multiple of 32-bits, so even if you > use stream cipher or some kind of block cipher CTR mode, you have to pad > it to be multiple of 4-bytes because of ESP. >=20 > 4) You HAVE TO always use and enable ciphertext authentication. All > modern protocols even forbid non AEAD (authenticated encryption) > ciphermodes usage at all. For example AES-GCM is that kind of > ciphermode. And always your ciphertext will have MAC tag (ICV field in > ESP) filled. AES-GCM as I remember uses 96-bit MACs, others use 128-bit > MACs or even larger. >=20 > 5) Also ESP has IV field and most ciphers (AES-GCM, GOST ones, and so > on) requires it. It takes 8 bytes in practice. >=20 > >OTOH, there is added information is the 4 bytes of SPI and 4 bytes of > >ESP sequence number, correct? So the payload should grow 8 bytes. Is > >this enough to make the packet too large? >=20 > So minimally with some kind of modern AES-GCM you have 8 bytes of IV, > 12 bytes of MAC tag (ICV field), possible ESP 32-bit alignment padding, > 32-bits SPI and sequence numbers. Thank you, Sergey, this information was very educational. The conclusion is that even in transport mode we should observe a significant growth in size of the encrypted payload in comparison to the unencrypted one. So, how does the TCP/IP stack handle this growth? The transport layer (TCP in our case) probably does not know about this additional overhead because I observe in the packet dumps that the MSS is always the same 1460 bytes. --=20 Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ --HcAYCG3uE/tztfnV Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJeJVm7AAoJEA2k8lmbXsY0I1oH/3jhFFWkhvAONQnCTaYLtXPq Sj5+pU1OZZa2gFf3AXKXPf3/nqeEg1We72fFlzTJnX2IvTGdRNaQblUy+9Ow6KUQ XGzS5hUl2AQrwqWzrSTUu42a0o/PNG4lOlvd+5b7yaZWx2CgDI65Y70d9Wkarcje 1T7xa0Kv5tPnBZ6B2PG9s75qxFz8SUR7Vb/F7L8t25+RqCAmII+fAXBfKM+z3/q5 71nt4xNS/Oy4N/KHo2V5BA8OLyPJkpZsXvXTx0kZ6Q6AjAQeWJv2Q/GfJgYfgRHO 6XEbbftTXkmIyR97io3R9P2/iB2Qhd9NDdj2hXVe+8MJZ8gx8WKTxcQj8KFS8bM= =KMve -----END PGP SIGNATURE----- --HcAYCG3uE/tztfnV--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200120074147.GA23877>