IPSec transport mode, mtu, fragmentation...

Victor Sudakov vas at sibptus.ru
Mon Jan 20 07:41:51 UTC 2020 

Sergey Matveev wrote:
> *** Victor Sudakov [2020-01-19 15:07]:
> >Probably this transformation should not cause any increase in payload
> >size because AFAIK a symmetric cipher does not increase the message
> >size (i.e. the encrypted message is not bigger than the cleartext).
> 
> Wrong in nearly all cases.
> 
> 1) If you use *stream* symmetric cipher, then ciphertext's length is
> equal to plaintext.
> 
> 2) If you use *block* symmetric cipher, then it has to be divisible by
> blocksize by definition. However that depends on used blockcipher mode
> of operation. For example CTR (counter) mode transforms block cipher
> intro stream cipher, thus requiring no padding. In CBC mode it requires
> padding, so as a rule it will be always greater up to blocksize.
> 
> 3) ESP requires most fields to be multiple of 32-bits, so even if you
> use stream cipher or some kind of block cipher CTR mode, you have to pad
> it to be multiple of 4-bytes because of ESP.
> 
> 4) You HAVE TO always use and enable ciphertext authentication. All
> modern protocols even forbid non AEAD (authenticated encryption)
> ciphermodes usage at all. For example AES-GCM is that kind of
> ciphermode. And always your ciphertext will have MAC tag (ICV field in
> ESP) filled. AES-GCM as I remember uses 96-bit MACs, others use 128-bit
> MACs or even larger.
> 
> 5) Also ESP has IV field and most ciphers (AES-GCM, GOST ones, and so
> on) requires it. It takes 8 bytes in practice.
> 
> >OTOH, there is added information is the 4 bytes of SPI and 4 bytes of
> >ESP sequence number, correct? So the payload should grow 8 bytes. Is
> >this enough to make the packet too large?
> 
> So minimally with some kind of modern AES-GCM you have 8 bytes of IV,
> 12 bytes of MAC tag (ICV field), possible ESP 32-bit alignment padding,
> 32-bits SPI and sequence numbers.

Thank you, Sergey, this information was very educational. The conclusion
is that even in transport mode we should observe a significant growth in
size of the encrypted payload in comparison to the unencrypted one.

So, how does the TCP/IP stack handle this growth? The transport layer
(TCP in our case) probably does not know about this additional overhead
because I observe in the packet dumps that the MSS is always the same
1460 bytes.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20200120/cde0d407/attachment.sig>

More information about the freebsd-net mailing list