Re: ipsec internal

From: Dan McDonald (danmcd_at_Eng.Sun.COM)
Date: 12/22/04


Date: Wed, 22 Dec 2004 02:54:34 +0000 (UTC)

In article <1103676410.195191.185370@z14g2000cwz.googlegroups.com>,
 <matthias@blankenhaus.com> wrote:
>Hi Dan !

Hello.

>So bottom line the streams stack looks like this, right ?
>
>TCP
>AUTH_MD5
>IPSECAH (e.g.)
>IP

No.

It's more like (and make sure you're monospaced for this... ;):

                                      AUTH_MD5
        TCP                           IPSECAH
        IP <---side-shuffles to----> IP

For example. In S9, there are stacks like the one on the right for every
algorithm. A better way to visualize it would be an inverse tree-like
structure, with IP at the bottom, and a choice of AH, ESP, TCP, UDP, and
above AH or ESP choices of ciphers or hashes. (An x-kernel protocol graph,
kinda, for anyone who played with the x-kernel.)

It's not clear what you're looking for - the data? Or the post-IPsec-munged
whole packet?

>.. because then I still would not get the decrypted data, or why not ?

Yep, you won't get the decrypted data by merely opening an IP stream.

>> You're not going to easily do what you wish. You may wish to try a version
>> of Ethereal that consults the SADB and decrypts/authenticates the sniffed
>> copy of the packet.
>Could you please elaborate a bit on this one ?

Ethereal is a packet-sniffer (user-land). If you're on the machine that has
the IPsec keying material, you can process the encrypted packet inside an
extension to Ethereal (it _may_ already have the capacity to do this).

--
Daniel L. McDonald  -  Solaris Networking & Security Engineering
Mail: danmcd@east.sun.com        |  * MY OPINIONS ARE NOT NECESSARILY SUN'S! *
1 Network Drive  Burlington, MA  |"rising falling at force ten
http://blogs.sun.com/danmcd/     | we twist the world and ride the wind" - Rush
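The sniffer-side check Dan describes (a user-land tool that consults the SADB and authenticates a captured copy of the packet), written out as an added example; this is not code from the post, from Solaris, or from Ethereal. It takes an IPv4 transport-mode AH packet, looks up the SPI in a constructed SADB, and recomputes the HMAC-MD5-96 ICV as RFC 2402/2403 specify (mutable IP header fields and the ICV field zeroed). The SADB contents, key, addresses, SPI and the TCP segment are all constructed for the demonstration; IPv4 options and ESP decryption are not handled.

```python
"""Authenticate a sniffed AH packet using a key looked up by SPI.

Added example, not from the original post. All keys, addresses and packets
below are constructed; a real SADB also carries algorithm, lifetimes, etc.
"""
import hashlib
import hmac
import struct

AH_PROTO = 51          # IP protocol number for AH
AH_FIXED_LEN = 12      # next hdr, payload len, reserved, SPI, sequence
MD5_96_ICV_LEN = 12    # HMAC-MD5-96: 128-bit HMAC truncated to 96 bits

# Constructed SADB: SPI -> HMAC-MD5 key (only what this check needs).
SADB = {0x00001000: bytes(range(16))}


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over a header whose checksum field is zero."""
    s = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return (~s) & 0xffff


def zero_mutable_ipv4(ip_hdr: bytes) -> bytes:
    """RFC 2402 3.3.3.1.1: TOS, flags, fragment offset, TTL and checksum may
    change in transit, so the ICV is computed with them zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6] = h[7] = 0          # flags + fragment offset
    h[8] = 0                 # TTL
    h[10] = h[11] = 0        # header checksum
    return bytes(h)


def split_ah_packet(packet: bytes):
    """Return (ip_hdr, ah_header_including_icv, upper_layer_data)."""
    ihl = (packet[0] & 0x0f) * 4
    if ihl != 20:
        raise ValueError("IPv4 options not handled in this example")
    if packet[9] != AH_PROTO:
        raise ValueError("not an AH packet")
    ah_len = (packet[ihl + 1] + 2) * 4   # payload len is 32-bit words minus 2
    return packet[:ihl], packet[ihl:ihl + ah_len], packet[ihl + ah_len:]


def ah_icv(key: bytes, ip_hdr: bytes, ah: bytes, data: bytes) -> bytes:
    """HMAC-MD5-96 over immutable IP header, AH header (ICV zeroed) and data."""
    icv_len = len(ah) - AH_FIXED_LEN
    ah_zeroed = ah[:AH_FIXED_LEN] + bytes(icv_len)
    mac = hmac.new(key, zero_mutable_ipv4(ip_hdr) + ah_zeroed + data, hashlib.md5)
    return mac.digest()[:icv_len]


def verify_ah(sadb: dict, packet: bytes) -> bool:
    """What a sniffer with SADB access can do: find the SA by SPI, check ICV."""
    ip_hdr, ah, data = split_ah_packet(packet)
    spi = struct.unpack('!I', ah[4:8])[0]
    key = sadb.get(spi)
    if key is None:
        return False           # no SA for this SPI: cannot authenticate
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah, data), ah[AH_FIXED_LEN:])


def build_ah_packet(key, src, dst, spi, seq, next_proto, payload, ttl=64):
    """Constructed sender side, so there is a packet to sniff and check."""
    total_len = 20 + AH_FIXED_LEN + MD5_96_ICV_LEN + len(payload)
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total_len, 0x1234, 0x4000,
                         ttl, AH_PROTO, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack('!H', ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # payload len = AH length in 32-bit words minus 2 = (24 / 4) - 2 = 4
    ah = struct.pack('!BBHII', next_proto, 4, 0, spi, seq) + bytes(MD5_96_ICV_LEN)
    icv = ah_icv(key, ip_hdr, ah, payload)
    return ip_hdr + ah[:AH_FIXED_LEN] + icv + payload


# Constructed sample: a bare 20-byte TCP header carried under AH.
TCP_SEGMENT = struct.pack('!HHIIBBHHH', 1234, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PACKET = build_ah_packet(SADB[0x1000], SRC, DST, 0x1000, 1, 6, TCP_SEGMENT)


def forwarded_copy(packet: bytes) -> bytes:
    """A router decremented TTL and rewrote the checksum; ICV must still pass."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10] = h[11] = 0
    h[10:12] = struct.pack('!H', ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def tampered_copy(packet: bytes) -> bytes:
    """One payload bit flipped in transit; ICV must fail."""
    p = bytearray(packet)
    p[-1] ^= 0x01
    return bytes(p)


if __name__ == '__main__':
    print("original :", verify_ah(SADB, PACKET))
    print("forwarded:", verify_ah(SADB, forwarded_copy(PACKET)))
    print("tampered :", verify_ah(SADB, tampered_copy(PACKET)))
    print("no SA    :", verify_ah({}, PACKET))
```

The last case is the point of the thread: without the SADB entry the captured bytes cannot be authenticated (or, for ESP, decrypted), which is why merely opening an IP stream or capturing below IPSECAH does not yield the protected data.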