IPSec overhead in ESP Tunnel mode

Unanswered Question
Oct 8th, 2003

Hi,

I am facing a very simple problem with IPSec in ESP Tunnel mode.

My objective here is to know the precise overhead added to the normal payload by IPsec in ESP tunnel mode.

As per Cisco documentation I read somewhere that it is up to 57 bytes. However, in reality it is taking up to 58 bytes. Is that correct, or am I missing something?

With the default MTU size from end to end (I mean 1500 bytes across the IPsec peers), I can ping with a payload of at most 1414 bytes from a Windows PC (this does not include the IP header and ICMP header).

My test results are as below.

When I use a payload size of 1409, the total IP length in the outer IP header should be

1409 bytes data + 8-byte ICMP header + 20-byte IP header + 20-byte new IP header added by ESP in tunnel mode + 16-byte ESP header + 2-byte ESP trailer + 12-byte ESP authentication data

That totals 1487, but in the sniffer I found a total IP length of 1488. Where is that 1 byte going?

The IP length is 1488 for a data payload of 1409 down to 1402 bytes. I think this is due to the rule that, while encrypting, the payload size should be a multiple of 8.

If I make the payload 1410, the total IP length becomes 1496.

From the above, my assumption is that the IPsec ESP tunnel mode overhead is 51~58 bytes.

Is the above correct?

Thanks in advance.

Subba

gfullage Wed, 10/08/2003 - 21:57

The difference is due to the padding field in the ESP packet; it changes size depending on the original packet size, so yes, the exact number of additional bytes is not always the same.

A couple of examples (ESP tunnel mode):

1500 byte packet becomes 1552 bytes:

20 bytes IPsec header (tunnel mode)

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

8 byte IV (IOS ESP-DES/3DES)

2 byte pad (ESP-DES/3DES 64 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

12 bytes ESP MD5 96 digest

800 byte packet becomes 856 bytes:

20 bytes IPsec header (tunnel mode)

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

8 byte IV (IOS ESP-DES/3DES)

6 byte pad (ESP-DES/3DES 64 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

12 bytes ESP MD5 96 digest

So you can see there that one packet gets an additional 56 bytes, whereas a different-size packet gets only 52 added. The least that can be added is 50 bytes, with a 0-byte pad, as shown here:

790 byte packet becomes 840 bytes:

20 bytes IPsec header (tunnel mode)

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

8 byte IV (IOS ESP-DES/3DES)

0 byte pad (ESP-DES/3DES 64 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

12 bytes ESP MD5 96 digest

and the most that can be added is 57 bytes, with a 7-byte pad, as seen here:

799 byte packet becomes 856 bytes:

20 bytes IPsec header (tunnel mode)

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

8 byte IV (IOS ESP-DES/3DES)

7 byte pad (ESP-DES/3DES 64 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

12 bytes ESP MD5 96 digest

subbarao.s Wed, 10/08/2003 - 22:46

Glenn,

Thanks for your reply. Below are my test results.

The MTU size across the peers is 1500 bytes. I get a reply with a data payload of 1442 bytes or less; 1443 bytes does not work.

The first field is the original packet size (data + ICMP header + IP header). The second is the "Total IP Length" in the outer header (the IP header built by IPsec in tunnel mode). The third field is the Ethernet frame size.

Original  Outer IP Total Length  Ethernet frame
1442      1496                   1514
1441      1496                   1514
1440      1496                   1514
1439      1496                   1514
1438      1496                   1514
1437      1488                   1506
1436      1488                   1506
1435      1488                   1506
1434      1488                   1506
1433      1488                   1506
1432      1488                   1506
1431      1488                   1506
1430      1488                   1506
1429      1480                   1498
1428      1480                   1498

From the above, my understanding is that the overhead added by IPsec in tunnel mode is a minimum of 51 bytes and a maximum of 58 bytes.

But as per your analysis it is a minimum of 50 bytes and a maximum of 57 bytes.

Where am I missing that 1 byte?

One more thing: why am I unable to ping with a packet size of 1443? From the above figures, a 1442-byte packet is getting 3 bytes of padding, so 1443 should get 2 bytes of padding and should get through, right? But it is not happening. Any idea?

Thanks.

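As an added example (this is not code from the thread, from Cisco IOS, or from either poster), the following Python applies the RFC 2406 ESP tunnel-mode layout that gfullage's breakdowns use: outer IPv4 header, SPI, sequence number, cipher IV, the inner packet, padding, the 2-byte trailer (pad length + next header) and the ICV, where padding brings inner packet + pad + trailer up to a multiple of the cipher block size. It reproduces his four cases (1500 to 1552, 800 to 856, 790 to 840, 799 to 856) and the 50 to 57 byte range for ESP-DES/3DES with HMAC-MD5-96, shows that the "missing" byte in the 1409-byte ping of the first post (1437-byte inner packet) is a 1-byte pad, and computes the largest inner packet and ping payload that fit a 1500-byte path without fragmentation. The AES-CBC profile (16-byte block and IV, RFC 3602) is an assumption added only to show how the range moves with block size; the thread does not discuss it. One caveat: in the follow-up post's captures the jump to the next block happens one byte earlier than this rule predicts (1430 and 1438 already show the larger outer length), which is why that post sees 51 to 58 bytes; the thread leaves that unexplained and the code does not try to model it.

```python
"""ESP tunnel-mode overhead calculator (RFC 2406 layout).

Added example for this thread; not code from the original posts or from
Cisco.  Padding brings (inner packet + pad + 2-byte trailer) to a multiple
of the cipher block size, which is why the overhead varies per packet.
"""
from dataclasses import dataclass

OUTER_IP_HDR = 20            # outer IPv4 header added in tunnel mode (no options)
ESP_SPI = 4
ESP_SEQ = 4
ESP_TRAILER = 2              # pad length (1) + next header (1)
INNER_IP_ICMP_HDRS = 20 + 8  # IPv4 + ICMP echo header in front of the ping data


@dataclass(frozen=True)
class EspProfile:
    """Per-transform sizes; block_size is also the padding alignment."""
    name: str
    block_size: int
    iv_len: int
    icv_len: int


# The transform in the thread: IOS ESP-DES/3DES with HMAC-MD5-96.
DES_3DES_MD5 = EspProfile("esp-3des esp-md5-hmac", block_size=8, iv_len=8, icv_len=12)
# Assumed AES-CBC profile (RFC 3602: 16-byte block and IV); not discussed in the thread.
AES_CBC_SHA1 = EspProfile("esp-aes esp-sha-hmac", block_size=16, iv_len=16, icv_len=12)


def esp_pad_len(inner_len: int, block_size: int) -> int:
    """Smallest pad making (inner_len + pad + ESP_TRAILER) a block multiple."""
    return (-(inner_len + ESP_TRAILER)) % block_size


def breakdown(inner_len: int, profile: EspProfile) -> dict:
    """Every field ESP tunnel mode wraps around an inner packet, in bytes."""
    return {
        "outer_ip": OUTER_IP_HDR,
        "spi": ESP_SPI,
        "seq": ESP_SEQ,
        "iv": profile.iv_len,
        "pad": esp_pad_len(inner_len, profile.block_size),
        "pad_len": 1,
        "next_header": 1,
        "icv": profile.icv_len,
    }


def esp_tunnel_overhead(inner_len: int, profile: EspProfile) -> int:
    """Bytes added to an inner packet of the given length."""
    return sum(breakdown(inner_len, profile).values())


def outer_ip_length(inner_len: int, profile: EspProfile) -> int:
    """Total Length field of the outer IP header after encapsulation."""
    return inner_len + esp_tunnel_overhead(inner_len, profile)


def overhead_range(profile: EspProfile) -> tuple[int, int]:
    """(min, max) overhead: pad of 0 up to block_size - 1."""
    fixed = OUTER_IP_HDR + ESP_SPI + ESP_SEQ + profile.iv_len + ESP_TRAILER + profile.icv_len
    return fixed, fixed + profile.block_size - 1


def max_inner_for_mtu(mtu: int, profile: EspProfile) -> int:
    """Largest inner packet whose encapsulated form fits mtu unfragmented."""
    lo, hi = overhead_range(profile)
    # Only inner sizes in [mtu - hi, mtu - lo] can fit; mtu - hi always does.
    return max(n for n in range(mtu - hi, mtu - lo + 1)
               if outer_ip_length(n, profile) <= mtu)


def max_ping_payload(mtu: int, profile: EspProfile) -> int:
    """Largest ping data size that avoids fragmentation across the tunnel."""
    return max_inner_for_mtu(mtu, profile) - INNER_IP_ICMP_HDRS


def table(sizes, profile: EspProfile):
    """Rows of (inner length, pad, overhead, outer IP length) to check a capture against."""
    return [(n, esp_pad_len(n, profile.block_size),
             esp_tunnel_overhead(n, profile), outer_ip_length(n, profile))
            for n in sizes]


if __name__ == "__main__":
    for n in (1500, 800, 790, 799):
        print(f"{n:5d} -> {outer_ip_length(n, DES_3DES_MD5)} bytes  {breakdown(n, DES_3DES_MD5)}")
    print("overhead range (DES/3DES, MD5-96):", overhead_range(DES_3DES_MD5))
    print("overhead range (AES-CBC, SHA1-96): ", overhead_range(AES_CBC_SHA1))
    for row in table(range(1428, 1447), DES_3DES_MD5):
        print("inner %4d  pad %d  overhead %2d  outer %4d" % row)
    print("max ping payload over a 1500-byte path:", max_ping_payload(1500, DES_3DES_MD5))
```

Run the file to print the per-size table for the 1428 to 1446 range used in the follow-up post and compare it line by line with a sniffer's outer Total Length; any size where the capture is larger than the computed value is a pad the device is adding beyond the RFC minimum, and the fixed-field sum from overhead_range() is what to subtract from the path MTU when sizing an inner MTU or tcp adjust-mss value.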
Posted October 8, 2003 at 4:38 PM