IPSec overhead in ESP Tunnel mode

subbarao.s · ‎10-08-2003

Hi,

I am facing a very simple problem with IPSec in ESP Tunnel mode.

My objective here is to know the precise overhead added to normal payload by IPSec in ESP tunnel mode.

As per Cisco docmentation I read some where that it is up to 57 bytes. However in reality it is taking up to 58 bytes, is it correct? or I miss something?

With the default MTU Size from end to end (I mean 1500 Bytes across the IP Sec peers), I can ping with payload of maximum 1414 bytes from windows PC(This does not include IP header and ICMP Header).

My test results are as below.

When I use payload size of 1409, total ip length in outer ip header should be

1409 data+ 8byte ICMP Header+20 bytes ip header+20 byte new ip header by ESP in tunnel mode+ 16 Byte ESP Header+2Byte ESP Trailer+12 byte ESP Authentication data

Total makes 1487 but in sniffer I found total ip length as 1488. Where is that 1 byte going?

IP length is 1488 for data payload of 1409 to 1402 bytes. I think this is due the rule that while doing Encryption payload size should be multiple of 8.

If I make pay load 1410..........Total IP lenght is becoming 1496.

From the above my assumption is IPSec In ESP Tunnel mode overhead is from 51~58 Bytes.

Is above is correct?

Thanks in advance.

Subba

gfullage · ‎10-08-2003

The difference is due to the padding field in the ESP packet, it changes size depending on the original packet size, so yes, the exact additional number of bytes is not always the same.

A couple of examples (ESP tunnel mode):

1500 byte packet becomes 1552 bytes:

20 bytes IPsec header (tunnel mode)

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

8 byte IV (IOS ESP-DES/3DES)

2 byte pad (ESP-DES/3DES 64 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

12 bytes ESP MD5 96 digest

800 byte packet becomes 856 bytes:

20 bytes IPsec header (tunnel mode)

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

8 byte IV (IOS ESP-DES/3DES)

6 byte pad (ESP-DES/3DES 64 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

12 bytes ESP MD5 96 digest

So you can see there that one packet gets an additional 56 bytes, whereas a different size packet gets only 52 added. The least that can get added is 50 bytes with 0 byte pad as shown here:

790 byte packet becomes 840 bytes:

20 bytes IPsec header (tunnel mode)

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

8 byte IV (IOS ESP-DES/3DES)

0 byte pad (ESP-DES/3DES 64 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

12 bytes ESP MD5 96 digest

and then the most that can be added is 57 bytes with a 7 byte pad as seen here:

799 byte packet becomes 856 bytes:

20 bytes IPsec header (tunnel mode)

4 bytes SPI (ESP header)

4 bytes Sequence (ESP Header)

8 byte IV (IOS ESP-DES/3DES)

7 byte pad (ESP-DES/3DES 64 bit)

1 byte Pad length (ESP Trailer)

1 byte Next Header (ESP Trailer)

12 bytes ESP MD5 96 digest

subbarao.s · ‎10-08-2003

Glenn,

Thanks for your reply. Here under I am giving my my test results.

MTU size across peers is 1500 Bytes. I can get reply from data payload of 1442 or less. 1443bytes does not work.

First feild is original packet size (Data+ICMP Header+IP header). second is the "Total IP Length" in Outer header (IP header made by IPsec in Tunnel mode). Third field is ethernet frame size.

1442 1496 1514

1441 1496 1514

1440 1496 1514

1439 1496 1514

1438 1496 1514

1437 1488 1506

1436 1488 1506

1435 1488 1506

1434 1488 1506

1433 1488 1506

1432 1488 1506

1431 1488 1506

1430 1488 1506

1429 1480 1498

1428 1480 1498

From the above my understanding is overhead by IPsce in Tunnel mode minimum of 51 bytes and maximum of 58 bytes.

But as per your analysis it is minimum of 50 bytes and maximum of 57 bytes.

Where am I missing that 1 byte?

One more thing is why I am unable to ping with a packet size of 1443? From above figures 1442 packet is getting a padding of 3 bytes, so 1443 should get 2 bytes padding and should get through right? But it is not happening. Any idea?

Thanks.

碧云天 · ‎07-15-2021

Ethernet Header Size = 14 bytes.

With sniffer and Cisco IOS router‘s extend ping and ，I have the followings

Datagram size Ethernet frame size
1442 1510
1441 1510
1440 1510
1439 1510
1438 1502
1437 1502
1436 1502
1435 1502
1434 1502
1433 1502
1432 1502
1431 1502
1430 1494
1429 1494
1428 1494
1427 1494
1426 1494
1425 1494
1424 1494
1423 1494
1422 1486

碧云天 · ‎07-15-2021

1442byte +20 byte new ip header by ESP in tunnel mode+ 16 Byte ESP Header+2Byte ESP Trailer+xByte pad+12 byte ESP Authentication data=1492+x Byte.

(1492+x)%8 == 0,1492%8=4,so the min x is 4,1492+4+14=1510 is the Ethernet frame size.

1438byte +20 byte new ip header by ESP in tunnel mode+ 16 Byte ESP Header+2Byte ESP Trailer+xByte pad+12 byte ESP Authentication data=1488+x Byte.

(1488+x)%8 == 0,1488%8=0,so the min x is 0,1488+14=1502 is the Ethernet frame size.

Ronie Meireles · ‎01-03-2015

Masters from 11 years ago,

Thank youuu veeery muuch!

:-)

Jay Young · ‎10-21-2015

Ronie,

You might also find this tool helpful. It allows you to select different combinations of ciphers, hashes, GRE, tunnel or transport mode.

http://www.cisco.com/c/en/us/support/web/redirects/ipsec-overhead-calc.html

-Jay

Jonathan Cuthbert · ‎03-26-2023

https://cway.cisco.com/ipsec-overhead-calculator/

Updated link.

matchsp · ‎06-14-2023

Hi,

does exist any alternative tool to the ipsec-overhead-calculator?

ppatel2 · ‎12-06-2010

http://en.wikipedia.org/wiki/IPsec

Padding should be considered.