Cryptography Reference
In-Depth Information
2.
Payload length
: This 8-bit field contains the length of the AH contents.
3.
Reserved
: This 16-bit field is reserved for future use.
4.
Security parameters index
: This 32-bit field identifies the SA for this
packet by specifyinga set of security parameters for use herein.
5.
Sequence number
: This 32-bit field supplies a monotonically increasing
counter value for each packet sent with a given SPI, used to track the
order of packets. Moreover, the counter establishes protection against
replay attacks. The means by which this is achieved is as follows.
When a new SA is created, the sender initializes the sequence to zero,
and each time a packet is sent usingthis SA, the sender increments the
counter and the result is put into the sequence number field. Since the
default mechanism is enabling
antireplay
, the sender must ensure that the
counter has an upper bound of
B
=2
32
1, beyond which it is forbidden
to increment (since otherwise, there will be more than one packet with
the same sequence number given that 2
32
cycles back to zero). Once
B
is
reached, a new SA with a new key is negotiated. On the other hand, the
receiver ensures that a window, called the
antireplay window
, is created for
received packets, checked via a MAC, which discards unauthorized ones.
Moreover, in the instance of a discarded packet, the receiver SHOULD be
capable of sendinga messae with reasons for the droppingof the packet
alongwith date, time, and sequence number of the packet. (See pae
311 where details on the antireplay window and associated notions are
detailed.)
−
6.
Authentication data
: This variable length (modulo 32, which might
necessitate padding), field consists of the
Integrity Check Value
(ICV) for
this packet.
The ICV is essentially the output of a truncated MAC defined as fol-
lows. The compliant implementations are HMAC with SHA-1 or MD5,
but also AES with CBC (see [208] for a description of HMAC-MD5-96;
[209] for a description of HMAC-SHA-1-96; [224] for a description of AES-
XCBC-MAC-96; and see pages 263-264 for a reminder of our description
of HMAC in general). Whichever is used, the complete HMAC value is
calculated, then truncated usingthe authentication field default value of
96 bits.
The ICV is calculated using, (1) certain IP header fields, namely, those
whose values are predictable when they arrive at the AH SA, or those
that do not change in transit, the latter process called
immutable
; (2) the
entire contents of the AH header except for the authentication data field,
which is set to zero for calculation purposes at both origin and target;
(3) the complete upper-level protocol data, assumed to be immutable in
transit, such as an IP packet in tunnel mode (see Diagram 8.20).
Search WWH ::
Custom Search