The easiest way would be to assign the first few bits of the SPI to indicate 
the SPI size; for example, all 8 bit SPIs might be allocated to have the first 
two bits being 11; all 16 bit SPIs might have those two bits being 10; etc.  
That way, an examination of the first few bits of the SPI would unambiguously 
give you the SPI size.

Obviously, this doesn’t apply to a ‘0 byte SPI’.  I have no idea how that is 
intended to be processed; does that mean that the decrypter is expected to just 
try to decrypt the packet with all the SAs he has and see which one worked?

From: IPsec <ipsec-boun...@ietf.org> On Behalf Of Daniel Migault
Sent: Tuesday, May 24, 2022 4:48 PM
To: Robert Moskowitz <rgm-...@htt-consult.com>
Cc: Paul Wouters <paul.wouters=40aiven...@dmarc.ietf.org>; IPsecME WG 
<ipsec@ietf.org>
Subject: Re: [IPsec] diet-esp - How do you know?

The issue only comes when a gateway wants to support all sizes of SPIs 0 - 1 - 
2 - 3 - 4 bytes - which is very unlikely. For a deterministic lookup, I would 
suggest using IP addresses and the minimum allowed byte compressed SPI.
If you use 2 - 3 bytes, the likelihood of collision might still be very low to 
support an additional signature check.

Yours,
Daniel

On Tue, May 24, 2022 at 4:30 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:
That is the 'easy' part.

What does the code do when it receives an ESP packet?  How does it know that it 
is a diet-esp packet and apply the rules?

Next Header just says: ESP.
On 5/24/22 16:23, Daniel Migault wrote:
This is correct. IKEv2 is used both to agree on the use of Diet-ESP as well as 
values to be used for the compression/decompression.

Yours,
Daniel

On Tue, May 24, 2022 at 11:14 AM Paul Wouters 
<paul.wouters=40aiven...@dmarc.ietf.org> wrote:

On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:
I think there is something else I am missing here.

How does the receiving system 'know' that the packet is a diet-esp packet?

https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02

It's negotiated with IKEv2.

I guess the IKE stack has to signal this to the ESP implementation on what to 
expect when the policy is installed?

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


--
Daniel Migault
Ericsson





--
Daniel Migault
Ericsson
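As an added illustration of the two proposals in this thread (it is not code from the thread, from Diet-ESP or from draft-mglt-ipsecme-ikev2-diet-esp-extension): the length-prefix idea at the top of the message, where the first two bits of the compressed SPI tell the receiver how many bytes of SPI follow, and Daniel's deterministic lookup keyed on the IP addresses plus the compressed SPI. The prefix table is an assumption (the message only gives 11 for 8-bit and 10 for 16-bit SPIs, "etc."), and the way a 0-byte SPI is handled, by keying on the address pair alone as the installed policy would have to tell ESP, is my own choice, not something the thread settles. The SAD class, function names and sample addresses are likewise invented for the example.

```python
"""Receiver-side handling of a length-prefixed compressed SPI, plus a
deterministic inbound SA lookup keyed on (src, dst, compressed SPI).

Assumed prefix table (only 11 -> 8 bit and 10 -> 16 bit come from the thread):
    11 -> 1 byte, 10 -> 2 bytes, 01 -> 3 bytes, 00 -> 4 bytes.
A 0-byte SPI cannot carry a prefix, so it is resolved from the address pair
alone; this is a design choice for the example, not part of any draft.
"""
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

PREFIX_TO_LEN = {0b11: 1, 0b10: 2, 0b01: 3, 0b00: 4}   # assumed mapping
LEN_TO_PREFIX = {n: p for p, n in PREFIX_TO_LEN.items()}


def spi_len_from_first_byte(first_byte: int) -> int:
    """Compressed SPI length (1..4) signalled by the top two bits."""
    return PREFIX_TO_LEN[(first_byte >> 6) & 0b11]


def allocate_compressed_spi(nbytes: int, sa_index: int) -> bytes:
    """Build a compressed SPI of nbytes whose top two bits encode nbytes and
    whose remaining 8*nbytes-2 bits carry sa_index. Whoever chooses SPIs (the
    IKE responder, in practice) must allocate them this way for the prefix
    trick to be unambiguous on the receiving side."""
    if nbytes not in LEN_TO_PREFIX:
        raise ValueError("compressed SPI must be 1..4 bytes")
    payload_bits = 8 * nbytes - 2
    if not 0 <= sa_index < (1 << payload_bits):
        raise ValueError("sa_index does not fit in %d bits" % payload_bits)
    return ((LEN_TO_PREFIX[nbytes] << payload_bits) | sa_index).to_bytes(nbytes, "big")


def split_compressed_spi(esp_payload: bytes) -> Tuple[bytes, bytes]:
    """Split an ESP payload into (compressed SPI, remainder) using the prefix."""
    if not esp_payload:
        raise ValueError("empty ESP payload")
    n = spi_len_from_first_byte(esp_payload[0])
    if len(esp_payload) < n:
        raise ValueError("truncated SPI: prefix announces %d bytes" % n)
    return esp_payload[:n], esp_payload[n:]


class InboundSAD:
    """Inbound SAs keyed on (src, dst, compressed SPI); b"" means a 0-byte SPI.
    Collisions are refused at install time, so lookup stays deterministic and
    the receiver never has to try every SA until one decrypts."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[str, str, bytes], str] = {}

    @staticmethod
    def _key(src: str, dst: str, cspi: bytes) -> Tuple[str, str, bytes]:
        # normalise textual addresses (e.g. IPv6 zero-compression) before keying
        return (str(ip_address(src)), str(ip_address(dst)), cspi)

    def install(self, src: str, dst: str, cspi: bytes, sa_name: str) -> None:
        key = self._key(src, dst, cspi)
        if key in self._sas:
            raise ValueError("SPI collision for %s -> %s, cspi=%r" % (src, dst, cspi))
        # a 0-byte SPI SA and prefixed SAs cannot coexist on one address pair:
        # the receiver would have no way to tell the two packet layouts apart
        if cspi == b"" and any(k[:2] == key[:2] for k in self._sas):
            raise ValueError("0-byte SPI would shadow other SAs for this address pair")
        if cspi != b"" and self._key(src, dst, b"") in self._sas:
            raise ValueError("address pair already uses a 0-byte SPI")
        self._sas[key] = sa_name

    def lookup(self, src: str, dst: str, esp_payload: bytes) -> Tuple[Optional[str], bytes]:
        """Return (SA name or None, payload after the SPI)."""
        zero = self._key(src, dst, b"")
        if zero in self._sas:            # installed policy says: no SPI on the wire
            return self._sas[zero], esp_payload
        cspi, rest = split_compressed_spi(esp_payload)
        return self._sas.get(self._key(src, dst, cspi)), rest


def demo() -> Tuple[Optional[str], bytes]:
    """Constructed sample: three SAs using 8-bit, 16-bit and 0-byte SPIs."""
    sad = InboundSAD()
    sad.install("10.0.0.1", "10.0.0.2", allocate_compressed_spi(1, 5), "sa-8bit")
    sad.install("10.0.0.1", "10.0.0.2", allocate_compressed_spi(2, 0x123), "sa-16bit")
    sad.install("10.0.0.3", "10.0.0.2", b"", "sa-0bit")
    # constructed packet: 8-bit SPI 0xC5 followed by the rest of the ESP payload
    return sad.lookup("10.0.0.1", "10.0.0.2", b"\xc5\xaa\xbb")


if __name__ == "__main__":
    print(demo())
```

Note that the prefix costs two bits of SPI space per size class (a 1-byte SPI leaves 64 SAs per address pair), and that with the 0-byte case the receiver is relying entirely on the policy IKEv2 installed for that address pair; if it is wrong, the packet is simply parsed under the wrong layout rather than failing a lookup.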