linux-ipsec: Re: byte order

-----BEGIN PGP SIGNED MESSAGE----- To: linux-ipsec@clinet.fi
Subject: Re: byte order
Cc:
Date: 03/30/98, 16:43:41

We should rename this to answer-the-OpenBSD-IPsec-questions@clinet.fi :-)

>I am trying to understand the byte ordering used in OpenBSD. It seems
>that the spi is stored in the tdb in network order rather than host
>order. Additionally, the xform data is stored in host order. Why the
>difference?

xform data are typically the keys etc, which involve operations that happen on the local host only. The spi and the address in the tdb on the other hand are used for comparisons with incoming packets and to set fields in outgoing packets.

>Additionally, it seems the hash is going through translation in the
>final step, while I can't really tell if the encryption is doing so.

Translation ?

>After checking and rechecking the specs to make sure I have everything
>in the right place and order, I am still coming up with packets that
>are refused in both directions because of authentication. This leads
>me to conclude that either I have the keying material wrong in byte
>ordering or the same problems in both encoding and decoding. I would
>tend to suspect the latter.

Well, seeing as the OpenBSD code works against everyone... When doing ESP, make sure you actually define some IV (even if full-zeros) in both directions at command line. If you don't, the code will use the replay counter to seed the IV, for old-style compatibility.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

>I also understand that the ipsec-0.5/6 code was able to interop in Ottawa
>last September. With what did it interop? Did the other product interop
>with anyone else?

Not that I remember. The only thing that did interop was pluto. Unless Hugh did more tests.
- -Angelso

-----BEGIN PGP SIGNATURE-----

Version: 2.6.3i
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNSASDb0pBjh2h1kFAQG4mQP8D7eA3yYbNZYZXH5j8HCGq7uK6qPYo9nR yjP11u3cCYXlPxwRmMefKnWCQSy4WIwWFJq8b1Zrqk5Cjdmaybf0FJT0O4nXsfd2 hydhSjEWolmP7rpMPUuv+CVZ4skOaAN4gH4TeXktjUuJESvn3S/jw9ktcdHmRs1p +jcJVO9Qovw=
=J/ww
-----END PGP SIGNATURE----- Received on Mon Mar 30 18:13:43 1998