The purpose of this document is to look at how IP packets are modified
by the encryption process. A test network was set up as per the diagram
below and traces taken using Sniffer Pro. A ping was sent from 192.168.0.2
to 192.168.1.2.

Ping packet in the clear
The first trace was taken on the host side of Datacryptor® A. It shows the
ping packet in the clear, before any encryption has taken place:
- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - - - - -
"Flags ","Frame ","Delta Time ","Destination ","Source ","Bytes","Protocol ","Summary"
"M "," 1","0.000.000 ","[192.168.1.2] ","[192.168.0.2] "," 74 ","ICMP"," Echo"
DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 11:00:23.7462; frame size is 74 (004A hex) bytes.
DLC: Destination = Station Racal 8091D9
DLC: Source = Station 00095B07ACFF
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 60 bytes
IP: Identification = 38232
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 128 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = 2314 (correct)
IP: Source address = [192.168.0.2]
IP: Destination address = [192.168.1.2]
IP: No options
IP:
ICMP: ----- ICMP header -----
ICMP:
ICMP: Type = 8 (Echo)
ICMP: Code = 0
ICMP: Checksum = 7756 (correct)
ICMP: Identifier = 512
ICMP: Sequence number = 54277
ICMP: [32 bytes of data]
ICMP:
ICMP: [Normal end of "ICMP header".]
ICMP:
ADDR HEX ASCII
0000: 00 d0 fa 80 91 d9 00 09 5b 07 ac ff 08 00 45 00 | .Ðú€‘Ù..[.¬ÿ..E.
0010: 00 3c 95 58 00 00 80 01 23 14 c0 a8 00 02 c0 a8 | .<•X..€.#.À¨..À¨
0020: 01 02 08 00 77 56 02 00 d4 05 61 62 63 64 65 66 | ....wV..Ô.abcdef
0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 | ghijklmnopqrstuv
0040: 77 61 62 63 64 65 66 67 68 69 | wabcdefghi
As can be seen the packet is 74 bytes in length (14 bytes DLC header,
20 bytes IP header, 8 bytes ICMP header and 32 bytes of data). Note that
in the hex dump at the bottom the data portion (the string of alphabetical
letters abcdefgh etc.) can be seen in the clear. This is the data payload
that will be encrypted by the Datacryptor®.
Ping packet in tunnel mode
An SA was configured between Datacryptor® A and Datacryptor® B in tunnel mode and
a trace taken on the network side of Datacryptor® A.
- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - - - - -
"Flags ","Frame ","Delta Time ","Destination ","Source ","Bytes","Protocol ","Summary"
"M "," 1","0.000.000 ","[172.16.1.2] ","[172.16.0.2] "," 112 ","IP"," ESP SPI=1022"
DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 11:06:20.3717; frame size is 112 (0070 hex) bytes.
DLC: Destination = Station Cisco D583E0
DLC: Source = Station Racal C091D9
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 98 bytes
IP: Identification = 0
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 128 seconds/hops
IP: Protocol = 50 (SIPP-ESP)
IP: Header checksum = E145 (correct)
IP: Source address = [172.16.0.2]
IP: Destination address = [172.16.1.2]
IP: No options
IP:
ESP: ----- IP ESP -----
ESP:
ESP: Security Parameters Index = 1022
ESP: Sequence Number = 276
ESP: Payload Data = ABD30E14D0D2E8D7D9DE4C950949B2647B4B59462703E1FA75568BC11C783A189E2F742AEA002C2F0DB9EE8FC3ABBF6EED...
ADDR HEX ASCII
0000: 00 03 6b d5 83 e0 00 d0 fa c0 91 d9 08 00 45 00 | ..kÕƒà.ÐúÀ‘Ù..E.
0010: 00 62 00 00 00 00 80 32 e1 45 ac 10 00 02 ac 10 | .b....€2áE¬...¬.
0020: 01 02 00 00 03 fe 00 00 01 14 ab d3 0e 14 d0 d2 | .....þ....«Ó..ÐÒ
0030: e8 d7 d9 de 4c 95 09 49 b2 64 7b 4b 59 46 27 03 | è×ÙÞL•.I²d{KYF'.
0040: e1 fa 75 56 8b c1 1c 78 3a 18 9e 2f 74 2a ea 00 | áúuV‹Á.x:./t*ê.
0050: 2c 2f 0d b9 ee 8f c3 ab bf 6e ed 93 f2 77 b0 a0 | ,/.¹îë¿ní“òw°
0060: dc ad 94 8a 64 6a b8 e4 8e ec 08 c0 05 67 a6 f0 | Ü”Šdj¸äì.À.g¦ð
This is the original ping packet after it has been encrypted in tunnel
mode. The packet length is now 112 bytes (an additional 38 bytes):
14 bytes of DLC header, 20 bytes of IP header and 78 bytes of ESP (Encapsulating
Security Payload) data. The ESP data carries the original packet (its IP
header, ICMP header and data portion) in encrypted form. As can be seen, the
data payload is now unreadable, as is the ICMP header. Also note that
the IP protocol type in the IP header has changed from type 1 (ICMP)
to type 50 (ESP, decoded by Sniffer Pro as SIPP-ESP), and that the source and
destination addresses of the outer IP header are now 172.16.0.2 and 172.16.1.2
rather than the original host addresses 192.168.0.2 and 192.168.1.2.
Ping packet in transport mode
The SA between Datacryptor® A and Datacryptor® B was changed from tunnel mode to transport
mode and a trace taken on the network side of Datacryptor® A.
- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - - - - -
"Flags ","Frame ","Delta Time ","Destination ","Source ","Bytes","Protocol ","Summary"
"M "," 1","0.000.000 ","[192.168.1.2] ","[192.168.0.2] "," 92 ","IP"," ESP SPI=1022"
DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 11:15:44.4187; frame size is 92 (005C hex) bytes.
DLC: Destination = Station Cisco D583E0
DLC: Source = Station Racal C091D9
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 78 bytes
IP: Identification = 39197
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 127 seconds/hops
IP: Protocol = 50 (SIPP-ESP)
IP: Header checksum = 200C (correct)
IP: Source address = [192.168.0.2]
IP: Destination address = [192.168.1.2]
IP: No options
IP:
ESP: ----- IP ESP -----
ESP:
ESP: Security Parameters Index = 1022
ESP: Sequence Number = 18
ESP: Payload Data = 4CE6CAD6A87A9631D470FD46231A506FEA176FF297EF7D284A3E7FED9069D3F613182BAA5447F414BBC665B5C16EF9927C...
ADDR HEX ASCII
0000: 00 03 6b d5 83 e0 00 d0 fa c0 91 d9 08 00 45 00 | ..kÕƒà.ÐúÀ‘Ù..E.
0010: 00 4e 99 1d 00 00 7f 32 20 0c c0 a8 00 02 c0 a8 | .N™...2 .À¨..À¨
0020: 01 02 00 00 03 fe 00 00 00 12 4c e6 ca d6 a8 7a | .....þ....LæÊÖ¨z
0030: 96 31 d4 70 fd 46 23 1a 50 6f ea 17 6f f2 97 ef | –1ÔpýF#.Poê.oò—ï
0040: 7d 28 4a 3e 7f ed 90 69 d3 f6 13 18 2b aa 54 47 | }(J>íiÓö..+ªTG
0050: f4 14 bb c6 65 b5 c1 6e f9 92 7c a8 | ô.»ÆeµÁnù’|¨
The packet is now 92 bytes in length: 14 bytes DLC header, 20 bytes
IP header and 58 bytes ESP data. This packet is 20 bytes shorter than
the tunnel packet because it no longer contains the encrypted IP header:
in transport mode the original IP header remains intact and is carried in
the clear, with only its protocol field changed to 50 (ESP).
Ping packet in trunk mode
- - - - - - - - - - - - - - - - - - - - Frame 1 - - - - - - - - - - - - - - - - - - - -
"Flags ","Frame ","Delta Time ","Destination ","Source ","Bytes","Protocol ","Summary"
"M "," 1","0.000.000 ","[192.168.1.2] ","[192.168.0.2] "," 74 ","ICMP"," Unknown"
DLC: ----- DLC Header -----
DLC:
DLC: Frame 1 arrived at 11:17:53.1498; frame size is 74 (004A hex) bytes.
DLC: Destination = Station Cisco D583E0
DLC: Source = Station Racal C091D9
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 60 bytes
IP: Identification = 39497
IP: Flags = 0X
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 127 seconds/hops
IP: Protocol = 1 (ICMP)
IP: Header checksum = 1F23 (correct)
IP: Source address = [192.168.0.2]
IP: Destination address = [192.168.1.2]
IP: No options
IP:
ICMP: ----- ICMP header -----
ICMP:
ICMP: Type = 100 (Unknown)
ICMP: Code = 48
ICMP: Checksum = 1274 (should be 800C)
ICMP: [Normal end of "ICMP header".]
DLC: --- Frame too short
ADDR HEX ASCII
0000: 00 03 6b d5 83 e0 00 d0 fa c0 91 d9 08 00 45 00 | ..kÕƒà.ÐúÀ‘Ù..E.
0010: 00 3c 9a 49 00 00 7f 01 1f 23 c0 a8 00 02 c0 a8 | .<šI....#À¨..À¨
0020: 01 02 64 30 12 74 79 ac 78 3d c4 3d 74 b9 8e bf | ..d0.ty¬x=Ä=t¹¿
0030: 58 b0 fd 00 a5 b3 8d 92 5c 80 dd fc c7 0e cb b9 | X°ý.¥³’\€ÝüÇ.˹
0040: 0d db ca 8a ee 3a 3c 73 08 d1 | .ÛÊŠî:<s.Ñ
Now the overall packet length is 74 bytes (the same as the original
ping packet). The IP header still carries protocol 1 (ICMP) and the original
host addresses, but the bytes that follow it (the ICMP header and data) are
now encrypted in place, which is why Sniffer Pro decodes the ICMP type as
100 (Unknown) and reports the ICMP checksum as incorrect.
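As an added example (not part of the original document), the following Python decodes the first three hex-dump lines of each of the four traces above, verifies the IPv4 header checksum that Sniffer Pro reports as correct, and pulls out the fields the walk-through compares: protocol number, frame and payload lengths, addresses, and the ESP SPI and sequence number (or the ICMP type and code for the clear and trunk-mode frames). The CLEAR, TUNNEL, TRANSPORT and TRUNK constants are the page's own bytes; the function names are assumptions of this example.

```python
# Added example (not code from the original page): decode the first three hex-dump
# lines of the traces above, verify the IPv4 header checksum and pull out the
# fields the walk-through compares (protocol, lengths, ESP SPI and sequence number).
import struct

def parse_dump(dump: str) -> bytes:
    """Turn Sniffer Pro 'ADDR: hex ... | ascii' lines into raw frame bytes."""
    return b"".join(bytes.fromhex(line.split("|")[0].split(":", 1)[1])
                    for line in dump.strip().splitlines())

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 means the stored checksum is correct."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Ethernet (14 bytes, 'DLC' in the traces) + IPv4 header + start of ESP/ICMP."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!HHHBBH", ip[2:12])
    info = {"proto": proto, "ttl": ttl, "ip_total_len": total_len,
            "frame_len": 14 + total_len,          # what Sniffer Pro reports as frame size
            "payload_len": total_len - ihl,       # ICMP (proto 1) or ESP (proto 50) bytes
            "checksum_ok": ip_checksum(ip[:ihl]) == 0,
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    if proto == 50:   # ESP: 4-byte SPI and 4-byte sequence number precede the ciphertext
        info["spi"], info["seq"] = struct.unpack("!II", ip[ihl:ihl + 8])
    elif proto == 1:  # ICMP: type and code are the first two bytes after the IP header
        info["icmp_type"], info["icmp_code"] = ip[ihl], ip[ihl + 1]
    return info

# First three dump lines of each trace above (enough for every header field).
CLEAR = """0000: 00 d0 fa 80 91 d9 00 09 5b 07 ac ff 08 00 45 00
0010: 00 3c 95 58 00 00 80 01 23 14 c0 a8 00 02 c0 a8
0020: 01 02 08 00 77 56 02 00 d4 05 61 62 63 64 65 66"""
TUNNEL = """0000: 00 03 6b d5 83 e0 00 d0 fa c0 91 d9 08 00 45 00
0010: 00 62 00 00 00 00 80 32 e1 45 ac 10 00 02 ac 10
0020: 01 02 00 00 03 fe 00 00 01 14 ab d3 0e 14 d0 d2"""
TRANSPORT = """0000: 00 03 6b d5 83 e0 00 d0 fa c0 91 d9 08 00 45 00
0010: 00 4e 99 1d 00 00 7f 32 20 0c c0 a8 00 02 c0 a8
0020: 01 02 00 00 03 fe 00 00 00 12 4c e6 ca d6 a8 7a"""
TRUNK = """0000: 00 03 6b d5 83 e0 00 d0 fa c0 91 d9 08 00 45 00
0010: 00 3c 9a 49 00 00 7f 01 1f 23 c0 a8 00 02 c0 a8
0020: 01 02 64 30 12 74 79 ac 78 3d c4 3d 74 b9 8e bf"""

if __name__ == "__main__":
    for name, dump in [("clear", CLEAR), ("tunnel", TUNNEL), ("transport", TRANSPORT), ("trunk", TRUNK)]:
        print(name, decode_frame(parse_dump(dump)))
```

Running it reproduces the lengths quoted in the text (74, 112, 92 and 74 bytes; 78 and 58 bytes of ESP data) and shows that only the tunnel-mode frame changes the IP addresses.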