Next: , Previous: , Up: Security   [Contents][Index]


6.3.2 Encryption of network packets

A data packet can only be sent if the encryption key is known to both parties, and the connection is activated. If the encryption key is not known, a request is sent to the destination using the meta connection to retrieve it. The packet is stored in a queue while waiting for the key to arrive.

The UDP packet containing the network packet from the VPN has the following layout:

... | IP header | UDP header | seqno | VPN packet | MAC | UDP trailer
                             \___________________/\_____/
                                       |             |
                                       V             +---> digest algorithm
                         Encrypted with symmetric cipher

So, the entire VPN packet is encrypted using a symmetric cipher, including a 32 bits sequence number that is added in front of the actual VPN packet, to act as a unique IV for each packet and to prevent replay attacks. A message authentication code is added to the UDP packet to prevent alteration of packets. By default the first 4 bytes of the digest are used for this, but this can be changed using the MACLength configuration variable.