[OpenAFS-devel] understanding rxkad
John Hascall
john@iastate.edu
Fri, 06 Oct 2006 07:42:53 CDT
Below is the first packet resulting from 'vos exam 536870918'
as recorded by tcpdump:
21:18:34.909524 IP (tos 0x0, ttl 64, id 30762, offset 0, flags [none], length: 72) sw-cs-4.its.iastate.edu.57716 > sw-db-1.its.iastate.edu.afs3-volser: [udp sum ok] rx data cid 63564ddc call# 1 seq 1 ser 1 <client-init>,<last-pckt> vol call op#-740061092 (44)
0x0000: 4500 0048 782a 0000 4011 db69 81ba 91d1 E..Hx*..@..i....
0x0010: 81ba 91cb e174 1b5d 0034 555a 785f dd1a .....t.].4UZx_..
0x0020: 6356 4ddc 0000 0001 0000 0001 0000 0001 cVM.............
0x0030: 0105 0002 d3c6 0004 d3e3 905c 0e72 180e ...........\.r..
0x0040: 0000 0000 2000 0006
Ok, ignoring the first 28 bytes (20 IP, 8 UDP),
we have:
 H   785f dd1a  Epoch
 e   6356 4ddc  Conn-ID(chan-ID=00)
 a   0000 0001  Call 1
 d   0000 0001  Sequence 1
 e   0000 0001  Serial 1
 r   0105 0002  Type(1=data) Flags<client,last> Status=0, Security=2
     d3c6 0004  Checksum Service-ID
 PL  d3e3 905c  (encrypted XListOneVolume?)
 ao  0e72 180e
 ya  0000 0000  (partition 0)
  d  2000 0006  (536870918, volume-id)
What I'm not understanding are the first 8 bytes of payload.
If this command is executed with '-noauth' they are replaced
with 4 bytes (0000 007d) aka XListOneVolume.
Why would just those bytes be encrypted? Are they encrypted?
Or is it some encoding I just don't understand? How does the
receiving end know that just those bytes are encrypted? Etc?
And with what key (since the two packets that follow are
challenge, response) [then the reply and ackall].
Thanks,
John
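
The manual decode in the message above, as an added example that is not part of the original post: it parses the same captured bytes with the rx wire header layout and reproduces the listed field values. The function names are hypothetical, and the first 8 payload bytes are left opaque, as in the post.

```python
import struct

# Packet bytes copied from the tcpdump hex dump in the post (IP + UDP + rx).
PACKET = bytes.fromhex(
    "4500 0048 782a 0000 4011 db69 81ba 91d1"
    "81ba 91cb e174 1b5d 0034 555a 785f dd1a"
    "6356 4ddc 0000 0001 0000 0001 0000 0001"
    "0105 0002 d3c6 0004 d3e3 905c 0e72 180e"
    "0000 0000 2000 0006"
)

# rx wire header: five 32-bit words, four single bytes, two 16-bit fields.
RX_HEADER = struct.Struct("!IIIIIBBBBHH")
RX_TYPES = {1: "data", 2: "ack", 3: "busy", 4: "abort",
            5: "ackall", 6: "challenge", 7: "response", 8: "debug"}
RX_FLAGS = {0x01: "client-initiated", 0x02: "request-ack",
            0x04: "last-packet", 0x08: "more-packets"}

def parse_rx(packet):
    """Hypothetical helper: skip IPv4 and UDP, decode the rx header."""
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    sport, dport, udp_len, _ = struct.unpack_from("!HHHH", packet, ihl)
    rx_off = ihl + 8                             # rx starts after the UDP header
    if len(packet) < rx_off + RX_HEADER.size:
        raise ValueError("truncated rx header")
    (epoch, cid, call, seq, serial, ptype, flags,
     status, security, checksum, service) = RX_HEADER.unpack_from(packet, rx_off)
    return {
        "sport": sport, "dport": dport,
        "epoch": epoch,
        "conn_id": cid & 0xFFFFFFFC,             # low 2 bits select the channel
        "channel": cid & 0x3,
        "call": call, "seq": seq, "serial": serial,
        "type": RX_TYPES.get(ptype, "type-%d" % ptype),
        "flags": [n for bit, n in RX_FLAGS.items() if flags & bit],
        "status": status, "security": security,
        "checksum": checksum, "service": service,
        "payload": packet[rx_off + RX_HEADER.size:ihl + udp_len],
    }

def split_payload(payload):
    """Split the 16-byte payload the way the post reads it."""
    partition, volume = struct.unpack("!II", payload[8:16])
    return payload[:8], partition, volume        # first 8 bytes left opaque

if __name__ == "__main__":
    hdr = parse_rx(PACKET)
    print(hdr)
    print(split_payload(hdr["payload"]))
```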