[OpenAFS-devel] understanding rxkad

Hartmut Reuter reuter@rzg.mpg.de
Fri, 06 Oct 2006 15:25:08 +0200


John Hascall wrote:
> Below is the first packet resulting from 'vos exam 536870918'
> as recorded by tcpdump
> 
> 21:18:34.909524 IP (tos 0x0, ttl 64, id 30762, offset 0, flags [none], length: 72)
>   sw-cs-4.its.iastate.edu.57716 > sw-db-1.its.iastate.edu.afs3-volser: [udp sum ok]
>   rx data cid 63564ddc call# 1 seq 1 ser 1 <client-init>,<last-pckt>
>   vol call op#-740061092 (44)
>         0x0000:  4500 0048 782a 0000 4011 db69 81ba 91d1  E..Hx*..@..i....
>         0x0010:  81ba 91cb e174 1b5d 0034 555a 785f dd1a  .....t.].4UZx_..
>         0x0020:  6356 4ddc 0000 0001 0000 0001 0000 0001  cVM.............
>         0x0030:  0105 0002 d3c6 0004 d3e3 905c 0e72 180e  ...........\.r..
>         0x0040:  0000 0000 2000 0006
> 
> Ok, ignoring the first 28 bytes (20 IP, 8 UDP),
> we have:
>    H    785f dd1a       Epoch
>    e    6356 4ddc       Conn-ID(chan-ID=00)
>    a    0000 0001       Call 1
>    d    0000 0001       Sequence 1 
>    e    0000 0001       Serial 1
>    r    0105 0002       Type(1=data) Flags<client,last> Status=0, Security=2
>         d3c6 0004       Checksum Service-ID
> 
>   PL    d3e3 905c       (encrypted XListOneVolume?)
>   ao    0e72 180e
>   ya    0000 0000       (partition 0)
>    d    2000 0006       (536870918, volume-id)
> 
> What I'm not understanding are the first 8 bytes of payload.
> If this command is executed with '-noauth' they are replaced
> with 4 bytes (0000 007d) aka XListOneVolume.
> 
> Why would just those bytes be encrypted?  Are they encrypted?
> Or is it some encoding I just don't understand?  How does the
> receiving end know that just those bytes are encrypted?  Etc?
> And with what key (since the two packets that follow are
> challenge, response) [then the reply and ackall].


rxkad is sort of stateless: The client starts sending encrypted data (in 
this case only the command). When the server has no security data for 
this connection, it replies with the challenge packet, which the client 
then answers with the challenge response packet containing the 
security data. These are decrypted with the KeyFile on the server and 
then allow the server to extract the session key to decrypt the 1st packet.

The advantage is that a server restart between RPCs doesn't really 
matter because both sides resynchronize their security data automatically.

If you had called the vos command with -encrypt, then probably 
the whole payload would have been encrypted as well.

Hartmut
> 
> 
> Thanks,
> John
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel


-- 
-----------------------------------------------------------------
Hartmut Reuter                           e-mail reuter@rzg.mpg.de
                                         phone  +49-89-3299-1328
RZG (Rechenzentrum Garching)             fax    +49-89-3299-1301
Computing Center of the Max-Planck-Gesellschaft (MPG) and the
Institut fuer Plasmaphysik (IPP)
-----------------------------------------------------------------
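As an added example (not code from this thread or from OpenAFS), the parser below decodes the packet John quoted: it strips the IP/UDP headers, unpacks the 28-byte Rx header into the fields John labelled, and shows the point behind "how does the receiving end know": the Rx header's security index (2 here) tells the server which security class governs the payload, so the opcode is only readable in the clear when the index is 0 (rxnull, what -noauth sends). The -noauth packet is constructed from John's description of it, the packet-type and flag names are the Rx values I am certain of, and the code does not decrypt anything: what rxkad does with the leading 8 bytes is what the reply above explains.

```python
"""Decode the Rx packet header of the 'vos exam' request captured in this thread."""
import struct

# Constructed input: the raw IP packet from the tcpdump hex dump quoted above
# (72 bytes = 20 IP + 8 UDP + 28 Rx header + 16 Rx payload).
CAPTURE_HEX = """
4500 0048 782a 0000 4011 db69 81ba 91d1
81ba 91cb e174 1b5d 0034 555a 785f dd1a
6356 4ddc 0000 0001 0000 0001 0000 0001
0105 0002 d3c6 0004 d3e3 905c 0e72 180e
0000 0000 2000 0006
"""

# Constructed: the same request as John describes it for '-noauth', Rx part
# only: security index 0, no checksum, and the 8 rxkad bytes replaced by the
# 4-byte opcode 0x7d.  This is a hypothetical reconstruction, not a capture.
NOAUTH_RX_HEX = """
785f dd1a 6356 4ddc 0000 0001 0000 0001 0000 0001
0105 0000 0000 0004 0000 007d 0000 0000 2000 0006
"""

RX_HEADER_LEN = 28
PACKET_TYPES = {1: "data", 2: "ack", 3: "busy", 4: "abort",
                5: "ackall", 6: "challenge", 7: "response", 8: "debug"}
FLAG_BITS = {0x01: "client-init", 0x02: "req-ack", 0x04: "last-pckt",
             0x08: "more-pckts", 0x10: "free-pckt"}
SECURITY_CLASSES = {0: "rxnull", 2: "rxkad"}


def hex_dump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))


def rx_from_ip_packet(pkt):
    """Strip the IPv4 and UDP headers, checking the lengths they carry."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_total = struct.unpack("!H", pkt[2:4])[0]
    if ip_total != len(pkt) or pkt[9] != 17:      # complete datagram, proto UDP
        raise ValueError("not a complete IPv4/UDP packet")
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    rx = pkt[ihl + 8:ihl + udp_len]
    if len(rx) != udp_len - 8:
        raise ValueError("truncated UDP payload")
    return rx


def parse_rx_header(rx):
    """Unpack the fixed 28-byte Rx header; everything after it is payload."""
    if len(rx) < RX_HEADER_LEN:
        raise ValueError("short Rx packet")
    (epoch, cid, call, seq, serial, ptype, flags, status, secidx,
     checksum, service) = struct.unpack("!5I4B2H", rx[:RX_HEADER_LEN])
    return {
        "epoch": epoch,
        "conn_id": cid & ~0x3,          # low two bits of the cid are the channel
        "channel": cid & 0x3,
        "call": call, "seq": seq, "serial": serial,
        "type": PACKET_TYPES.get(ptype, "type-%d" % ptype),
        "flags": [name for bit, name in FLAG_BITS.items() if flags & bit],
        "status": status,
        "security_index": secidx,
        "security_class": SECURITY_CLASSES.get(secidx, "unknown"),
        "checksum": checksum,            # used by the security class, 0 for rxnull
        "service_id": service,           # 4 = volser, matching the afs3-volser port
        "payload": rx[RX_HEADER_LEN:],
    }


def describe_request(hdr):
    """What the receiver can tell about the payload from the header alone."""
    if hdr["type"] != "data":
        return {"kind": hdr["type"]}
    p = hdr["payload"]
    if hdr["security_index"] == 0:
        # rxnull: the XDR-encoded RPC opcode is the first word, in the clear.
        return {"kind": "rxnull request",
                "opcode": struct.unpack("!I", p[:4])[0], "args": p[4:]}
    # Any other index: the security class owns the front of the payload.  For
    # rxkad the server needs the connection's security data before it can
    # interpret these bytes; lacking it, it answers with a challenge.  The
    # 8-byte prefix is what the dump shows, not an rxkad constant derived here.
    return {"kind": "%s-protected request" % hdr["security_class"],
            "opaque_prefix": p[:8], "rest": p[8:]}


def parse_capture():
    return parse_rx_header(rx_from_ip_packet(hex_dump_to_bytes(CAPTURE_HEX)))


if __name__ == "__main__":
    for label, hdr in (("capture", parse_capture()),
                       ("noauth", parse_rx_header(hex_dump_to_bytes(NOAUTH_RX_HEX)))):
        print(label, {k: v for k, v in hdr.items() if k != "payload"})
        print("   ", describe_request(hdr))
```

In the captured packet the parser reports security index 2 and hands back the 8 opaque bytes d3e3905c 0e72180e followed by the plaintext partition and volume-id words; in the constructed -noauth packet the same position yields opcode 125 in the clear. The header, not the payload, is what makes that distinction for the receiver.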