A quick refresh of the IKEv2 establishment can be summarised in the following figure:
For a brief explanation of the used notation, please check my previous blogpost.
Of a special interest for the IKEv2 Establishment is the Encrypted Payload (also known as Encrypted and Authenticated Payload). This payload looks like this when captured by Wireshark
So, in one of my previous blog posts I had a question how this payload is constructed. It is a very good one, because although explained in RFC 7296, it is not that easy to figure this out (I had also several thorough looks to understand it). So. here you go.
In a nutshell, the Encrypted payload is constructed as follows:
where SK header is the header of the Encrypted payload, IV is the Initialisation Vector, int. hash is the integrity hash.
A snippet Python code would be as follows:
padlen = block_size - (len(plain) % block_size) - 1
plain += b'\x00' * padlen + bytes([padlen])
ciphertext=crypto.encrypt(sk_ei, bytes(iv), plain)
encrypted = iv + ciphertext
encrypted = encrypted + b'\x00' *hash_size
The key sk_ei is calculated as described here.
I hope this clarifies a few things.
I am planning to release a white paper on the IKEv2 attack surface soon, accompanied by the release of an open source tool to perform the described on the paper tests.
So, stay tuned ;-)