Overview#DNC Decryption Flow detects and decrypts selected communications that are encrypted using IPsec then re-injects the unencrypted packets back into TURMOIL Stage 1.
The DNC eventing (PPF) components in TURMOIL detect all IKE/ISAKMP and ESP packets and queries KEYCARD for each unique IKE exchange session and each unique ESP session to determine if the link should be selected for processing. Selection is based on IP Address.
Decryption is attempted if either the source or the destination IP address is targeted for decryption in KEYCARD (the KEYCARD tasking action is labeled "TRANSFORM" so as not to use the term "decrypt"). If KEYCARD returns a hit for an IKE packet, then the IKE packet is sent to LONGHAUL where is is used to recover keys.
If KEYCARD returns a hit for an ESP packet, a key request is sent to LONGHAUL. The IPsec Security Parameter Index (SP1) correlate s IKE sessions with ESP sessions. A LONGHAUL response message will either return the key or indicate that a key could not be recovered. If a key is recovered, the ESP packets are decrypted and re-injected into TURMOIL for further processing.