5.3.8 Packet Layout in the I/O Data Stream

The usage of Standard RDP Security mechanisms (section 5.3) results in a security header being present in all packets following the Security Exchange PDU (section 2.2.1.10) when encryption is in force. Connection sequence PDUs following the RDP Security Commencement phase of the RDP Connection Sequence (section 1.3.1.1) and slow-path packets have the same general wire format.

Figure 9: Slow-path packet layout

The Security Header essentially contains flags and a MAC signature taken over the encrypted data (see section 5.3.6 for details on the MAC generation). In FIPS scenarios, the header also includes the number of padding bytes appended to the data.

Fast-path packets are more compact and formatted differently, but the essential contents of the Security Header are still present. For non-FIPS scenarios, the packet layout is as follows.

Figure 10: Non-FIPS fast-path packet layout

In FIPS fast-path scenarios, the packet layout is as follows.

Figure 11: FIPS fast-path packet layout

If no encryption is in effect, the Selected Encryption Method and Encryption Level (section 5.3.1) returned to the client are zero. The Security Header will not be included with any data sent on the wire, except for the Client Info (section 2.2.1.11) and licensing PDUs (see section 2.2.1.12 for an example of a licensing PDU), which always contain the Security Header.

See sections 2.2.8.1 and 2.2.9.1 for more details on slow-path and fast-path packet formats and the structure of the Security Header in both of these scenarios.
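
A parser for the slow-path Security Header described above, as an added example that is not part of the specification text. Field sizes and the `SEC_ENCRYPT` flag follow the TS_SECURITY_HEADER structures of MS-RDPBCGR section 2.2.8.1, which this page references but does not reproduce; the function name, the `fips` parameter and the sample packets are this example's own.

```python
import struct

# Flag value and field sizes follow the TS_SECURITY_HEADER structures of
# MS-RDPBCGR section 2.2.8.1; they are assumptions not spelled out on this page.
SEC_ENCRYPT = 0x0008
FIPS_HEADER_LENGTH = 0x0010   # fixed value of the FIPS header's length field
TSFIPS_VERSION1 = 0x01
MAC_LEN = 8


def parse_slow_path_security_header(buf: bytes, fips: bool) -> dict:
    """Parse the Security Header at the start of buf (the bytes after the MCS header).

    Returns the flags, MAC signature, FIPS pad length and still-encrypted payload.
    Raises ValueError on truncated or inconsistent input.
    """
    if len(buf) < 4:
        raise ValueError("truncated basic security header")
    flags, flags_hi = struct.unpack_from("<HH", buf, 0)
    hdr = {"flags": flags, "flags_hi": flags_hi,
           "encrypted": bool(flags & SEC_ENCRYPT), "mac": None, "padlen": 0}
    off = 4
    if hdr["encrypted"]:
        if fips:
            # FIPS adds length, version and the padding-byte count.
            if len(buf) < off + 4:
                raise ValueError("truncated FIPS fields")
            length, version, padlen = struct.unpack_from("<HBB", buf, off)
            if length != FIPS_HEADER_LENGTH or version != TSFIPS_VERSION1:
                raise ValueError("unexpected FIPS header length or version")
            hdr["padlen"] = padlen
            off += 4
        if len(buf) < off + MAC_LEN:
            raise ValueError("truncated MAC signature")
        hdr["mac"] = buf[off:off + MAC_LEN]
        off += MAC_LEN
        if hdr["padlen"] > len(buf) - off:
            raise ValueError("padlen exceeds encrypted data length")
    # Without SEC_ENCRYPT only the 4-byte flags header precedes the data
    # (the Client Info and licensing PDU case when no encryption is in effect).
    hdr["payload"] = buf[off:]
    return hdr


# Constructed sample packets (not captured traffic).
NON_FIPS = struct.pack("<HH", SEC_ENCRYPT, 0) + bytes(range(8)) + b"\xAA" * 5
FIPS = (struct.pack("<HHHBB", SEC_ENCRYPT, 0, 0x0010, 0x01, 3)
        + bytes(range(8)) + b"\xBB" * 8)
```

The payload returned for an encrypted packet is ciphertext; in the FIPS case the `padlen` trailing bytes are removed only after decryption.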