sec_trailer_cl Structure

When a PDU header's auth_proto field is nonzero, [C706] section 12.3, and section 13.3.4, specify that the stub data of the packet is padded to the next 8-byte boundary and MUST be followed by an auth_trailer_cl_t structure. These extensions divide the auth_trailer_cl_t type into a fixed-length security header and a variable-length token following the security header. For information on the authentication token, including determination of its length, see section

For request and response PDUs, where the request and response PDUs are part of a fragmented request or where response and authentication are requested, the sec_trailer_cl structure is present in every fragment of the request or response.

 typedef struct {
   unsigned char auth_level;
   unsigned char key_vers_num;
 } sec_trailer_cl;

auth_level: This field MUST be one of the authentication levels specified in section The values serve a dual purpose. The first purpose is to specify how security has to be applied to the PDU, as specified in section The second purpose is to serve as a parameter to the security provider that it SHOULD use to determine how to provide protection for the PDU; for details on how security providers use that, see the documentation for the respective security provider. If a request or response is fragmented, all PDUs from that request or response MUST have the same auth_level.

key_vers_num: This field is a numeric identifier that identifies the security context within the activity that MUST be used for this PDU.

Immediately after the sec_trailer_cl structure, there MUST be a sequence of padding bytes followed by a BLOB carrying the authentication information produced by the security provider. This BLOB is called the authentication token.

If the auth_level is RPC_C_AUTHN_LEVEL_PKT_PRIVACY, the number of padding bytes is calculated as follows.

Number of padding bytes = MBSR4 - 2


  • MBSR4: MessageBlockSize of the security context rounded up to a multiple of 4.

See the documentation for the respective security provider for the value of the MessageBlockSize. MessageBlockSize MUST be a power of 2.

For other auth_level values, the number of padding bytes is two.