Encapsulating Security Payload (ESP)

- ESP is a member of the IPsec protocol suite. It is the portion of IPsec that provides origin authenticity, integrity, and confidentiality protection of packets.

- Unlike Authentication Header (AH), ESP does not protect the IP packet header. The following ESP packet diagram shows how an ESP packet is constructed and interpreted:

When an IP datagram carries an ESP header and trailer, the value of the protocol field in the IP header is 50. A field inside the ESP trailer (the next-header field) holds the original value of the protocol field (the type of payload being carried by the IP datagram, such as TCP or UDP). The ESP procedure follows these steps:

1. An ESP trailer is added to the payload.
2. The payload and the trailer are encrypted.
3. The ESP header is added.
4. The ESP header, payload, and ESP trailer are used to create the authentication data.
5. The authentication data are added to the end of the ESP trailer.
6. The IP header is added after the protocol value is changed to 50.

The fields for the header and trailer are as follows:

- Security parameter index. The 32-bit security parameter index field is similar to that defined for the AH Protocol.
- Sequence number. The 32-bit sequence number field is similar to that defined for the AH Protocol.
- Padding. This variable-length field (0 to 255 bytes) of 0s serves as padding.
- Pad length. The 8-bit pad length field defines the number of padding bytes. The value is between 0 and 255; the maximum value is rare.
- Next header. The 8-bit next-header field is similar to that defined in the AH Protocol. It serves the same purpose as the protocol field in the IP header before encapsulation.
- Authentication data. Finally, the authentication data field is the result of applying an authentication scheme to parts of the datagram. Note the difference between the authentication data in AH and ESP. In AH, part of the IP header is included in the calculation of the authentication data; in ESP, it is not.

ESP provides source authentication, data integrity, and privacy.
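The six steps and the header/trailer fields above, carried out on a constructed packet as an added example (not code from the original text): the trailer is built and encrypted with the payload, the SPI/sequence header is prepended, the ICV is computed over header plus ciphertext and appended, and finally a minimal IP header with protocol 50 is added. The receiver checks the ICV before decrypting. The keys are constructed demo values, and the cipher is a toy keystream stand-in so the example runs with the standard library only; a real SA negotiates a cipher such as AES.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real SA would get them from IKE negotiation.
ENC_KEY = b"constructed-esp-encryption-key!!"
AUTH_KEY = b"constructed-esp-authentication!!"
ICV_LEN = 12    # 96-bit truncated HMAC, as in HMAC-SHA1-96 / HMAC-SHA256-96
ESP_PROTO = 50  # protocol value written into the IP header in step 6

def keystream(spi, seq, n):
    # Toy stand-in for the SA's cipher (HMAC-SHA256 used as a counter-mode PRF); not real ESP crypto.
    blocks = (hmac.new(ENC_KEY, struct.pack("!III", spi, seq, i), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def esp_encapsulate(spi, seq, payload, next_header):
    # Step 1: trailer = zero padding + Pad Length + Next Header (the original protocol, e.g. 6 = TCP);
    # pad so that Pad Length and Next Header end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    plain = payload + bytes(pad_len) + bytes([pad_len, next_header])
    # Step 2: encrypt payload + trailer together
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(spi, seq, len(plain))))
    # Step 3: ESP header = 32-bit SPI + 32-bit sequence number (sent in the clear)
    header = struct.pack("!II", spi, seq)
    # Steps 4-5: authentication data over header + encrypted body, appended after the trailer
    icv = hmac.new(AUTH_KEY, header + cipher, hashlib.sha256).digest()[:ICV_LEN]
    return header + cipher + icv

def esp_decapsulate(packet):
    """Return (spi, seq, next_header, payload), or None if the ICV or the trailer is bad."""
    if len(packet) < 8 + 4 + ICV_LEN:
        return None
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # check authenticity first, in constant time
        return None
    spi, seq = struct.unpack("!II", header)
    plain = bytes(a ^ b for a, b in zip(body, keystream(spi, seq, len(body))))
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2 or any(plain[-2 - pad_len:-2]):  # padding must be the declared zeros
        return None
    return spi, seq, next_header, plain[:-2 - pad_len]

def ip_encapsulate(src, dst, esp_packet):
    # Step 6: minimal IPv4 header (no options, checksum left 0) with protocol = 50 in front of the ESP packet
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp_packet), 0, 0, 64, ESP_PROTO, 0, src, dst) + esp_packet

def ip_decapsulate(datagram):
    # The outer IP header is outside the ICV: ESP cannot detect changes made to it in transit
    return esp_decapsulate(datagram[20:]) if datagram[9] == ESP_PROTO else None
```

Flipping one ciphertext byte makes the receiver reject the packet, while rewriting the outer IP addresses does not, which is exactly the AH/ESP difference noted under "Authentication data".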
