ESP
Click on the red underlined text to get to the source
... Non-repudiation and
protection from traffic analysis are not provided by ESP. The IP
Authentication Header (AH) might provide non-repudiation ...
... Atk95b]. The IP Authentication
Header may be used in conjunction with ESP to provide authentication.
Users desiring integrity ...
... should use the IP Authentication Header (AH) instead of ESP. This
document assumes that the reader is familiar with the related
document "IP Security Architecture ...
...
The IP Encapsulating Security Payload (ESP) seeks to provide
confidentiality and integrity by encrypting ...
... encrypted portion of the Encapsulating Security Payload and that
entire ESP frame is placed within a datagram having unencrypted IP
headers. The information in the unencrypted IP headers ...
...
In Transport-mode ESP, the ESP header is inserted into the IP
datagram immediately prior to the transport-layer ...
... In Transport-mode ESP, the ESP header is inserted into the IP
datagram immediately prior to the transport-layer protocol header ...
... header after the IP header
and before the ESP header in a Transport-mode ESP packet, and also as
...
... and before the ESP header in a Transport-mode ESP packet, and also as
a header within the encrypted ...
... header within the encrypted portion of a Tunnel-mode ESP packet.
When AH is present both in the cleartext IP header ...
... IP header and also inside a
Tunnel-mode ESP header of a single packet, the unencrypted IPv6
Authentication Header ...
... than other IP payloads. The first component of the ESP payload
consist of the unencrypted field(s) of the payload. The second
...
... component consists of encrypted data. The field(s) of the
unencrypted ESP header inform the intended receiver how to properly
decrypt and process the encrypted data ...
...
The concept of a "Security Association" is fundamental to ESP. It is
described in detail in the companion document "Security Architecture
for the Internet Protocol" which is incorporated here by reference
...
... and maintains a logical table containing the several parameters for
each current security association. An ESP implementation normally
needs to read that security parameter table to determine how to
...
... security parameter table to determine how to
process each datagram containing an ESP (e.g., which algorithm/mode
and key to use).
...
...
The Encapsulating Security Payload (ESP) may appear anywhere after
the IP header and before the final transport-layer ...
... Internet Assigned Numbers Authority has assigned Protocol Number 50
to ESP [STD-2]. The header immediately preceding an ESP header ...
... ESP [STD-2]. The header immediately preceding an ESP header will
always contain the value 50 in its Next Header (IPv6 ...
... IPv6) or Protocol
(IPv4) field. ESP consists of an unencrypted header followed by
encrypted data ...
... encrypted data. The encrypted data includes both the protected ESP
header fields and the protected user data, which is either an entire
IP datagram ...
... | IP Header | Other IP Headers | ESP Header | encrypted data |
+-------------+--------------------+------------+---------------------+
...
... +-------------+--------------------+------------+---------------------+
A more detailed diagram of the ESP Header follows below.
+-------------+--------------------+------------+---------------------+
...
... the Opaque Transform Data associated with them are known as
"transforms". The ESP format is designed to support new transforms
in the future to support new or additional cryptographic algorithms.
...
... might be used with IPv4) in addition to using the implicit labels
provided by ESP. Explicit label options could be defined for use
with IPv6 (e.g., using the IPv6 ...
... Header). Implementations MAY support explicit
labels in addition to implicit labels, but implementations are not
required to support explicit labels. Implementations of ESP in
systems claiming to provide multi-level security ...
...
This section describes the steps taken when ESP is in use between two
communicating parties. Multicast is different from unicast ...
... key management (See the definition of the SPI, above, for
more detail on this). There are two modes of use for ESP. The first
mode, which is called "Tunnel-mode", encapsulates ...
... Tunnel-mode", encapsulates an entire IP
datagram inside ESP. The second mode, which is called "Transport-
Mode", encapsulates ...
... UDP, TCP) frame inside
ESP. The term "Transport-mode" must not be misconstrued as
restricting its use to TCP ...
... Transport-mode" or the "Tunnel-mode"
depending upon circumstance. ESP processing occurs prior to IP
fragmentation ...
... ESP in Tunnel-mode ...
... IP datagram, encapsulates it into the
ESP, uses at least the sending userid and Destination Address as data
to locate the correct Security Association ...
... encryption key for this communications session prior to
the use of ESP. The (now encrypted) ESP is then encapsulated ...
... SPI value to locate the
correct session key to use for this packet. It then decrypts the ESP
using the session key that was just located for this packet.
...
... receiver MUST discard the
encrypted ESP and the failure MUST be recorded in the system log or
audit log. This system log or audit log entry SHOULD include the SPI
value, date/time ...
... IP datagram is then removed from
the (now decrypted) ESP. This original IP datagram is then processed
as per the normal IP protocol ...
... ICMP)
frame, encapsulates it into the ESP, uses at least the sending userid
and Destination Address to locate the appropriate Security
Association ...
... encryption. The (now encrypted)
ESP is then encapsulated as the last payload of a cleartext IP
datagram ...
... Flow ID, Routing Header).
It then decrypts the ESP using the session key that has been
established for this traffic ...
... session or the attempt to decrypt fails,
the encrypted ESP MUST be discarded and the failure MUST be recorded
in the system log or audit log. If such a failure occurs, the
recorded log data SHOULD include the SPI value ...
... ICMP) frame is removed from the (now decrypted) ESP. The information
from the cleartext IP header and the now decrypted transport-layer ...
... Encapsulating Security Payload. There are two different approaches
to using the Authentication Header with ESP, depending on which data
is to be authenticated. The location of the Authentication Header ...
... including both the encrypted and unencrypted portions, while only the
data sent after the ESP Header is confidential. In this usage, the
sender first applies ESP ...
... ESP Header is confidential. In this usage, the
sender first applies ESP to the data being protected. Then the other
plaintext IP headers ...
... plaintext IP headers are prepended to the ESP header and its now
encrypted data. Finally, the IP Authentication Header ...
... authentication succeeds, decryption using the normal IP ESP process
occurs. If decryption is successful, then the resulting data is
...
... authentication process were to be applied only to the data
protected by Tunnel-mode ESP, then the IP Authentication Header would
be placed normally within that protected datagram ...
... datagram. However, if one
were using Transport-mode ESP, then the IP Authentication Header
would be placed before the ESP header ...
... ESP, then the IP Authentication Header
would be placed before the ESP header and would be calculated across
the entire IP datagram.
...
... Authentication Header is encapsulated within a Tunnel-mode ESP
header, and both headers have specific security classification levels
...
... described previously. It is not necessarily an error for an
Authentication Header located outside of the ESP header to have a
different security classification level than the ESP header ...
... ESP header to have a
different security classification level than the ESP header's
classification level. This might be valid because the cleartext IP
headers ...
... IP
headers might have a different classification level after the data
has been encrypted using ESP.
...
... [KMS95]. Implementors MAY also implement other ESP transforms.
Implementers should consult the most recent version ...
...
Cryptographic transforms for ESP which use a block-chaining algorithm
and lack a strong integrity mechanism ...
... attack described by Bellovin and should not be used unless the
Authentication Header is always present with packets using that ESP
transform [Bel95].
...
... mechanism and its implementation, the strength of the key [CN94]
[Sch94, p233] and upon the correctness of the ESP and IP
implementations in all of the participating systems.
...
... Karn, P., Metzger, P., and W. Simpson, "The ESP DES-CBC Transform", RFC 1829prop, Qualcomm, Inc., Piermont, Daydreamer, August 1995. ...