IP datagram
... ESP is a mechanism for providing integrity and confidentiality to IP
datagrams. It may also provide authentication, depending on which
algorithm ...
... UDP, ICMP, IGMP) or an entire IP
datagram. Encapsulating the protected data is necessary to provide
confidentiality for the entire original datagram ...
... the encryption and decryption required for each IP datagram
containing an Encapsulating Security Payload.
...
... In Tunnel-mode ESP, the original IP datagram is placed in the
encrypted portion of the Encapsulating Security Payload ...
... Transport-mode ESP, the ESP header is inserted into the IP
datagram immediately prior to the transport-layer protocol header
...
... ESP
header fields and the protected user data, which is either an entire
IP datagram or an upper-layer protocol frame (e.g., TCP ...
... UDP). A
high-level diagram of a secure IP datagram follows.
|<-- Unencrypted -->|<---- Encrypted ...
...
The encrypted IP datagram need not and does not normally contain any
explicit Security Label because the SPI ...
... mode, which is called "Tunnel-mode", encapsulates an entire IP
datagram inside ESP. The second mode, which is called "Transport-
...
... headers (e.g., Authentication Header, if present in cleartext) and
immediately precedes a tunnelled IP datagram.
The sender ...
... ESP is then encapsulated in a
cleartext IP datagram as the last payload. If strict red/black
separation is being enforced, then the addressing ...
...
If decryption succeeds, the original IP datagram is then removed from
the (now decrypted) ESP ...
... removed from
the (now decrypted) ESP. This original IP datagram is then processed
as per the normal IP protocol specification. In the case of system
...
... would be placed before the ESP header and would be calculated across
the entire IP datagram.
If the Authentication Header ...
