Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
IPsec
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Encapsulating Security Payload=== [[File:Ipsec-esp-tunnel-and-transport.svg|thumb|Usage of IPsec Encapsulating Security Payload (ESP) in Tunnel and Transport modes]] The IP Encapsulating Security Payload (ESP)<ref>{{cite web | url = http://www.toad.com/gnu/draft-ietf-sip-esp-00.txt | title = SIPP Encapsulating Security Payload | publisher = IETF SIPP Working Group | year = 1993 | access-date = 2013-08-07 | archive-url = https://web.archive.org/web/20160909031941/http://www.toad.com/gnu/draft-ietf-sip-esp-00.txt | archive-date = 2016-09-09 | url-status = dead }}</ref> was developed at the [[Naval Research Laboratory]] starting in 1992 as part of a [[DARPA]]-sponsored research project, and was openly published by [[IETF]] SIPP<ref>{{cite web | url = http://tools.ietf.org/html/draft-ietf-sipp-spec-00 | title = Draft SIPP Specification | publisher = IETF | year = 1993 | page = 21| last1 = Deering | first1 = Steve E. }}</ref> Working Group drafted in December 1993 as a security extension for SIPP. This [[#Encapsulating Security Payload|ESP]] was originally derived from the US Department of Defense [[SP3D]] protocol, rather than being derived from the ISO Network-Layer Security Protocol (NLSP). The SP3D protocol specification was published by [[NIST]] in the late 1980s, but designed by the Secure Data Network System project of the [[US Department of Defense]]. Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. It provides origin [[Information security#Authenticity|authenticity]] through source [[authentication]], [[data integrity]] through hash functions and [[confidentiality]] through [[encryption]] protection for IP [[Packet (information technology)|packet]]s. ESP also supports [[encryption]]-only and [[authentication]]-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.<ref>{{cite conference | title=Problem Areas for the IP Security Protocols | book-title=Proceedings of the Sixth Usenix Unix Security Symposium | first=Steven M. | last=Bellovin | year=1996 | pages=1โ16 | place=San Jose, CA | url=https://www.cs.columbia.edu/~smb/papers/badesp.ps | access-date=2007-07-09|author-link=Steven M. Bellovin|format=[[PostScript]]}}</ref><ref>{{cite conference | title=Cryptography in theory and practice: The case of encryption in IPsec | book-title=Eurocrypt 2006, Lecture Notes in Computer Science Vol. 4004 | last1=Paterson|first1=Kenneth G.|last2=Yau|first2=Arnold K.L.|date=2006-04-24|pages=12โ29 | location=Berlin | url=http://eprint.iacr.org/2005/416 | access-date=2007-08-13|format=PDF}}</ref><ref>{{cite conference | title=Attacking the IPsec Standards in Encryption-only Configurations | book-title=IEEE Symposium on Security and Privacy, IEEE Computer Society |last1=Degabriele|first1=Jean Paul|last2=Paterson|first2=Kenneth G.|date=2007-08-09|format=PDF | pages=335โ349 | location=Oakland, CA | url=http://eprint.iacr.org/2007/125 | access-date=2007-08-13 }}</ref> Unlike [[Authentication Header|Authentication Header (AH)]], ESP in transport mode does not provide integrity and authentication for the entire [[IP packet (disambiguation)|IP packet]].<!--intentional link to disambig--> However, in [[Tunneling protocol|tunnel mode]], where the entire original IP packet is [[Information hiding|encapsulated]] with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers) remains unprotected. ESP operates directly on top of IP, using IP protocol number 50.<ref name="iana" /> The following ESP packet diagram shows how an ESP packet is constructed and interpreted:{{Ref RFC|4303}} {{APHD|start|title=Encapsulating Security Payload format}} {{APHD|0|bits1=32|field1=Security Parameters Index}} {{APHD|4|bits1=32|field1=Sequence Number}} {{APHD|999|hoctets=8|hbits=64|bits1=64|border1=bottom|background1=mistyrose|field1=Payload Data}} {{APHD|999|bits1=8|border1=top|background1=mistyrose|field1={{nbsp}}|bits2=24|background2=linen|border2=bottom|field2={{nbsp}}}} {{APHD|999|bits1=32|border1=top-bottom|background1=linen|field1=(Padding)}} {{APHD|999|bits1=16|border1=top|background1=linen|field1={{nbsp}}|bits2=8|field2=Pad Length|bits3=8|field3=Next Header}} {{APHD|999|bits1=64|field1=Integrity Check Value{{break}}โฎ}} {{APHD|end}} ;{{APHD|def|name=Security Parameters Index|short=SPI|length=32 bits|text=Arbitrary value used (together with the destination IP address) to identify the [[security association]] of the receiving party.}} ;{{APHD|def|name=Sequence Number|length=32 bits|text=A [[monotonic]]ally increasing sequence number (incremented by 1 for every packet sent) to protect against [[replay attack]]s. There is a separate counter kept for every security association.}} ;{{APHD|def|name=Payload Data|length=variable|text=The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialisation Vector for the cryptographic algorithm). The type of content that was protected is indicated by the ''Next Header'' field.}} ;{{APHD|def|name=Padding|length=0-255 octets|text=Optional. Padding for encryption, to extend the payload data to a size that fits the encryption's [[Block cipher|cipher]] [[Block size (cryptography)|block size]], and to align the next field.}} ;{{APHD|def|name=Pad Length|length=8 bits|text=Size of the padding (in octets).}} ;{{APHD|def|name=Next Header|length=8 bits|text=Indicates the [[list of IP protocol numbers|protocol type]] of the ''Payload Data'',{{Ref RFC|4303|rsection=2.6}} like the value {{Mono|6}} for [[Transmission Control Protocol|TCP]]. As ESP is an encapsulation protocol, a value of {{Mono|4}} is also possible, indicating [[IP in IP]]. A value of {{Mono|41}} indicates [[IPv6]] encapsulated in [[IPv4]], e.g. [[6to4]]. The value {{Mono|59}} (meaning: ''No Next Header'') is used for dummy packets, which may be inserted in the stream, and which contents should be discarded.}} ;{{APHD|def|name=Integrity Check Value|short=ICV|length=variable|text=Variable length check value. It may contain padding to align the field to an 8-octet boundary for [[IPv6]], or a 4-octet boundary for [[IPv4]].}}
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)