U5.11 Encapsulating Security Payload protocol

Provides for confidentiality and authentication of the payload only
1. Encryption can be offered either just for the payload or for the datagram as a whole
  1. Protocol inserts a new ESP header after the IP header and a new ESP trailer after the data field.
    1. This way the ESP header and trailer encapsulate the data they protect
    2. Header contains the SPI and the sequence number
    3. Tralier contains padding information
      1. Followed by the ESP authentication field containing MAC
Transport mode
1. ESP header is placed between the IP and the TCP header
2. Comms end points and IPSEC endpoints coincide so 1 header is used
3. Encryption covers the the payload, including the ESP tralier, excluding the MAC
4. IP header cannot be encrypted
Tunnel Mode
1. Additional IP header is needed since communicating end points and IPSEC end points do not coincide
  1. This is separated from the original IP header by the ESP header
    1. In tunnel mode the entire original ip datagram including the IP header is encrypted
      1. The new IP header contains the source and destination of the IPSEC gateways
        Encryption covers all encapsulated data but excludes the MAC
        If ESP is used only the payload is authnticatied
See pg 12 of notes for diagrams
1. Weaknesses if only ESP Auth is used
  1. Only the payload is authenticated, not the IP address, leaving it open to packet forgery
2. See module for further diagram explinations

Resource summary

	Created by Craig Parker over 11 years ago