521609
Description
Mind Map by Craig Parker, updated more than 1 year ago
|
Created by Craig Parker
almost 12 years ago
|
|
U5.11 Encapsulating
Security Payload protocol
- Provides for confidentiality and authentication of the payload only
- Encryption can be offered either just for the payload or for the datagram as a whole
- Protocol inserts a new ESP header after the IP header and a new ESP trailer after the data field.
- This way the ESP header and trailer encapsulate the data they protect
- Header contains the SPI and the sequence number
- Tralier contains padding information
- Followed by the ESP authentication field containing MAC
- Followed by the ESP authentication field containing MAC
- This way the ESP header and trailer encapsulate the data they protect
- Protocol inserts a new ESP header after the IP header and a new ESP trailer after the data field.
- Encryption can be offered either just for the payload or for the datagram as a whole
- Transport mode
- ESP header is placed between the IP and the TCP header
- Comms end points and IPSEC endpoints coincide so 1 header is used
- Encryption covers the the payload, including the ESP tralier, excluding the MAC
- IP header cannot be encrypted
- ESP header is placed between the IP and the TCP header
- Tunnel Mode
- Additional IP header is needed since communicating
end points and IPSEC end points do not coincide
- This is separated from the original
IP header by the ESP header
- In tunnel mode the entire original ip datagram
including the IP header is encrypted
- The new IP header contains the source and destination of the IPSEC gateways
- Encryption covers all encapsulated data but excludes the MAC
- If ESP is used only the payload is authnticatied
- If ESP is used only the payload is authnticatied
- Encryption covers all encapsulated data but excludes the MAC
- The new IP header contains the source and destination of the IPSEC gateways
- In tunnel mode the entire original ip datagram
including the IP header is encrypted
- This is separated from the original
IP header by the ESP header
- Additional IP header is needed since communicating
end points and IPSEC end points do not coincide
- See pg 12 of notes for diagrams
- Weaknesses if only ESP Auth is used
- Only the payload is authenticated, not the IP address,
leaving it open to packet forgery
- Only the payload is authenticated, not the IP address,
leaving it open to packet forgery
- See module for further diagram explinations
- Weaknesses if only ESP Auth is used
Media attachments
Want to create your own Mind Maps for free with GoConqr? Learn more.