[Figure: ESP services and packet format. Services: authentication (optional), anti-replay service (optional), confidentiality (optional), grouped under Authentication and Encryption. Packet layout: Original IP Header | ESP Header | Payload Data | ESP Trailer | ESP ICV. Fields: Security Parameters Index (SPI, 32 bits), Payload Data (variable), Padding (0 – 255 bytes), Pad Length (8 bits), Next Header (8 bits), Integrity Check Value – ICV (variable).]
VPN IPsec IKE v2 TLS – M. Mogollon – 01/08 – 20
• RFC 4303, “ESP Protocol,” provides the same security services that AH provides (data origin authentication, connectionless integrity, and anti-replay service); it also provides traffic flow confidentiality (encryption). The primary difference between the authentication provided by ESP and the authentication provided by AH is the extent of the coverage. Specifically, ESP does not protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode). The set of services provided by ESP depends on the options selected at the time the security association is established and on the placement of the implementation.
• ESP encrypts IP traffic at the packet level using symmetric-key encryption. ESP is designed to use any number of encryption algorithms. The mandatory-to-implement encryption algorithms are Triple DES-CBC, AES-CBC (128-bit), and AES-CTR. Other algorithms, however, such as RC5, IDEA, three-key triple IDEA, CAST, and Blowfish, could be used because the Domain of Interpretation (DOI) has assigned identifiers to them.
• The ESP header is inserted between the IP header and the rest of the packet.
• The SPI and Sequence Number fields provide the same functions as they do in the AH.
• The TCP header, the data (payload), and the ESP trailer are all encrypted.
• ESP provides authentication in the same manner as the AH does.
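The points above (ESP header in front of the payload, padding and trailer behind it, an ICV that covers the ESP header and payload but not the outer IP header, and a sequence number used for anti-replay) can be made concrete in code. The following Python is an added example written for this page; it is not code from the slides or from any IPsec implementation. It assumes HMAC-SHA-256 truncated to 128 bits as the SA's integrity algorithm, leaves the payload unencrypted so the layout stays visible (a real SA would encrypt payload, padding, pad length and next header), and uses a constructed 20-byte placeholder as the outer IP header, a constructed key, and a constructed 16-byte payload. The replay window follows the sliding-window idea of RFC 4303 Appendix A with a 64-packet window.

```python
import hashlib
import hmac
import struct

# Assumptions for this example (not from the slides): HMAC-SHA-256-128 for
# integrity, no encryption so the fields stay readable, 4-byte alignment of
# the trailer as RFC 4303 requires, and a placeholder outer IP header.
ICV_LEN = 16          # bytes of truncated HMAC output
ALIGN = 4             # pad length and next header must end on a 4-byte boundary
ESP_HEADER_LEN = 8    # SPI (32 bits) + sequence number (32 bits)


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """Return SPI | Seq | Payload Data | Padding | Pad Length | Next Header | ICV."""
    pad_len = (-(len(payload) + 2)) % ALIGN           # 2 = pad length + next header bytes
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default padding 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)
    trailer = bytes([pad_len, next_header])
    authenticated = header + payload + padding + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def parse_esp(esp: bytes, auth_key: bytes) -> dict:
    """Verify the ICV, then split an ESP packet into its fields (ValueError on any defect)."""
    if len(esp) < ESP_HEADER_LEN + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # constant-time comparison
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", authenticated[:ESP_HEADER_LEN])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    body = authenticated[ESP_HEADER_LEN:-2]
    if pad_len > len(body):
        raise ValueError("pad length exceeds payload")
    payload, padding = body[:len(body) - pad_len], body[len(body) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not monotonic")
    return {"spi": spi, "seq": seq, "payload": payload,
            "pad_len": pad_len, "next_header": next_header}


def icv_ok(esp: bytes, auth_key: bytes) -> bool:
    """True if the packet parses and its ICV verifies."""
    try:
        parse_esp(esp, auth_key)
        return True
    except ValueError:
        return False


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 Appendix A."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) already seen

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                                  # first packet on an SA uses seq 1
        if seq > self.highest:                            # advance the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                                  # too old, or already seen
        self.bitmap |= 1 << offset
        return True


def flip_byte(data: bytes, index: int) -> bytes:
    """Return a copy of data with one byte inverted (models in-flight modification)."""
    return data[:index] + bytes([data[index] ^ 0xFF]) + data[index + 1:]


# Constructed sample values.
OUTER_IP_HEADER = bytes(20)           # placeholder outer IPv4 header, not covered by the ICV
AUTH_KEY = b"constructed-demo-integrity-key"
PAYLOAD = b"GET / HTTP/1.0\r\n"       # 16 bytes, stands in for the TCP segment
NEXT_HEADER_TCP = 6


def demo() -> dict:
    esp = build_esp(spi=0x1000, seq=1, payload=PAYLOAD, next_header=NEXT_HEADER_TCP, auth_key=AUTH_KEY)
    datagram = OUTER_IP_HEADER + esp
    results = {
        "fields": parse_esp(esp, AUTH_KEY),
        # A changed outer IP header leaves the ICV intact: ESP coverage starts at the ESP header.
        "outer_header_changed_still_valid": icv_ok(flip_byte(datagram, 8)[20:], AUTH_KEY),
        # A changed payload byte is detected by the ICV.
        "payload_changed_valid": icv_ok(flip_byte(datagram, 20 + ESP_HEADER_LEN)[20:], AUTH_KEY),
    }
    window = ReplayWindow()
    results["replay_decisions"] = [window.accept(s) for s in (1, 1, 3, 2, 2, 67, 3)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the 16-byte payload getting 2 padding bytes so that the trailer ends on a 4-byte boundary, an ICV that still verifies after the outer IP header is altered but fails after a payload byte is altered, and the replay window accepting sequence numbers 1, 3, 2 and 67 while rejecting the repeated 1 and 2 and the out-of-window 3.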
AH and ESP Modes of Operation
[Figure: AH and ESP in transport and tunnel mode between a client, two VPN devices and a server. In tunnel mode a new (outer) IP header is placed in front of the AH header or ESP header, which is followed by the original IP header.]
Spring '10 – VPNs, M. Mogollon, IKE v2