Encapsulation Security Payload
7/29/2019 Encapsulation Security Payload
1/3
Encapsulation Security Payload (ESP):
ESP provides confidentiality services, including confidentiality of the message and
limited traffic-flow confidentiality. As an optional feature, ESP can also provide an
authentication service. The ESP packet format is laid out in 32-bit words and
has the following fields.
Security Parameters Index: Identifies the security association, which determines
parameters such as the cryptographic algorithms in use.
Sequence Number: A monotonically increasing counter value; this provides an
anti-replay function.
Payload Data: A transport-level segment (encrypted in transport mode) or an IP
packet (encrypted in tunnel mode).
Padding: This field is used to include extra bytes. If the encryption algorithm requires
the plain text to be a multiple of some number of bytes, the padding field expands the
plain text to the required length. The ESP format also requires that the Pad Length and
Next Header fields are right-aligned within a 32-bit word, and padding provides that
alignment. Additional padding may be added to give partial traffic-flow confidentiality
by concealing the actual length of the payload.
Pad length: Indicates the number of pad bytes used to expand the plain text.
Next Header: Identifies the type of data contained in the Payload Data field by identifying
the first header in the payload.
Authentication Data: A variable-length field that contains the integrity check value (ICV)
computed by the MAC algorithm over the ESP packet minus the Authentication Data field.
The encryption algorithms used by ESP include 3DES, IDEA, RC5, etc.
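The layout described above, as an added example that is not part of the original document: a builder and parser for the ESP header, padding, trailer and ICV, plus the sliding-window anti-replay check that the Sequence Number field enables. Encryption is left out so the field layout stays visible; the 96-bit truncated HMAC-SHA256 ICV, the 64-entry window and the constructed key are assumptions for illustration, not values from the text.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # assumption: 96-bit truncated HMAC, the usual ESP ICV size
WINDOW = 64    # assumption: 64-entry anti-replay window

def build_esp(spi, seq, payload, next_header, key, block_size=4):
    """Lay out SPI | Sequence | Payload | Padding | Pad Length | Next Header | ICV."""
    # Padding makes payload + padding + the two trailer bytes a multiple of the
    # cipher block size, so Pad Length and Next Header end on a 32-bit word.
    pad_len = (-(len(payload) + 2)) % max(block_size, 4)
    padding = bytes(range(1, pad_len + 1))      # default 1, 2, 3, ... padding
    header = struct.pack("!II", spi, seq)       # two 32-bit words
    body = payload + padding + bytes([pad_len, next_header])
    # Encryption is omitted so the layout stays visible; in real ESP `body`
    # would be the cipher text, and the MAC covers header + cipher text only.
    icv = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv

def parse_esp(packet, key):
    """Verify the ICV first, then strip the trailer; raises ValueError on failure."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")    # discard before touching payload
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds payload")
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]

class ReplayWindow:
    """Sliding-window anti-replay check driven by the Sequence Number field."""
    def __init__(self):
        self.top = 0    # highest sequence number accepted so far
        self.seen = 1   # bitmap of received numbers, bit 0 = top; seq 0 is never sent

    def accept(self, seq):
        if seq > self.top:                      # newer than anything seen: slide
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        if seq <= self.top - WINDOW:            # fell off the left edge: too old
            return False
        bit = 1 << (self.top - seq)
        if self.seen & bit:                     # already received: replay
            return False
        self.seen |= bit
        return True
```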
Transport mode:
Transport mode ESP is used to encrypt, and optionally authenticate, the data in the payload
field. In this mode, the scope of ESP differs between IPv4 and IPv6.
In IPv4, the ESP header is inserted into the IP packet immediately before the TCP segment, and
the ESP trailer (Padding, Pad Length, Next Header fields) is placed at the end of the packet,
after the TCP segment. If authentication is selected, the ESP Authentication Data field is added
after the ESP trailer. The TCP segment, its data and the ESP trailer are encrypted and replaced
by the cipher text. Authentication then covers the cipher text plus the ESP header.
In IPv6, ESP is treated as end-to-end payload, so it is not examined or processed by
intermediate routers; the ESP header therefore appears after the hop-by-hop and routing
headers. The TCP segment, its data, the ESP trailer and the destination options header are
encrypted, and this cipher text is covered by authentication.
Note: Transport mode provides confidentiality for any application that uses it, thus avoiding
the need to implement confidentiality in every individual application. This mode is efficient,
but its one drawback is that traffic analysis on the transmitted packets remains possible.
Tunnel mode:
Tunnel mode ESP is used to encrypt the entire IP packet. It is a countermeasure against
traffic analysis because in this mode the ESP header is prefixed to the whole packet. Since the
original IP header contains the destination address and any source-routing directives, the
encrypted IP packet prefixed by the ESP header cannot be transmitted as it stands. Therefore, it
is necessary to encapsulate the entire block, i.e. (ESP header + cipher text + Authentication
Data (optional)), with a new IP header.
Transport mode is suitable for protecting connections between hosts that support the ESP
feature; tunnel mode is useful in a configuration that includes a security gateway such as a
firewall that protects a trusted network from external networks.