Encapsulation Security Payload


7/29/2019 Encapsulation Security Payload 1/3

Encapsulation Security Payload (ESP):

ESP provides more extensive confidentiality services, including confidentiality of the message content and limited traffic-flow confidentiality. As an optional feature, ESP can also provide an authentication service. The ESP packet format is laid out in 32-bit words.

The ESP packet has a specific format with the following fields.

Security Parameters Index: identifies a security association, i.e. the cryptographic algorithms, network type, etc.

Sequence Number: an increasing counter value; this provides an anti-replay function.

Payload Data: the transport-level segment (transport mode) or the IP packet (tunnel mode) that is encrypted.

Padding: used to include extra bytes. In detail, if the encryption algorithm requires the plain text to be a multiple of some number of bytes, the padding field expands the plain text to the required length. The ESP format also requires that the Pad Length and Next Header fields be right-aligned within a 32-bit word. Additional padding may be added to provide partial traffic-flow confidentiality by concealing the actual length of the payload.

Pad Length: indicates the number of pad bytes used to expand the plain text.

Next Header: identifies the type of data contained in the Payload Data field by identifying the first header in the payload.

Authentication Data: a variable-length field that contains the integrity check value computed by the MAC algorithm over the ESP packet minus the Authentication Data field.

The cryptographic algorithms used in the encryption process by ESP are 3DES, IDEA, RC5, etc.
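Added example (not from these notes): a Python model of the ESP layout just described, with SPI, Sequence Number, Payload Data, Padding sized so that Pad Length and Next Header end on a 32-bit word boundary, and Authentication Data computed over everything before it, plus a receiver-side anti-replay check on the sequence number. The key, HMAC-SHA256 truncated to 96 bits, the 8-byte cipher block size and the 64-entry sliding replay window are assumptions for illustration; encryption of the payload and trailer is omitted so the layout stays visible.

```python
import hmac
import hashlib
import struct
from math import lcm

ICV_KEY = b"constructed-demo-integrity-key"  # constructed SA key, not from the page
ICV_LEN = 12  # truncated 96-bit MAC, a common Authentication Data size (assumption)

def build_esp(spi, seq, payload, next_header, block_size=8):
    """SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV.
    Padding brings payload+trailer to a multiple of the cipher block size
    while keeping Pad Length and Next Header right-aligned in a 32-bit word.
    Encryption of payload+trailer is left out so the layout stays visible."""
    align = lcm(block_size, 4)
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))      # monotonic pad pattern 1,2,3,...
    header = struct.pack("!II", spi, seq)
    body = payload + padding + bytes([pad_len, next_header])
    # Authentication Data covers the whole packet except itself.
    icv = hmac.new(ICV_KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv

def parse_esp(packet):
    """Verify the ICV first, then strip padding. Returns None on a bad MAC."""
    signed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(ICV_KEY, signed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", signed[:8])
    body = signed[8:]
    pad_len, next_header = body[-2], body[-1]
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": body[:len(body) - pad_len - 2]}

class ReplayWindow:
    """Receiver-side anti-replay check on the sequence number (sliding bitmap)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0
    def accept(self, seq):
        if seq > self.top:                       # newer than anything seen: slide
            self.bitmap = (self.bitmap << (seq - self.top)) | 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap >> offset & 1:
            return False                         # too old, or already received
        self.bitmap |= 1 << offset
        return True
```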


Transport mode:

Transport mode ESP is used to encrypt, and optionally authenticate, the data in the payload field. In this mode, the scope of ESP differs between IPv4 and IPv6.

In IPv4, the ESP header is inserted into the IP packet before the TCP segment, and the ESP trailer (Padding, Pad Length and Next Header fields) is placed after the IP packet. If authentication is selected, the ESP Authentication Data field is added after the ESP trailer. (TCP + Data + ESP trailer) is encrypted and replaced by the cipher text. Authentication then covers all of (cipher text + ESP header).

In IPv6, routers are involved in transmitting the data while ESP protects only the end-to-end payload, so the ESP header appears after the hop-by-hop and routing headers. (TCP + Data + ESP trailer + Destination header) is encrypted, and this cipher text is covered by authentication.

Note: Transport mode provides confidentiality for any application, thus avoiding the need to implement confidentiality in every individual application. This mode is efficient, but its one drawback is that traffic analysis on the transmitted packets remains possible.

Tunnel mode:

Tunnel mode ESP is used to encrypt the entire IP packet. It is a countermeasure against traffic-analysis attacks because in this mode the ESP header is prefixed to the whole packet. The original IP header contains the destination address and source-routing directives, so it is not possible to transmit the encrypted IP packet prefixed only by an ESP header. Therefore it is necessary to encapsulate the entire block, i.e. (ESP header + Cipher text + Authentication Data (optional)), with a new IP header.


Transport mode is suitable for protecting connections between hosts that support the ESP feature; tunnel mode is useful in a configuration that includes a firewall security gateway protecting a trusted network from external networks.