
Encapsulation Security Payload (ESP):

ESP provides confidentiality services, including confidentiality of message content and limited traffic flow confidentiality. As an optional feature, ESP can also provide an authentication service. The ESP header fields are laid out in 32-bit words. An ESP packet has a specific format with the following fields.

Security Parameters Index (SPI): Identifies a security association, i.e. the cryptographic algorithms, network type, etc. agreed for this traffic.

Sequence Number: A monotonically increasing counter value; this provides an anti-replay function.

Payload Data: A transport-level segment (transport mode) or an IP packet (tunnel mode), protected by encryption.

Padding: This field is used to include extra bytes. If the encryption algorithm requires the plaintext to be a multiple of some number of bytes (the cipher block size), padding expands the plaintext to the required length. The ESP format also requires that the Pad Length and Next Header fields be right-aligned within a 32-bit word. Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.

Pad Length: Indicates the number of pad bytes used to expand the plaintext.

Next Header: Identifies the type of data contained in the Payload Data field by identifying the first header in that payload.

Authentication Data: A variable-length field containing the integrity check value (ICV) computed by a MAC algorithm over the ESP packet minus the Authentication Data field itself.

The cryptographic algorithms used by ESP for encryption include 3DES, IDEA, RC5, etc.

Transport mode: Transport mode ESP is used to encrypt, and optionally authenticate, the data in the payload field. For this mode, the scope of ESP differs between IPv4 and IPv6.

In IPv4, the ESP header is inserted into the IP packet immediately before the TCP segment, and the ESP trailer (Padding, Pad Length and Next Header fields) is placed after the TCP segment, at the end of the packet. If authentication is selected, the ESP Authentication Data field is added after the ESP trailer. The block (TCP header + data + ESP trailer) is encrypted and replaced by its ciphertext. Authentication then covers the ESP header plus the ciphertext.

In IPv6, ESP is treated as an end-to-end payload that is not examined by intermediate routers, so the ESP header appears after the hop-by-hop and routing extension headers. The block (TCP header + data + ESP trailer + Destination Options header) is encrypted, and the resulting ciphertext, together with the ESP header, is covered by authentication.

Note: Transport mode provides confidentiality for any application, avoiding the need to implement confidentiality in every individual application. This mode is efficient, but its drawback is that traffic analysis on the transmitted packets remains possible, because the original IP header is sent in the clear.

Tunnel mode: Tunnel mode ESP is used to encrypt the entire IP packet. The ESP header is prefixed to the packet, and the packet plus the ESP trailer is encrypted; this counters traffic analysis attacks. Because the original IP header contains the destination address and possibly source routing directives, intermediate routers could not forward an encrypted IP packet that is merely prefixed by an ESP header. Therefore, it is necessary to encapsulate the entire block (ESP header + ciphertext + Authentication Data, if present) with a new IP header that routers can process.

Transport mode is suitable for protecting connections between hosts that support the ESP feature; tunnel mode is useful in a configuration that includes a firewall or other security gateway that protects a trusted network from external networks.
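The following Python example is added here to illustrate the ESP packet format described above (SPI, sequence number, payload, padding, pad length, next header, authentication data) and the difference between transport and tunnel mode framing. It is not code from the original notes or from any IPsec implementation. It does not perform encryption (that would need a cipher library); it builds the framing, computes the padding so the trailer is block-aligned and 32-bit right-aligned, computes an ICV over everything except the ICV field, verifies it on parsing, and applies a receiver-side anti-replay window on the sequence number. Assumptions not taken from the notes: HMAC-SHA1 truncated to 96 bits as the MAC, an 8-byte cipher block size (as for 3DES), and the IANA protocol numbers TCP = 6 and IPv4-in-IP = 4; the IP headers passed in are opaque placeholder bytes.

```python
import hashlib
import hmac
import struct

# Assumed parameters (not from the original notes).
ESP_HEADER = struct.Struct("!II")  # SPI, Sequence Number: two 32-bit words, network order
ICV_LEN = 12                        # HMAC-SHA1 truncated to 96 bits
PROTO_TCP, PROTO_IPIP = 6, 4        # IANA protocol numbers for the Next Header field


def esp_trailer(payload_len: int, next_header: int, block_size: int = 8, extra_blocks: int = 0) -> bytes:
    """Padding + Pad Length + Next Header.

    Padding makes (payload + padding + 2 trailer bytes) a multiple of block_size, which
    for block sizes that are multiples of 4 also right-aligns the two trailer bytes in a
    32-bit word. extra_blocks adds whole blocks of padding to conceal the true payload
    length (partial traffic flow confidentiality)."""
    pad_len = (-(payload_len + 2)) % block_size + extra_blocks * block_size
    if pad_len > 255:
        raise ValueError("pad length must fit in one byte")
    padding = bytes(range(1, pad_len + 1))  # default pad bytes: 1, 2, 3, ...
    return padding + bytes([pad_len, next_header])


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes,
              block_size: int = 8, extra_blocks: int = 0) -> bytes:
    """Frame an ESP packet: header | payload + trailer (the region a real
    implementation encrypts) | ICV. Encryption itself is omitted in this example."""
    header = ESP_HEADER.pack(spi, seq)
    to_encrypt = payload + esp_trailer(len(payload), next_header, block_size, extra_blocks)
    # The ICV covers the ESP header and the (encrypted) payload + trailer, never itself.
    icv = hmac.new(auth_key, header + to_encrypt, hashlib.sha1).digest()[:ICV_LEN]
    return header + to_encrypt + icv


def parse_esp(packet: bytes, auth_key: bytes) -> dict:
    """Verify the ICV first, then strip the trailer and return the fields."""
    if len(packet) < ESP_HEADER.size + 2 + ICV_LEN:
        raise ValueError("packet too short")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = ESP_HEADER.unpack_from(packet)
    body = authenticated[ESP_HEADER.size:]
    pad_len, next_header = body[-2], body[-1]
    if pad_len + 2 > len(body):
        raise ValueError("bad pad length")
    if body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    payload = body[:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header, "pad_len": pad_len, "payload": payload}


class ReplayWindow:
    """Receiver-side anti-replay check: a sliding bitmap over the last `size` sequence numbers."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False  # the first valid sequence number is 1
        if seq > self.highest:  # newer than anything seen: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False  # too old for the window, or already seen (replay)
        self.bitmap |= 1 << offset
        return True


def transport_mode_ipv4(ip_header: bytes, tcp_segment: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: original IP header kept in the clear, ESP sits between it and the TCP segment."""
    return ip_header + build_esp(spi, seq, tcp_segment, PROTO_TCP, key)


def tunnel_mode(new_ip_header: bytes, inner_ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: the whole original IP packet is the ESP payload under a new outer IP header
    (whose Protocol field would be 50 = ESP; placeholder header bytes here)."""
    return new_ip_header + build_esp(spi, seq, inner_ip_packet, PROTO_IPIP, key)


if __name__ == "__main__":
    key = b"k" * 20                               # constructed sample key
    pkt = build_esp(0x1234, 1, b"A" * 20, PROTO_TCP, key)
    print(len(pkt), parse_esp(pkt, key))          # 20-byte payload needs 2 pad bytes on an 8-byte block
    print(len(tunnel_mode(b"\x45" + b"\x00" * 19, b"\x45" + b"\x00" * 39, 7, 1, key)))
```

With a 20-byte payload and an 8-byte block, the trailer needs two pad bytes so that 20 + 2 + 2 is a multiple of 8; `extra_blocks=1` adds another full block and hides the true length. The window test in the accompanying assertions shows an out-of-order but fresh sequence number being accepted while a repeated one and one that has fallen out of the window are rejected.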
