The Protocols Behind IPSec

IPSec provides confidentiality, integrity, authenticity, and replay protection through two new protocols. These protocols are called Authentication Header (AH) and Encapsulating Security Payload (ESP).

AH provides authentication, integrity, and replay protection (but not confidentiality). Its main difference from ESP is that AH also secures parts of the IP header of the packet (such as the source/destination addresses).

ESP provides authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity. Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, authentication/integrity is possible with or without confidentiality.

The AH comes after the basic IP header and contains cryptographic hashes of the data and identification information. The hashes also cover the invariant parts of the IP header itself. Several different RFCs give a choice of actual algorithms to use in the AH; however, they all must follow the guidelines specified in RFC 2402.

The ESP header allows for the rewriting of the payload in encrypted form. The ESP header does not consider the fields of the IP header before it and makes no guarantees about anything except the payload. The various types of ESP applicable must follow RFC 2406. An ESP header also provides authentication for the payload, but not the outer header.

An orthogonal (mostly) division of IPSec functionality is applied depending on whether the endpoint doing the IPSec encapsulation is the original source of the data or a gateway:

IPSec secured links are defined in terms of Security Associations (SAs). Each SA is defined for a single unidirectional flow of data, usually from one single point to another, covering traffic distinguishable by some unique selector. All traffic flowing over a single SA is treated the same. Some traffic may be subject to several SAs, each of which applies some transform. A group of SAs is called an SA Bundle. Incoming packets can be assigned to a particular SA by three defining fields: Destination IP address, Security Parameter Index (SPI), and security protocol. The SPI is considered a cookie handed out by the receiver of the SA when the parameters of the connection are negotiated. The security protocol must be either AH or ESP. Since the IP address of the receiver is part of the triple, this is a guaranteed unique value. The three fields are read from the outer IP header and the first security header (which contains the SPI and the security protocol).
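The inbound SA lookup described above, as an added example that is not WatchGuard's code: it reads the triple from the outer IPv4 header and the first security header, then consults an SA table. The function names, the `SAD` table, the addresses, and the SPI values are all constructed for illustration.

```python
import socket
import struct

ESP, AH = 50, 51  # IP protocol numbers for the two IPSec headers

def sa_selector(packet: bytes):
    """Return (destination IP, SPI, protocol) for an IPv4 packet, or None if not IPSec."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # outer header length, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, dst = packet[9], socket.inet_ntoa(packet[16:20])
    if proto == ESP:
        spi_off, name = ihl, "ESP"            # ESP starts with the SPI
    elif proto == AH:
        spi_off, name = ihl + 4, "AH"         # AH: next hdr, length, reserved, then SPI
    else:
        return None
    if len(packet) < spi_off + 4:
        raise ValueError("truncated security header")
    (spi,) = struct.unpack_from("!I", packet, spi_off)
    return (dst, spi, name)

def lookup_sa(sad: dict, packet: bytes):
    """Return the SA for an inbound packet; None means no matching SA (drop)."""
    selector = sa_selector(packet)
    return sad.get(selector) if selector else None

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a constructed sample packet (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed SA database: same receiver and SPI, but AH and ESP are distinct SAs.
SAD = {("192.0.2.10", 0x1001, "ESP"): "sa-esp", ("192.0.2.10", 0x1001, "AH"): "sa-ah"}
ESP_PKT = ipv4(ESP, "198.51.100.7", "192.0.2.10", struct.pack("!II", 0x1001, 1) + bytes(16))
AH_PKT = ipv4(AH, "198.51.100.7", "192.0.2.10",
              struct.pack("!BBHII", 6, 4, 0, 0x1001, 1) + bytes(12))
UNKNOWN = ipv4(ESP, "198.51.100.7", "192.0.2.10", struct.pack("!II", 0x2002, 1) + bytes(16))

if __name__ == "__main__":
    for pkt in (ESP_PKT, AH_PKT, UNKNOWN):
        print(sa_selector(pkt), "->", lookup_sa(SAD, pkt))
```

The source address plays no part in the lookup, and a packet whose SPI the receiver never handed out matches no SA.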

An example of a tunnel mode AH packet:

IPhdr AH IPhdr2 TCPhdr data

An example of a transport mode AH packet:

IPhdr AH TCPhdr data

Because an ESP header cannot authenticate the outer IP header, it is useful to combine an AH and an ESP header to get this:

IPhdr AH ESP TCPhdr data

This is called Transport Adjacency. The tunneling version looks like:

IPhdr AH ESP IPhdr2 TCPhdr data

However, the tunneling version is not specifically mentioned in the RFC. As with transport adjacency, it authenticates the entire packet except a few fields in the IP header and also encrypts the payload.



Copyright © 1996 - 2002 WatchGuard Technologies, Inc. All rights reserved.