IP Network - Security - IPSec - ESP

 

 

 

ESP stands for Encapsulating Security Payload. Like AH, ESP is an IPsec protocol (IP protocol number 50). It provides integrity and data-origin authentication as AH does, with one difference: the ESP integrity check value (ICV) covers only the ESP header and payload, not the outer IP header, so tampering with the IP header itself is not detected by ESP. In addition, ESP provides data confidentiality by encrypting the payload. In this case, even if you capture the transmitted packets with a sniffer such as Wireshark, you cannot figure out the real contents of the packet because the real contents are encrypted. Note that integrity protection is formally optional in ESP, but encryption without integrity is not secure (the ciphertext can be modified without detection), so in practice ESP is always run with an integrity algorithm or with a combined-mode (AEAD) algorithm such as AES-GCM that provides both.

 

There are two different ways of implementing ESP, as illustrated below: Transport Mode and Tunnel Mode. In Transport Mode, the original IP header is kept as the only IP header of the ESP packet (with its protocol field changed to ESP), and only the transport-layer header and the payload (data) are encrypted. In Tunnel Mode, a completely new IP header is created for the ESP packet, and the original IP header, together with everything after it, is treated as part of the encrypted data. In Tunnel Mode you may use different IP versions for the original packet and the ESP packet. For example, the original data can be IPv6 while the ESP packet is IPv4.

 

 

Since two different IP headers are used in Tunnel Mode, different names are often used for the original IP header and the ESP packet's IP header, as shown below: the original one is the inner header and the ESP packet's one is the outer header.

 

 

The following is the overall packet structure of an ESP packet.

 

< Based on RFC 4303 Figure 1. Top-Level Format of an ESP Packet >

 

< Based on RFC 4303 Figure 2. Substructure of Payload Data >

 

The following shows the ESP packet structure in more detail, comparing Transport Mode and Tunnel Mode.
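As an added example (not code from the original page or from any IPsec stack), here is a small Go implementation of the ESP packet structure above in both Transport Mode and Tunnel Mode. It uses AES-GCM as the combined-mode algorithm in the RFC 4106 layout (8-byte IV in the Payload Data, nonce = 4-byte salt || IV, SPI and Sequence Number as AAD, 16-byte ICV), so one primitive supplies both the encryption and the ICV. The IPv4 header builder assumes no options; the key, addresses and TCP segment bytes are constructed sample data; and `SA`, `Protect` and `Unwrap` are names chosen for this example, not the API of any real implementation.

```go
// Added example, not the page's own code. Assumptions: IPv4 without options,
// AES-GCM per RFC 4106, constructed key/addresses/segment.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	protoESP       = 50 // protocol number carried in the outer IP header
	nextHeaderIPv4 = 4  // tunnel mode: a whole IPv4 datagram follows
	nextHeaderTCP  = 6  // transport mode: the TCP header follows
	ivLen, icvLen  = 8, 16
)

// SA is the subset of an ESP Security Association this example needs.
type SA struct {
	SPI, Seq uint32
	Key      []byte  // 16, 24 or 32-byte AES key
	Salt     [4]byte // RFC 4106 salt, part of the keying material
}

func (sa *SA) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(sa.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ipv4Header builds a 20-byte header (no options) with a valid checksum.
func ipv4Header(src, dst [4]byte, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	binary.BigEndian.PutUint16(h[10:], ipChecksum(h))
	return h
}

// ipChecksum is the RFC 791 one's-complement sum; 0 over a valid header.
func ipChecksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// Encapsulate: SPI | Seq | IV | Enc(Payload | Padding | PadLen | NextHdr) | ICV.
func (sa *SA) Encapsulate(payload []byte, nextHeader byte) ([]byte, error) {
	g, err := sa.gcm()
	if err != nil {
		return nil, err
	}
	sa.Seq++                                // a Seq (hence an IV) is never reused under one key
	padLen := (4 - (len(payload)+2)%4) % 4 // RFC 4106: trailer ends on a 4-byte boundary
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHeader)
	hdr := make([]byte, 8+ivLen)
	binary.BigEndian.PutUint32(hdr[0:], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], sa.Seq)
	if _, err := rand.Read(hdr[8:]); err != nil {
		return nil, err
	}
	nonce := append(sa.Salt[:], hdr[8:]...)
	// SPI and Seq are AAD: integrity-protected but sent in the clear. The
	// outer IP header is not covered at all; that is what AH adds over ESP.
	return g.Seal(hdr, nonce, plain, hdr[:8]), nil
}

// Decapsulate verifies the ICV first and only then parses the trailer.
func (sa *SA) Decapsulate(pkt []byte) (nextHeader byte, payload []byte, err error) {
	if len(pkt) < 8+ivLen+2+icvLen {
		return 0, nil, errors.New("ESP packet too short")
	}
	if binary.BigEndian.Uint32(pkt) != sa.SPI {
		return 0, nil, errors.New("no SA for this SPI")
	}
	g, err := sa.gcm()
	if err != nil {
		return 0, nil, err
	}
	nonce := append(sa.Salt[:], pkt[8:8+ivLen]...)
	plain, err := g.Open(nil, nonce, pkt[8+ivLen:], pkt[:8])
	if err != nil {
		return 0, nil, err // ICV failure: drop, never look at the plaintext
	}
	padLen, nh := int(plain[len(plain)-2]), plain[len(plain)-1]
	end := len(plain) - 2 - padLen
	if end < 0 {
		return 0, nil, errors.New("bad pad length")
	}
	for i := 0; i < padLen; i++ {
		if plain[end+i] != byte(i+1) {
			return 0, nil, errors.New("bad padding")
		}
	}
	return nh, plain[:end], nil
}

// Protect applies ESP to an IPv4 datagram. Transport mode keeps the original
// addresses in the single IP header and protects only the segment; tunnel mode
// writes a new outer header for the gateways and protects the whole datagram,
// inner IP header included.
func Protect(sa *SA, datagram []byte, tunnel bool, gwSrc, gwDst [4]byte) ([]byte, error) {
	var src, dst [4]byte
	copy(src[:], datagram[12:16])
	copy(dst[:], datagram[16:20])
	payload, nh := datagram[20:], datagram[9]
	if tunnel {
		src, dst, payload, nh = gwSrc, gwDst, datagram, nextHeaderIPv4
	}
	esp, err := sa.Encapsulate(payload, nh)
	if err != nil {
		return nil, err
	}
	return append(ipv4Header(src, dst, protoESP, len(esp)), esp...), nil
}

// Unwrap is the receiver for either mode; Next Header tells them apart.
func Unwrap(sa *SA, pkt []byte) (mode string, inner []byte, err error) {
	if len(pkt) < 20 || pkt[9] != protoESP {
		return "", nil, errors.New("not an ESP packet")
	}
	nh, data, err := sa.Decapsulate(pkt[20:])
	if err != nil {
		return "", nil, err
	}
	if nh == nextHeaderIPv4 {
		return "tunnel", data, nil
	}
	return "transport", data, nil
}

// Constructed sample data: host 10.0.0.1 -> 10.0.0.2, tunnelled between gateways.
var (
	key     = bytes.Repeat([]byte{0x0b}, 16)
	segment = []byte{0x00, 0x50, 0x1f, 0x90, 0, 0, 0, 0, 0, 0, 0, 0} // fake TCP bytes
	hostA   = [4]byte{10, 0, 0, 1}
	hostB   = [4]byte{10, 0, 0, 2}
	gwA     = [4]byte{192, 168, 1, 1}
	gwB     = [4]byte{192, 168, 2, 1}
)

func sampleDatagram() []byte {
	return append(ipv4Header(hostA, hostB, nextHeaderTCP, len(segment)), segment...)
}

func main() {
	sa := &SA{SPI: 0x1000, Key: key, Salt: [4]byte{1, 2, 3, 4}}
	orig := sampleDatagram()
	for _, tunnel := range []bool{false, true} {
		pkt, err := Protect(sa, orig, tunnel, gwA, gwB)
		if err != nil {
			panic(err)
		}
		mode, inner, err := Unwrap(sa, pkt)
		fmt.Printf("%-9s outer addrs %v len %d inner %d bytes err=%v\n",
			mode, pkt[12:20], len(pkt), len(inner), err)
	}
}
```

Running it shows the transport-mode packet still carrying 10.0.0.1 -> 10.0.0.2 in its only IP header, while the tunnel-mode packet shows just the gateway addresses: the inner header, the TCP segment, the padding, Pad Length and Next Header are all inside the ciphertext, and the ICV sits at the very end of the packet even though Wireshark lists it early in its decoding. Anti-replay checking of the Sequence Number on receipt is left out here.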

 

 

 

< Transport Mode Example >

 

The following is an example of Transport Mode ESP, showing the association between the Wireshark log and the ESP packet structure. As you see here, some of the fields shown in Wireshark are not laid out in the same order as the ESP packet structure. For example, some fields (e.g., Authentication Data, i.e. the ICV) are located at the end of the packet but are shown early in the decoding. (I know... it is a very confusing and messy diagram, but I think it would be worth tracing it field by field with your finger or a pencil at least once.)

 

 

< Tunnel Mode Example >

 

The following is an example of Tunnel Mode ESP, showing the association between the Wireshark log and the ESP packet structure. As you see here, some of the fields shown in Wireshark are not laid out in the same order as the ESP packet structure. For example, some fields (e.g., Authentication Data, i.e. the ICV) are located at the end of the packet but are shown early in the decoding. (I know... it is a very confusing and messy diagram, but I think it would be worth tracing it field by field with your finger or a pencil at least once.)