Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.

Presentation transcript: "Encapsulated Security Payload Header (RFC 2406)"

1 Encapsulated Security Payload Header
● RFC 2406
● Services
– Confidentiality
● Plus
– Connectionless integrity
– Data origin authentication
– Replay protection
– As much header authentication as possible

2 ESP Packet Format (figure)
● ESP Header: Security Parameters Index (SPI), Sequence Number Field
● Payload Data (variable): the encrypted Layer 4 data
● ESP Trailer: Padding, Pad Len, Next Header
● Authentication Data (variable)
● Encrypted: Payload Data and ESP Trailer
● Authenticated: ESP Header through ESP Trailer (everything before the Authentication Data)

3 ESP Parameters
● SPI – 32-bit value that, together with the destination IP address and the security protocol identifier (as for AH), uniquely identifies the Security Association for this datagram
● Sequence Number – function and generation are the same as in AH
● Payload Data – contains the data described by the Next Header field
● Authentication Data – contains the ICV computed over the ESP packet minus the Authentication Data field itself

4 ESP Header Location
● IPv6 considerations only
● ESP is viewed as an end-to-end payload
● ESP protects only those fields after the ESP header
● The ESP header occurs before the encrypted payload
● The ESP header is part of the ICV

5 ESP Header Location – Transport Mode (figure)
● IPv6 Header | Hop-by-Hop, Routing, Frag ext. headers | ESP Header | Payload | ESP Trailer | ESP Auth Data
● Encrypted: Payload and ESP Trailer
● Authenticated: ESP Header through ESP Trailer

6 ESP Header Location – Tunnel Mode (figure)
● IPv6 Header (outer) | Hop-by-Hop, Routing, Frag ext. headers | ESP Header | Original (inner) IPv6 Header | Payload | ESP Trailer | ESP Auth Data
● Encrypted: Original IPv6 Header, Payload and ESP Trailer
● Authenticated: ESP Header through ESP Trailer

7 Authentication Data
● The Authentication Data field is a variable-length field that contains the Integrity Check Value (ICV) for this packet
● Its length is a multiple of 32 bits
● The ICV algorithm is specified in the SA
● Usually an HMAC (keyed hash)
● The ICV is calculated over the immutable and predictable values in the IP header, the AH header, padding, upper-level protocols and payload, etc.

8 Authenticated Data
● Immutable
– Version, Payload Length, Next Header, Source Address, Destination Address (without a Routing Extension Header)
● Mutable but predictable
– Destination Address (with a Routing Extension Header)
● Mutable (zeroed prior to ICV calculation)
– Class, Flow Label, Hop Limit

9 Outbound Packet Processing
● Match the packet's selectors against the outbound policies in the SPD
● SA lookup
● Encapsulate the Payload field
● Add the necessary padding
● Encrypt the Payload, Padding, Pad Length and Next Header
● Sequence Number generation
● ICV calculation
● Fragmentation of the IPsec datagram if necessary

10 Inbound Packet Processing
● Datagram reassembly
● SA lookup
– Based on the IP address, the Security Protocol and the SPI
● ICV verification
– Calculated over the immutable fields, the mutable-but-predictable fields, and the options and payload
● Sequence Number verification
● Packet decryption

