
   subject traffic to certain forms of active attacks that could
   undermine the confidentiality service (see [Bel96]).  Data origin
   authentication and connectionless integrity are joint services
   (hereafter referred to jointly as "authentication") and are offered as
   an option in conjunction with (optional) confidentiality.  The anti-
   replay service may be selected only if data origin authentication is
   selected, and its election is solely at the discretion of the
   receiver.  (Although the default calls for the sender to increment
   the Sequence Number used for anti-replay, the service is effective
   only if the receiver checks the Sequence Number.)  Traffic flow

RFC 2406           IP Encapsulating Security Payload       November 1998

   confidentiality requires selection of tunnel mode, and is most
   effective if implemented at a security gateway, where traffic
   aggregation may be able to mask true source-destination patterns.
   Note that although both confidentiality and authentication are
   optional, at least one of them MUST be selected.
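   The sender-side sequence counter and the receiver-side anti-replay
   check described above, as an added example that is not part of
   RFC 2406 itself. It assumes a 64-bit receiver window (the RFC's
   default minimum is 32) and models the RFC's ordering: the window is
   consulted before the ICV is verified and only updated after the ICV
   checks out, so a forged packet cannot advance the window.

```python
# Added example: ESP sequence-number handling (sender) and a sliding-window
# anti-replay check (receiver), following the scheme described in RFC 2406.
# Window size of 64 bits is an assumption; the RFC only requires >= 32.

SEQ_MAX = 2**32 - 1  # Sequence Number is an unsigned 32-bit counter


class EspSender:
    """Per-SA outbound counter: starts at 1 and must never wrap."""

    def __init__(self):
        self.seq = 0

    def next_sequence(self):
        if self.seq >= SEQ_MAX:
            # RFC 2406 2.2: the counter MUST NOT cycle; a new SA is required.
            raise OverflowError("sequence number exhausted, rekey the SA")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver window: bit i of `bitmap` set means (top - i) was accepted."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bitmap of accepted numbers in [top-size+1, top]

    def check(self, seq):
        """Pre-ICV check: is this sequence number acceptable? No state change."""
        if seq == 0:                 # 0 is never sent on a fresh SA
            return False
        if seq > self.top:           # right of the window: always new
            return True
        diff = self.top - seq
        if diff >= self.size:        # fell off the left edge: too old
            return False
        return not (self.bitmap >> diff) & 1   # seen before => replay

    def update(self, seq):
        """Post-ICV update: record `seq` as received (caller verified ICV)."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok):
        """Full receive path: check window, then verify ICV, then update."""
        if not self.check(seq):
            return "rejected: replay or outside window"
        if not icv_ok:
            return "rejected: bad ICV"
        self.update(seq)
        return "accepted"
```

   Because `check` is side-effect free, a packet that passes the window
   test but fails the ICV leaves the window exactly as it was, which is
   the property the RFC relies on to keep forged packets from moving the
   window past legitimate traffic.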

   It is assumed that the reader is familiar with the terms and concepts
   described in the Security Architecture document.  In particular, the
   reader should be familiar with the definitions of security services
   offered by ESP and AH, the concept of Security Associations, the ways
   in which ESP can be used in conjunction with the Authentication
   Header (AH), and the different key management options available for
   ESP and AH.  (With regard to the last topic, the current key
   management options required for both AH and ESP are manual keying and
   automated keying via IKE [HC98].)

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in RFC 2119 [Bra97].

2.  Encapsulating Security Payload Packet Format

   The protocol header (IPv4, IPv6, or Extension) immediately preceding
   the ESP header will contain the value 50 in its Protocol (IPv4) or
   Next Header (IPv6, Extension) field [STD-2].

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
|               Security Parameters Index (SPI)                 | ^Auth.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
|                      Sequence Number                          | |erage
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----
|                    Payload Data* (variable)                   | |   ^
~                                                               ~ |   |
|                                                               | |Conf.
+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
|               |     Padding (0-255 bytes)                     | |erage*
+-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |   |
|                               |  Pad Length   | Next Header   | v   v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------
|                 Authentication Data (variable)                |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        * If included in the Payload field, cryptographic
          synchronization data, e.g., an Initialization Vector (IV, see
          Section 2.3), usually is not encrypted per se, although it
          often is referred to as being part of the ciphertext.

   The following subsections define the fields in the header format.
   "Optional" means that the field is omitted if the option is not
   selected, i.e., it is present in neither the packet as transmitted
   nor as formatted for computation of an Integrity Check Value (ICV,
   see Section 2.7).  Whether or not an option is selected is defined as
   part of Security Association (SA) establishment.  Thus the format of
   ESP packets for a given SA is fixed, for the duration of the SA.  In
   contrast, "mandatory" fields are always present in the ESP packet
   format, for all SAs.
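   The packet layout in the figure above, worked through in code as an
   added example that is not part of the RFC: a builder that lays out
   SPI, Sequence Number, Payload Data, Padding, Pad Length and Next
   Header, and a parser that recovers the same fields and the two
   coverage regions marked in the figure. It assumes the default
   padding scheme (bytes 1, 2, 3, ...) with the trailer 4-byte aligned,
   a fixed-length ICV whose length is known from the SA (12 bytes is
   used in the test), and that the parser is handed the packet after
   decryption. The ICV and encryption themselves are outside the scope
   of the example and are passed in as opaque bytes.

```python
# Added example: ESP packet framing per the RFC 2406 figure. Cryptography is
# deliberately absent; `icv` is whatever the SA's authenticator produced and
# `icv_len` is known to both ends from SA establishment.
import struct

ESP_HEADER = struct.Struct("!II")  # SPI and Sequence Number, network order


def default_padding(payload_len, align=4):
    """Padding bytes 1, 2, 3, ... so that Payload + Padding + Pad Length +
    Next Header is a multiple of `align` (4 for plain alignment, or the
    cipher block size when that is larger; both values are assumptions)."""
    pad_len = (-(payload_len + 2)) % align
    return bytes(range(1, pad_len + 1))


def build_esp(spi, seq, payload, next_header, icv, align=4):
    """Lay out the fields in figure order. `icv` is b"" when authentication
    is not selected on the SA."""
    padding = default_padding(len(payload), align)
    trailer = padding + bytes([len(padding), next_header])
    return ESP_HEADER.pack(spi, seq) + payload + trailer + icv


def parse_esp(packet, icv_len):
    """Split a decrypted ESP packet into its fields and report which bytes
    the two coverage regions in the figure span. Raises ValueError on
    malformed lengths instead of reading outside the buffer."""
    if len(packet) < ESP_HEADER.size + 2 + icv_len:
        raise ValueError("packet too short for an ESP header and trailer")
    spi, seq = ESP_HEADER.unpack_from(packet)
    end_of_auth = len(packet) - icv_len
    auth_coverage = packet[:end_of_auth]          # SPI .. Next Header
    icv = packet[end_of_auth:]
    conf_coverage = packet[ESP_HEADER.size:end_of_auth]  # Payload .. Next Header
    pad_len, next_header = conf_coverage[-2], conf_coverage[-1]
    if pad_len > len(conf_coverage) - 2:
        raise ValueError("Pad Length exceeds the available data")
    payload_end = len(conf_coverage) - 2 - pad_len
    return {
        "spi": spi,
        "seq": seq,
        "payload": conf_coverage[:payload_end],
        "padding": conf_coverage[payload_end:payload_end + pad_len],
        "pad_len": pad_len,
        "next_header": next_header,
        "icv": icv,
        "auth_coverage": auth_coverage,
        "conf_coverage": conf_coverage,
    }


def padding_is_default(padding):
    """True when the padding follows the 1, 2, 3, ... pattern; a receiver
    may use this as an extra sanity check on a decrypted trailer."""
    return padding == bytes(range(1, len(padding) + 1))
```

   The parser depends on `icv_len` coming from the SA rather than from
   the packet, exactly as the text says: nothing in the wire format
   announces which options are in force, so the receiver must already
   know them to find the trailer.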

2.1  Security Parameters Index

   The SPI is an arbitrary 32-bit value that, in combination with the
   destination IP address and security protocol (ESP), uniquely
   identifies the Security Association for this datagram.  The set of
   SPI values in the range 1 through 255 are reserved by the Internet
   Assigned Numbers Authority (IANA) for future use; a reserved SPI
   value will not normally be assigned by IANA unless the use of the
   assigned SPI value is specified in an RFC.  It is ordinarily selected
   by the destination system upon establishment of an SA (see the
   Security Architecture document for more details).  The SPI field is
   mandatory.
