PROXY  WHOIS  RQUOTE  TEXTS  SOFT  FOREX  BBOARD
 Music  Philosophy  Code  Literature  Russian

= ROOT|Technical|RFC|rfc1827.txt =

page 1 of 7 









Network Working Group                                        R. Atkinson
Request for Comments: 1827                     Naval Research Laboratory
Category: Standards Track                                    August 1995


                IP Encapsulating Security Payload (ESP)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

ABSTRACT

   This document describes the IP Encapsulating Security Payload (ESP).
   ESP is a mechanism for providing integrity and confidentiality to IP
   datagrams.  In some circumstances it can also provide authentication
   to IP datagrams.  The mechanism works with both IPv4 and IPv6.

1. INTRODUCTION

   ESP is a mechanism for providing integrity and confidentiality to IP
   datagrams.  It may also provide authentication, depending on which
   algorithm and algorithm mode are used.  Non-repudiation and
   protection from traffic analysis are not provided by ESP.  The IP
   Authentication Header (AH) might provide non-repudiation if used with
   certain authentication algorithms [Atk95b].  The IP Authentication
   Header may be used in conjunction with ESP to provide authentication.
   Users desiring integrity and authentication without confidentiality
   should use the IP Authentication Header (AH) instead of ESP.  This
   document assumes that the reader is familiar with the related
   document "IP Security Architecture", which defines the overall
   Internet-layer security architecture for IPv4 and IPv6 and provides
   important background for this specification [Atk95a].

1.1 Overview

   The IP Encapsulating Security Payload (ESP) seeks to provide
   confidentiality and integrity by encrypting data to be protected and
   placing the encrypted data in the data portion of the IP
   Encapsulating Security Payload.  Depending on the user's security
   requirements, this mechanism may be used to encrypt either a
   transport-layer segment (e.g., TCP, UDP, ICMP, IGMP) or an entire IP
   datagram.  Encapsulating the protected data is necessary to provide
   confidentiality for the entire original datagram.




 
RFC 1827             Encapsulating Security Payload          August 1995


   Use of this specification will increase the IP protocol processing
   costs in participating systems and will also increase the
   communications latency.  The increased latency is primarily due to
   the encryption and decryption required for each IP datagram
   containing an Encapsulating Security Payload.

   In Tunnel-mode ESP, the original IP datagram is placed in the
   encrypted portion of the Encapsulating Security Payload and that
   entire ESP frame is placed within a datagram having unencrypted IP
   headers.  The information in the unencrypted IP headers is used to
   route the secure datagram from origin to destination. An unencrypted
   IP Routing Header might be included between the IP Header and the
   Encapsulating Security Payload.

   In Transport-mode ESP, the ESP header is inserted into the IP
   datagram immediately prior to the transport-layer protocol header
   (e.g., TCP, UDP, or ICMP). In this mode bandwidth is conserved
   because there are no encrypted IP headers or IP options.

   In the case of IP, an IP Authentication Header may be present as a
   header of an unencrypted IP packet, as a header after the IP header
   and before the ESP header in a Transport-mode ESP packet, and also as
   a header within the encrypted portion of a Tunnel-mode ESP packet.
   When AH is present both in the cleartext IP header and also inside a
   Tunnel-mode ESP header of a single packet, the unencrypted IPv6
   Authentication Header is primarily used to provide protection for the
   contents of the unencrypted IP headers and the encrypted
   Authentication Header is used to provide authentication only for the
   encrypted IP packet.  This is discussed in more detail later in this
   document.

   The Encapsulating Security Payload is structured a bit differently
   than other IP payloads. The first component of the ESP payload
   consist of the unencrypted field(s) of the payload.  The second
   component consists of encrypted data.  The field(s) of the
   unencrypted ESP header inform the intended receiver how to properly
   decrypt and process the encrypted data.  The encrypted data component
   includes protected fields for the security protocol and also the
=1=

= PAGE 1 = NEXT > |2|3|4|5|6|7

UP TO ROOT | UP TO DIR

Google
 


E-mail Facebook Google Digg del.icio.us BlinkList Fark Furl Ma.gnolia Netscape NewsVine Reddit Slashdot Spurl StumbleUpon Technorati YahooMyWeb LiveJournal Blogmarks TwitThis Live News2.ru BobrDobr.ru Memori.ru MoeMesto.ru

0.0655 wallclock secs ( 0.01 usr + 0.00 sys = 0.01 CPU)