Encapsulating Security Payload -- dmeredit@cs.hmc.edu

Course: CS125
Name: Daniel Meredith
Due Date: 02/09/00
Submit Date: 02/09/00
Abstract Title: IP Encapsulating Security Payload
Journal Ref: IETF RFC2406

The IETF specification for IPsec is broken down into many different documents which explain different sections of the new protocol. Two of the main protocols which will secure IPsec are the IP Authentication Header (AH) and the IP Encapsulating Security Payload (ESP) header. I summarized the overall layout of IPsec for IPv4 and IPv6 in my last abstract. Now I will begin looking deeper into the specification.

ESP is used to "provide confidentiality, data origin authentication, connection-less integrity, an anti-replay service ... and limited traffic flow confidentiality." In short, it is another method of protecting the data payload of a packet from wrongful interception and tampering. At the time of establishing a Security Association (see last abstract) a set of security services in determined and then used on every packet transmitted during that Security Association. Among other services that may be implemented during a Security Association, confidentiality or authentication must be implemented.

This brings us to my first observation about the ESP header. In the packet diagram included in the RFC the packet is laid out byte by byte. The ratio of space for security to space for data is ridiculous. The more security we add to every packet on the net, the less space is available for the data we are trying to protect in the first place. ESP does just what it's name says. It wraps a packet, TCP or other, with another header and then encrypts the original packet.

ESP is a changing algorithm. By that I mean that the exact keys and services used vary for every different Security Association. The ESP header includes a 32 bit value called a "Security Parameters Index" or (SPI). This value varies from 1 to 255 and specifies the identity of which Security Association should be used for the datagram that contains it. The SPI of 0 is reserved for local protocol use only. Also in the ESP header is a sequence number. This is a 32 bit field that not only sets the packet order for re-assembly, but sets the time limit for a Security Association. Once the 2^32nd packet has been sent in a Security Association, the SA must end and a new association begun. This means that an entirely new set of encryption keys must be generated and services negotiated. Thus in a very large transfer, multiple SA's will be used, making it even harder to tamper with transmissions.

The main security provided by ESP is that it completely encrypts the original data packet. This is all well and good, but in order for most encryption algorithms to work at an efficient level the data must be in sections that are multiples of 4 bytes. Thus the ESP header has made allowances for this in the form of padding at the end of the packet. The padding can be as large as 255 bytes. This is another area where the packet size continues to bloat. The padding for encryption is optional, but all implementations of ESP must support the generation and consumption of padding in order to be considered compliant.

The ESP header includes other multi-bit fields for extra headers, authentication data and other various packet information. After all of the headers comes the payload. The payload is the original packet "encapsulated" by the ESP protocol headers and then encrypted using one of the approved algorithms. The construction of the packet is quite simple:

The packet is encapsulated.
Padding is then added to allow for proper encryption.
The payload is then encrypted.

I should note here that the whole original datagram is only encrypted if tunnel mode was selected in the services negotiation of the Security Association. Otherwise only the upper layer protocol information is encrypted. This is referred to as transport mode.

The order in which the steps are performed is quite important. Currently with the authentication being performed before the encryption the detection of replay (spoofed) or bogus packets is facilitated. In light of the recent denial of service attacks on sites such as Yahoo!, eBay and Amazon, this feature would reduce the impact of such attacks to almost nothing. This is due to the fact that a packet with an impossible address or origin will never make it passed a gateway using ESP encryption on the out bound traffic or into a subnet using a similar gateway.

Packets that do not conform to the ESP format are discarded at any point en route where they are checked, not just at the origin gateway and destination gateway. Packets can be dropped for many reasons including:

Duplication
Improper Security Association Identification field
Erroneous encryption pad length
General packet corruption

Overall, ESP adds many feature to help protect transmission of data via the public internet. Protocols such as IPsec help not only protect the data they encrypt, but the rights of those sending the data. With government asking for more power to use electronic surveillance on the internet, protocols that make it harder to intercept data protect the privacy of the individual. One of the great powers of the internet is not only the sharing of information, but the ability to have anonymous free speech, and without anonymity there is no guarantee of protection from oppression of ideas. Let us never lose sight of that fact.