Encapsulating Security Payload (ESP) - Alcatel-Lucent OmniSwitch AOS Release 7 Manual

Network configuration guide

Configuring IPsec
Note. The OmniSwitch currently supports the Transport Mode of operation.

Encapsulating Security Payload (ESP)

The ESP protocol provides a means to ensure privacy (encryption), source authentication, and content
integrity (authentication). It helps provide enhanced security of the data packet and protects it against
eavesdropping during transit.
Unlike AH, which only authenticates the data, ESP encrypts data and also optionally authenticates it. It
provides these services by encrypting the original payload and encapsulating the packet between a header
and a trailer, as shown in the figure below.
ESP is identified by a value of 50 in the IPv6 header. The ESP header is inserted after the IPv6 header and
before the upper layer protocol header. The Security Parameter Index (SPI) in the ESP header is a 32-bit
value that, combined with the destination address and protocol in the preceding IPv6 header, identifies the
security association (SA) to be used to process the packet. The SPI helps distinguish multiple SAs configured
for the same source and destination combination. The payload data field carries the data that is being
[Figure: IP Packet in IPsec Transport Mode. IP Packet protected by ESP, drawn 32 bits wide (bit markers at 16, 24 and 32) with the fields: Security association identifier (SPI), Sequence Number, Payload data (variable length), Padding (0-255 bytes), Pad Length, Next Header, Authentication Data (variable).]

OmniSwitch AOS Release 7 Network Configuration Guide, March 2011, IPsec Overview, page 14-5
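The field layout described above, as an added Python example (not code from the manual or from the OmniSwitch software). It reads the cleartext ESP fields from an IPv6 packet and builds the SA lookup key from destination address, protocol and SPI. The function names, the 12-byte Authentication Data length, the absence of IPv6 extension headers and the sample packet are assumptions made for illustration.

```python
import ipaddress
import struct

ESP_PROTO = 50          # value in the IPv6 header that identifies ESP
IPV6_HDR_LEN = 40       # fixed IPv6 header; no extension headers assumed

def parse_esp(packet: bytes, icv_len: int = 12) -> dict:
    """Split an IPv6+ESP packet into the fields readable without the key.

    icv_len is the Authentication Data length. It is a property of the SA,
    not a field in the packet (12 bytes is an assumed value).
    """
    if len(packet) < IPV6_HDR_LEN + 8 + icv_len:
        raise ValueError("packet too short for IPv6 + ESP header + ICV")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header = packet[6]
    if next_header != ESP_PROTO:
        raise ValueError(f"next header {next_header} is not ESP (50)")
    dst = ipaddress.IPv6Address(packet[24:40])
    spi, seq = struct.unpack("!II", packet[40:48])
    body = packet[48:]
    return {
        "sa_key": (str(dst), ESP_PROTO, spi),      # selects the SA
        "sequence": seq,
        "encrypted": body[:len(body) - icv_len],   # payload + padding + trailer
        "auth_data": body[len(body) - icv_len:],
    }

def split_trailer(plaintext: bytes) -> tuple:
    """After decryption: strip padding, return (payload, next_header)."""
    if len(plaintext) < 2:
        raise ValueError("missing ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds decrypted data")
    return plaintext[:len(plaintext) - 2 - pad_len], next_header

# Constructed sample: documentation addresses, SPI 0x1001, sequence 7.
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed
ESP_BODY = struct.pack("!II", 0x1001, 7) + bytes(16) + b"\xaa" * 12
SAMPLE = struct.pack("!IHBB", 6 << 28, len(ESP_BODY), ESP_PROTO, 64) + SRC + DST + ESP_BODY

if __name__ == "__main__":
    print(parse_esp(SAMPLE))
    print(split_trailer(b"hello\x01\x02\x03\x03\x06"))  # 3 pad bytes, next header 6
```

Pad Length and Next Header sit inside the encrypted portion, so `split_trailer` only applies to data that has already been decrypted with the SA's key.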
