IPSECESP(4P)                      Protocols                     IPSECESP(4P)
NAME
       ipsecesp, ESP - IPsec Encapsulating Security Payload
SYNOPSIS
       drv/ipsecesp
DESCRIPTION
       The ipsecesp module provides confidentiality, integrity,
       authentication, and partial sequence integrity (replay protection) to
       IP datagrams. The encapsulating security payload (ESP) encapsulates
       its data, enabling it to protect data that follows in the datagram.
       For TCP packets, ESP encapsulates the TCP header and its data only.
       If the packet is an IP in IP datagram, ESP protects the inner IP
       datagram. Per-socket policy allows "self-encapsulation" so ESP can
       encapsulate IP options when necessary. See ipsec(4P).
       Unlike the authentication header (AH), ESP allows multiple varieties
       of datagram protection. (Using a single datagram protection form can
       expose vulnerabilities.) For example, only ESP can be used to provide
       confidentiality. But protecting confidentiality alone leaves the
       datagram open to both replay attacks and cut-and-paste attacks.
       Similarly, if ESP protects only integrity and does not protect
       against eavesdropping, it may provide weaker protection than AH,
       whose integrity check also covers the immutable fields of the outer
       IP header. See ipsecah(4P).
   ESP Device
       ESP is implemented as a module that is auto-pushed on top of IP. Use
       the /dev/ipsecesp entry to tune ESP with ndd(8).
   Algorithms
       ESP uses encryption and authentication algorithms. Authentication
       algorithms include HMAC-MD5 and HMAC-SHA-1. Encryption algorithms
       include DES, Triple-DES, Blowfish and AES. Each authentication and
       encryption algorithm has key size and key format properties. You
       can obtain a list of authentication and encryption algorithms and
       their properties by using the ipsecalgs(8) command. You can also use
       the functions described in the getipsecalgbyname(3NSL) man page to
       retrieve the properties of algorithms. DES (56-bit key) and HMAC-MD5
       are no longer considered strong; prefer AES with HMAC-SHA-1 for new
       security associations. Because of export laws in the United States,
       not all encryption algorithms are available outside of the United
       States.
   Security Considerations
       ESP without authentication exposes the datagram to cut-and-paste
       cryptographic attacks: an attacker who cannot read the traffic can
       still splice ciphertext blocks from one datagram into another, and
       the receiver decrypts the result without complaint. The sequence
       number also gives no replay protection in that case, since nothing
       prevents an attacker from rewriting it. Like AH, ESP is vulnerable
       to eavesdropping when used without confidentiality.
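       The ESP layout from the DESCRIPTION and the cut-and-paste attack
       named above, as an added example that is not part of this manual
       page or of the ipsecesp module: a Python model of RFC 2406 framing
       (SPI, sequence number, IV, CBC-encrypted payload followed by
       padding, pad length and next header, and an optional HMAC-SHA-1-96
       ICV). The block cipher is a toy 8-byte Feistel construction standing
       in for DES or AES; the keys, SPI, IVs and payloads are constructed
       for the demonstration, and splice() and demo() are names chosen
       here. splice() rebuilds a datagram from two captured ones without
       knowing any key; esp_decapsulate() accepts the result when the SA
       has no authentication and rejects it when an ICV is present.

```python
"""Added example, not part of the ipsecesp module: RFC 2406 ESP framing and
the cut-and-paste attack on ESP used without authentication.
Assumptions: a toy 8-byte Feistel block cipher stands in for DES/AES,
HMAC-SHA-1-96 is the ICV, and all keys, SPIs, IVs and payloads are
constructed for the demonstration."""
import hashlib, hmac, os, struct

BLOCK = 8      # DES-sized block; the IV carried in the packet is one block
ICV_LEN = 12   # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    """Feistel round function: keyed hash of one 4-byte half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def toy_encrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def toy_decrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def esp_encapsulate(enc_key, auth_key, spi, seq, next_header, payload, iv):
    """SPI | Seq | IV | E(payload | padding | pad len | next header) | [ICV]."""
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))       # RFC 2406 default padding
    body = struct.pack("!II", spi, seq) + iv
    body += cbc_encrypt(enc_key, iv, payload + padding + bytes([pad_len, next_header]))
    if auth_key is None:                         # ESP with NULL authentication
        return body
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]

def esp_decapsulate(enc_key, auth_key, pkt):
    """Return (spi, seq, next_header, payload); raise ValueError on rejection."""
    body = pkt
    if auth_key is not None:                     # ICV covers SPI..ciphertext
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        want = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, want):
            raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    iv, ct = body[8:8 + BLOCK], body[8 + BLOCK:]
    if not ct or len(ct) % BLOCK:
        raise ValueError("ciphertext is not a block multiple")
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len, next_header = pt[-2], pt[-1]
    if pad_len > len(pt) - 2 or pt[len(pt) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_header, pt[:len(pt) - 2 - pad_len]

def splice(victim, donor, keep_blocks, donor_from, icv_len):
    """Cut-and-paste with no key: keep the victim's SPI, sequence number, IV
    and first keep_blocks ciphertext blocks, then paste the donor's ciphertext
    from block donor_from through its trailer. CBC decrypts every block after
    the seam correctly; only the seam block itself turns to garbage."""
    hdr = 8 + BLOCK
    forged = victim[:hdr + keep_blocks * BLOCK] + donor[hdr:len(donor) - icv_len][donor_from * BLOCK:]
    return forged + (victim[-icv_len:] if icv_len else b"")

def demo(auth):
    """Attack one SA; return the payload the receiver accepts, or None."""
    enc_key = os.urandom(16)
    auth_key = os.urandom(20) if auth else None
    spi = 0x1234                                 # constructed SA
    # Bob's datagram, and one Eve obtained under the same SA (8-byte aligned)
    bob = esp_encapsulate(enc_key, auth_key, spi, 1, 6, b"SEND=500DST=BOB ", os.urandom(BLOCK))
    eve = esp_encapsulate(enc_key, auth_key, spi, 2, 6, b"note=hi DST=EVE ", os.urandom(BLOCK))
    forged = splice(bob, eve, 1, 0, ICV_LEN if auth else 0)
    try:
        return esp_decapsulate(enc_key, auth_key, forged)[3]
    except ValueError:
        return None
```

       With demo(False) the receiver hands up "SEND=500", one garbage
       block, then "DST=EVE ", carrying Bob's SPI and sequence number and
       a well-formed trailer taken from Eve's datagram; an upper layer that
       parses fields leniently never learns the datagram was forged. With
       demo(True) the same splice fails the ICV check before decryption is
       attempted.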
ATTRIBUTES
       See 
attributes(7) for descriptions of the following attributes:
       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       |Interface Stability | Evolving        |
       +--------------------+-----------------+
SEE ALSO
       getipsecalgbyname(3NSL), ip(4P), ipsec(4P), ipsecah(4P),
       attributes(7), ipsecalgs(8), ipsecconf(8), ndd(8)

       Kent, S. and Atkinson, R. RFC 2406, IP Encapsulating Security Payload
       (ESP), The Internet Society, 1998.
                                May 18, 2003                    IPSECESP(4P)