FreeBSD Manual Pages
ipsecesp(7P)                   Protocols                  ipsecesp(7P)

NAME
       ipsecesp, ESP - IPsec Encapsulating Security Payload


DESCRIPTION
       The ipsecesp module provides confidentiality, integrity,
       authentication, and partial sequence integrity (replay protection) to
       IP datagrams.  The encapsulating security payload (ESP) encapsulates
       its data, enabling it to protect data that follows in the datagram.
       For TCP packets, ESP encapsulates the TCP header and its data only.  If
       the packet is an IP in IP datagram, ESP protects the inner IP datagram.
       Per-socket policy allows "self-encapsulation" so ESP can encapsulate IP
       options when necessary.  See ipsec(7P).

       Unlike the authentication header (AH), ESP allows multiple varieties of
       datagram protection.  (Using a single datagram protection form can
       expose vulnerabilities.)  For example, only ESP can be used to provide
       confidentiality.  But protecting confidentiality alone exposes
       vulnerabilities to both replay attacks and cut-and-paste attacks.
       Similarly, if ESP protects only integrity and does not fully protect
       against eavesdropping, it may provide weaker protection than AH.  See

   Algorithms and the ESP Device
       ESP is implemented as a module that is auto-pushed on top of IP.  Use
       the /dev/ipsecesp entry to tune ESP with ndd(1M), as well as to allow
       future algorithms to be loaded on top of ESP.  ESP allows encryption
       algorithms to be pushed on top of it, in addition to the authentication
       algorithms that can be used in AH.  Authentication algorithms include
       HMAC-MD5 and HMAC-SHA-1.  See authmd5h(7M) and authsha1(7M).  Encryption
       algorithms include DES, Triple-DES, Blowfish and AES.  See encrdes(7M),
       encr3des(7M), encrbfsh(7M) and encraes(7M).  Each authentication and
       encryption algorithm contains key size and key format properties.
       Because of export laws in the United States, not all encryption
       algorithms are available outside of the United States.

   Security Considerations
       ESP without authentication exposes vulnerabilities to cut-and-paste
       cryptographic attacks as well as eavesdropping attacks.  Like AH, ESP is
       vulnerable to eavesdropping when used without confidentiality.
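       As an added illustration of the consideration above (not part of this
       manual page), the following ipsecconf(1M) policy entries contrast an
       ESP rule that requests confidentiality only, the form the text warns
       against, with rules that also request authentication.  The host names
       gw1 and gw2 are constructed, and the rule syntax and algorithm names
       are assumed from ipsecconf(1M) rather than taken from this page.

```conf
# Added example, not from this manual page.  Hosts "gw1" and "gw2" are
# constructed; rule syntax and algorithm names follow ipsecconf(1M) as
# assumed here (encr_algs = ESP encryption, encr_auth_algs = ESP
# authentication, auth_algs = AH authentication).

# Weak: ESP with encryption but no authentication.  Datagrams are
# confidential, but nothing lets the receiver reject replayed or
# cut-and-paste ciphertext (see "Security Considerations" above).
{laddr gw1 raddr gw2} ipsec {encr_algs aes sa shared}

# Hardened: ESP encryption plus ESP authentication, so modified or
# replayed datagrams fail the integrity check and are dropped.
{laddr gw1 raddr gw2} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

# Equivalent intent using AH for integrity: ESP provides confidentiality
# of the payload and AH authenticates the datagram as a whole.
{laddr gw1 raddr gw2} ipsec {encr_algs aes auth_algs sha1 sa shared}
```

       Only the first form leaves the traffic exposed to the attacks named in
       this section; either of the other two is the setting a deployment should
       carry.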

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       |  ATTRIBUTE TYPE      |  ATTRIBUTE VALUE      |
       | Availability         | SUNWcsr (32-bit)      |
       |                      | SUNWcarx (64-bit)     |
       | Interface Stability  | Evolving              |

SEE ALSO
       ipsecconf(1M), ndd(1M), attributes(5), authmd5h(7M), authsha1(7M),
       encrdes(7M), encr3des(7M), encrbfsh(7M), ip(7P), ipsec(7P), ipsecah(7P)

       Kent, S. and Atkinson, R., RFC 2406, IP Encapsulating Security Payload
       (ESP), The Internet Society, 1998.

NOTES
       Due to United States export control laws, encryption strength available
       on ESP varies for versions of the SunOS sold outside the United States.


SunOS 5.9                      20 Mar 2001                  ipsecesp(7P)

