Data Protection and Security

VIII Standards and Protocols

VIII.V IPsec

AH and ESP

Given a shared session key, either configured manually or established through IKE, AH provides integrity protection only, while ESP provides encryption, integrity protection, or both. ESP with integrity protection only is similar to AH; the main difference is that AH's integrity check also covers the immutable fields of the outer IP header, whereas ESP's covers only the ESP header, payload and trailer. To keep things simple, this section explains only ESP.

A receiver will usually receive IPsec packets from many sources, so it needs a procedure to decide which key and algorithm apply to each packet. This is done by establishing security associations. The IPsec header contains a field called the SPI (Security Parameter Index) that identifies the security association (SA), allowing the receiver to look up the necessary parameters (algorithms, keys, sequence-number state) in its SA database (SAD). An SA is unidirectional, so a two-way connection needs one SA in each direction, and the SPI value of each SA is chosen by its receiver.

Besides the SA database there is also a security policy database (SPD), which specifies what kind of protection is applied to which kind of packets (protect with IPsec, let through unprotected, or discard). Packets are distinguished by selector fields of the IP and transport headers, such as source and destination address, protocol and port numbers. The following figure shows the fields in the ESP envelope.


Figure 3. The fields in the ESP envelope
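The receiver-side processing described above, as an added example that is not part of the original text: a sender builds an ESP envelope (SPI, sequence number, payload, padding, pad length, next header, ICV) using NULL encryption and HMAC-SHA-256-128 integrity, the receiver finds the SA by SPI in its SAD, verifies the ICV before parsing anything else, and an SPD lookup decides which packets get protected at all. The session key, SPI values, addresses and policy rules are constructed for the example, and the anti-replay check is simplified to "sequence number must increase" rather than the sliding window real implementations use.

```python
"""Added example (not from the original page): ESP envelope with
integrity-only protection, an SPI-keyed SA database and a small SPD.
Keys, SPIs, addresses and policy rules are constructed for illustration."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 16          # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits
ESP_HDR_FMT = "!II"   # SPI and sequence number, 32 bits each, network order
PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass
class SA:
    """One unidirectional security association."""
    spi: int
    auth_key: bytes
    seq: int = 0      # sender: last seq sent; receiver: highest seq accepted


class Receiver:
    def __init__(self):
        self.sad = {}           # SPI -> inbound SA (the SA database)
        self.next_spi = 0x1000  # constructed; 0 and 1..255 are reserved by RFC 4303

    def install_inbound_sa(self, auth_key):
        """The receiver chooses the SPI; in practice IKE tells the peer."""
        spi = self.next_spi
        self.next_spi += 1
        self.sad[spi] = SA(spi, auth_key)
        return spi

    def esp_decapsulate(self, packet):
        """Return (next_header, payload) or raise ValueError on any failure."""
        if len(packet) < struct.calcsize(ESP_HDR_FMT) + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        spi, seq = struct.unpack(ESP_HDR_FMT, packet[:8])
        sa = self.sad.get(spi)
        if sa is None:
            raise ValueError(f"no inbound SA for SPI {spi:#x}")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        # Verify the ICV before trusting anything else in the packet.
        expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")
        # Simplified anti-replay: accept only increasing sequence numbers.
        if seq <= sa.seq:
            raise ValueError(f"replayed sequence number {seq}")
        sa.seq = seq
        pad_len, next_header = body[-2], body[-1]   # ESP trailer
        if pad_len > len(body) - 8 - 2:
            raise ValueError("bad pad length")
        payload = body[8:len(body) - 2 - pad_len]
        return next_header, payload


def esp_encapsulate(sa, next_header, payload):
    """Sender side: SPI | seq | payload | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(payload) + 2)) % 4          # 4-byte alignment (NULL cipher)
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default padding 1,2,3,...
    sa.seq += 1
    body = (struct.pack(ESP_HDR_FMT, sa.spi, sa.seq) + payload
            + padding + bytes([pad_len, next_header]))
    return body + hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


# Constructed SPD: ordered (selector, action) rules, first match wins.
SPD = [
    ({"dst": "10.0.0.5", "proto": 6, "dport": 22}, BYPASS),   # SSH passes in clear
    ({"dst": "10.0.0.5"}, PROTECT),                           # everything else to host: ESP
    ({}, DISCARD),                                            # default deny
]


def spd_lookup(pkt):
    """pkt is a dict of selector values taken from the IP/transport headers."""
    for selector, action in SPD:
        if all(pkt.get(k) == v for k, v in selector.items()):
            return action
    return DISCARD


def demo():
    key = b"\x11" * 32                        # constructed session key
    rx = Receiver()
    spi = rx.install_inbound_sa(key)          # receiver picks the SPI
    tx_sa = SA(spi, key)                      # sender's outbound SA, same key
    pkt = esp_encapsulate(tx_sa, 6, b"GET / HTTP/1.0\r\n")   # next header 6 = TCP
    out = rx.esp_decapsulate(pkt)
    replayed = tampered = False
    try:                                      # same packet again: replay
        rx.esp_decapsulate(pkt)
    except ValueError:
        replayed = True
    bad = pkt[:8] + bytes([pkt[8] ^ 1]) + pkt[9:]   # flip one payload bit
    try:
        rx.esp_decapsulate(bad)
    except ValueError:
        tampered = True
    return out, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

Because the SA is looked up by SPI before the ICV is checked, an attacker who guesses a valid SPI can only make the receiver do one MAC computation; verifying the ICV before reading the trailer keeps pad-length and next-header handling from ever running on unauthenticated data.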
