What is Encapsulating Security Payload (ESP)?

Encapsulating Security Payload (ESP) is a protocol in the Internet Protocol Security (IPsec) family that encrypts and authenticates data packets sent between computers via a virtual private network (VPN). Much of a VPN's security rests on these protections, which ESP applies at the IP layer.

What does ESP do?

The Encapsulating Security Payload (ESP) protocol provides:

  • Data confidentiality
  • Data origin authentication
  • Data integrity
  • Replay protection

ESP format

Security parameter index (SPI)

The SPI is a 32-bit value that, when combined with the packet's destination IP address and security protocol, uniquely identifies the Security Association (SA).

Sequence number

The sequence number is a 32-bit counter that increases monotonically to protect against replay attacks. When an SA is established, the counter is set to 0 on both the sender's and the receiver's side. The sender increments it for each packet it transmits, and the receiver checks the value of each arriving packet against its own record to detect replays.

ESP payload data

ESP payload data is a variable-length field holding the transport-level segment or IP packet that ESP protects. This is where the actual message resides, encrypted for confidentiality.

Padding

Padding is used to extend the payload data to a multiple of the block size required by the encryption algorithm, or to randomize the length of the payload in order to protect it against traffic analysis.

Pad length

Pad length is an 8-bit field whose value shows the padding field’s length in bytes.

Next header

Next header identifies the type of data contained in the payload data field by identifying the first header in that payload (e.g. an extension header in IPv6 or an upper-layer protocol such as TCP).

ESP authentication data

ESP authentication data is a variable-length field containing the integrity check value (ICV). The ICV verifies the sender's identity and the integrity of the message. It is an optional field, present only when the SA has integrity checking enabled.
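As an added example (not part of the original article), the following Python code sketches the receive side of the format described above: it splits a decrypted ESP packet into SPI, sequence number, payload, padding, pad length, next header and ICV, checks the default padding, and runs the sequence number through an anti-replay window. The sample packet, the 64-packet window size and the placeholder ICV are constructed assumptions; decryption and ICV verification themselves are left to the SA's algorithms.

```python
import struct

ESP_HEADER = struct.Struct("!II")  # SPI and sequence number, both 32-bit, network byte order

# Constructed sample: SPI 0x1000, seq 1, 5-byte payload, 3 pad bytes, next header 6 (TCP),
# 16-byte placeholder ICV (a real ICV is computed by the SA's integrity algorithm).
SAMPLE_ESP = ESP_HEADER.pack(0x1000, 1) + b"hello" + bytes([1, 2, 3, 3, 6]) + b"\x00" * 16

def parse_esp(packet: bytes, icv_len: int) -> dict:
    """Split an ESP packet into its fields and verify the trailer.

    The payload must already be decrypted (the trailer sits inside the encrypted
    region); icv_len is fixed by the SA (e.g. 16 for HMAC-SHA-256-128, 0 if none).
    """
    if len(packet) < ESP_HEADER.size + 2 + icv_len:
        raise ValueError("packet too short for ESP")
    spi, seq = ESP_HEADER.unpack_from(packet, 0)
    body_end = len(packet) - icv_len             # ICV is the last icv_len bytes
    pad_len, next_header = packet[body_end - 2], packet[body_end - 1]
    body = packet[ESP_HEADER.size:body_end - 2]  # payload data followed by padding
    if pad_len > len(body):
        raise ValueError("pad length exceeds payload")
    # RFC 4303 default padding is the byte sequence 1, 2, 3, ...; anything else
    # in a decrypted packet points to corruption or tampering.
    if body[len(body) - pad_len:] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding check failed")
    return {"spi": spi, "seq": seq, "payload": body[:len(body) - pad_len],
            "pad_len": pad_len, "next_header": next_header, "icv": packet[body_end:]}

class ReplayWindow:
    """Receiver-side anti-replay sliding window for one inbound SA."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0  # bit i set: highest - i seen

    def accept(self, seq: int) -> bool:
        """Return True if seq is new and inside the window, False if replayed or too old."""
        if seq == 0:
            return False                   # counters start at 0, so 0 is never transmitted
        if seq > self.highest:             # advance the window to the right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                   # left of the window, or already seen
        self.bitmap |= 1 << offset
        return True
```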