Encapsulating security payload (esp) – NETGEAR ProSafe FVS124G User Manual

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Virtual Private Networking

D-3

202-10085-01, March 2005

•

Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and
integrity.

•

Authentication Header (AH): Provides authentication and integrity.

•

Internet Key Exchange (IKE): Provides key management and Security Association (SA)
management.

Encapsulating Security Payload (ESP)

ESP provides authentication, integrity, and confidentiality, which protect against data tampering
and, most importantly, provide message content protection.

IPSec provides an open framework for implementing industry standard algorithms, such as SHA
and MD5. The algorithms IPSec uses produce a unique and unforgeable identifier for each packet,
which is a data equivalent of a fingerprint. This fingerprint allows the device to determine if a
packet has been tampered with. Furthermore, packets that are not authenticated are discarded and
not delivered to the intended receiver.

ESP also provides all encryption services in IPSec. Encryption translates a readable message into
an unreadable format to hide the message content. The opposite process, called decryption,
translates the message content from an unreadable format to a readable message. Encryption/
decryption allows only the sender and the authorized receiver to read the data. In addition, ESP has
an option to perform authentication, called ESP authentication. Using ESP authentication, ESP
provides authentication and integrity for the payload and not for the IP header.

Figure 9-4: Original packet and packet with IPSec Encapsulated Security Payload