In tunnel mode, a new outer IP header is prepended and the AH header is inserted between the outer header and the original IP header, so the entire original IP datagram (its IP header as well as its payload) is covered by the authentication. Only the mutable fields of the outer header (such as TTL and the header checksum) are excluded from the integrity check.

An IP Packet with tunnel mode AH

5.4.3.4.1.2 Encapsulating Security Payload Protocol (ESP)

The Encapsulating Security Payload (ESP) header is defined in RFC 2406. ESP provides data confidentiality; authentication and integrity protection are optional. The encrypted datagram is carried in the Payload Data field of the ESP packet, followed by the ESP trailer (padding, pad length and next header), which is encrypted together with it. When authentication is selected for an ESP security association, the data is encrypted first and the ciphertext, together with the SPI and sequence number, is then authenticated; the resulting integrity check value is placed in the Authentication Data field. Because the receiver verifies this value before decrypting, a modified packet is dropped without any decryption taking place. If no authentication is specified, the Authentication Data field is absent.

ESP Header

When used in transport mode, the ESP header is inserted after the IP header and before any upper-layer protocol header, and the ESP trailer and optional authentication data follow the upper-layer data. Only the upper-layer protocols are protected: the IP header itself is neither encrypted nor covered by the ESP integrity check.

An IP Packet with transport mode ESP

In tunnel mode, a new outer IP header is prepended, and the original IP header together with any upper-layer protocols is encrypted and then, if authentication is specified, authenticated. At the ESP layer the two modes differ only in what is encapsulated and in the Next Header value that names it.
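The ESP processing described above (encrypt the data plus trailer, then compute the integrity check value over the ESP header and the ciphertext; at the receiver verify that value before decrypting, then strip the trailer) as an added example in Go. It is not part of the IBM manual or of the evaluated product: it uses AES-128-CBC and HMAC-SHA1-96, both standard ESP transforms, with constructed keys, a fixed IV and constructed payloads, and the `SA`, `Encapsulate` and `Decapsulate` names are assumptions. The same code carries a transport-mode TCP segment (Next Header 6) or a tunnel-mode inner IP datagram (Next Header 4), which is the only difference between the two modes at this layer. Anti-replay is reduced to a strictly increasing sequence number; a real implementation keeps a sliding window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet layout built here (ESP per RFC 2406, AES-CBC per RFC 3602, HMAC-SHA1-96 per RFC 2404):
//   SPI(4) | Seq(4) | IV(16) | AES-CBC{ data | padding | Pad Length(1) | Next Header(1) } | ICV(12)
const (
	espHdrLen = 8
	icvLen    = 12 // HMAC-SHA1 output truncated to 96 bits
	ProtoIPv4 = 4  // IANA protocol number in Next Header: tunnel mode carries a whole IPv4 datagram
	ProtoTCP  = 6  // IANA protocol number in Next Header: transport mode carries the TCP segment
)

// SA is the per-direction state of a hypothetical ESP security association (our own name).
type SA struct {
	SPI     uint32
	Seq     uint32 // sender: last number sent; receiver: highest number accepted
	EncKey  []byte // 16 bytes selects AES-128
	AuthKey []byte
}

func icv(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// Encapsulate builds one ESP packet: encrypt first, then authenticate the ESP header plus the
// ciphertext. The IV is a parameter only for reproducibility; a real sender draws it from crypto/rand.
func Encapsulate(sa *SA, nextHeader byte, data, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	padLen := (aes.BlockSize - (len(data)+2)%aes.BlockSize) % aes.BlockSize // fill whole blocks
	plain := append([]byte{}, data...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // default padding 1,2,3,... (RFC 2406 section 2.4)
	}
	plain = append(plain, byte(padLen), nextHeader) // ESP trailer: Pad Length, Next Header
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	sa.Seq++ // monotonically increasing, never reused on one SA
	pkt := make([]byte, espHdrLen, espHdrLen+len(iv)+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:8], sa.Seq)
	pkt = append(append(pkt, iv...), ct...)
	return append(pkt, icv(sa.AuthKey, pkt)...), nil
}

// Decapsulate verifies the ICV before any decryption, then strips padding and trailer.
func Decapsulate(sa *SA, pkt []byte) (nextHeader byte, data []byte, err error) {
	if len(pkt) < espHdrLen+aes.BlockSize+icvLen {
		return 0, nil, errors.New("packet too short")
	}
	seq := binary.BigEndian.Uint32(pkt[4:8])
	if seq <= sa.Seq { // anti-replay reduced to "strictly increasing"; real receivers keep a window
		return 0, nil, errors.New("replayed sequence number")
	}
	authEnd := len(pkt) - icvLen
	if !hmac.Equal(pkt[authEnd:], icv(sa.AuthKey, pkt[:authEnd])) {
		return 0, nil, errors.New("ICV mismatch: dropped without decrypting")
	}
	sa.Seq = seq // advance the replay state only after the ICV passed
	iv, ct := pkt[espHdrLen:espHdrLen+aes.BlockSize], pkt[espHdrLen+aes.BlockSize:authEnd]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return 0, nil, errors.New("ciphertext is not whole blocks")
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return 0, nil, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	if padLen > len(plain)-2 {
		return 0, nil, errors.New("bad pad length")
	}
	return plain[len(plain)-1], plain[:len(plain)-2-padLen], nil
}

func main() {
	enc, auth, iv := []byte("0123456789abcdef"), []byte("constructed-auth-key"), []byte("fixed_iv_16bytes") // constructed
	tx, rx := &SA{SPI: 0x1000, EncKey: enc, AuthKey: auth}, &SA{SPI: 0x1000, EncKey: enc, AuthKey: auth}
	pkt, _ := Encapsulate(tx, ProtoTCP, []byte("TCP segment"), iv) // transport mode: only the segment
	nh, data, err := Decapsulate(rx, pkt)
	fmt.Printf("transport: next=%d data=%q err=%v\n", nh, data, err)
	pkt, _ = Encapsulate(tx, ProtoIPv4, []byte("inner IPv4 header + TCP segment"), iv) // tunnel mode
	nh, data, err = Decapsulate(rx, pkt)
	fmt.Printf("tunnel: next=%d data=%q err=%v\n", nh, data, err)
	pkt, _ = Encapsulate(tx, ProtoTCP, []byte("x"), iv)
	pkt[espHdrLen+aes.BlockSize] ^= 1 // flip one ciphertext bit: ICV fails, nothing is decrypted
	fmt.Println(Decapsulate(rx, pkt))
}
```

The order in `Decapsulate` is the point of the section: the integrity check value is compared (in constant time) before a single block is decrypted, so a tampered packet never reaches the cipher or the padding logic, and the replay state is only advanced once the packet has been authenticated.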

An IP Packet with tunnel mode ESP