Solved: Re: IP Sec ESP Encryption

Ariyarathna · ‎07-20-2021

I am reading "demystifying the ipsec puzzle" book and found following fact is confusing related to the ESP protocol.

". Encrypt the message, if encryption is mandated by the SA. The
packet data, padding, pad length, and Next Header fields will be
encrypted, along with the tunnel header for a Tunnel Mode SA.
The mandatory encryption algorithms for IPsec ESP are DES-CBC
and the null encryption algorithm. The latter does not provide
encryption protection. Because an ESP header must provide confidentiality, authentication, or both, when the null encryption algorithm is used for encryption, the null authentication algorithm
must not be used for authentication"

How it can be along with the tunnel header ? (As I think in tunnel mode new IP header is not encrypted) .Please help me to understand this concept. Thank you very much for your valuable time.

Thanks,

Manoj

Karsten Iwen · ‎07-20-2021

You are absolutely right that the outer header is not encrypted. I assume that it is just a typo and should read "along with the tunneled header ...". Then it would be correct as the original header is encrypted.

View solution in original post

Karsten Iwen · ‎07-20-2021

You are absolutely right that the outer header is not encrypted. I assume that it is just a typo and should read "along with the tunneled header ...". Then it would be correct as the original header is encrypted.

Ariyarathna · ‎07-21-2021

Thank you very much for the clarification.

Manoj