
IPSec ESP encryption

adel81
Level 1

I have one question,

I am learning IPSec and I have the following question: is the ESP Trailer encrypted separately or together with the payload?

Regards.


Accepted Solutions

@adel81 

I would say together because the ESP itself becomes part of the payload.

https://www.ibm.com/docs/en/i/7.4?topic=protocols-encapsulating-security-payload

http://www.tcpipguide.com/free/t_IPSecEncapsulatingSecurityPayloadESP-3.htm#:~:text=Trailer%20Calculation%20and%20Placement,Figure%20124%20and%20Figure%20125.

"The IPSec Encapsulating Security Payload protocol allows the contents of a datagram to be encrypted, to ensure that only the intended recipient is able to see the data. It is implemented using three components: an ESP Header added to the front of a protected datagram, an ESP Trailer that follows the protected data, and an optional ESP Authentication Data field that provides authentication services similar to those provided by the Authentication Header (AH)."


M02@rt37
VIP

Hello @adel81 

The ESP trailer, which includes padding, padding length, and the Next Header field, is appended to the original data packet and is encrypted together with the payload to ensure confidentiality. In contrast, the ESP Authentication Data, added at the very end of the ESP packet, is not encrypted but is used to verify the integrity and authenticity of the packet. The authentication hash is calculated over the ESP Header, encrypted payload, and ESP Trailer, excluding the Authentication Data itself. This separation ensures both confidentiality and integrity while maintaining proper packet structure.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

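As an added illustration of the layout M02@rt37 describes (example code, not from the thread), the following Python builds and parses an ESP packet: the trailer (padding, Pad Length, Next Header) is appended to the payload before encryption, and the ICV is computed over SPI, sequence number, IV and ciphertext but never over itself. The keys, SPI values and the HMAC-based stand-in for the cipher are constructed assumptions, since the standard library ships no AES.

```python
import hmac
import hashlib
import os
import struct

# Constructed keys for the example; real SAs negotiate these via IKE.
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 20
IV_LEN, ICV_LEN = 8, 12

def esp_trailer(payload, next_header, block=16):
    """Padding + Pad Length + Next Header. Padding brings payload+2 up to a
    cipher block boundary; RFC 4303 default pad bytes are 1, 2, 3, ..."""
    pad_len = (-(len(payload) + 2)) % block
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def keystream(key, iv, n):
    """Stand-in for the ESP cipher (stdlib has no AES): HMAC-SHA256 in a
    counter construction. Only the packet framing matters for this example."""
    blocks = (hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_esp(spi, seq, payload, next_header):
    header = struct.pack(">II", spi, seq)                    # clear, but authenticated
    iv = os.urandom(IV_LEN)
    plaintext = payload + esp_trailer(payload, next_header)  # trailer is inside the encrypted region
    ciphertext = xor(plaintext, keystream(ENC_KEY, iv, len(plaintext)))
    authed = header + iv + ciphertext                        # ICV input: everything except the ICV
    icv = hmac.new(AUTH_KEY, authed, hashlib.sha1).digest()[:ICV_LEN]  # HMAC-SHA1-96
    return authed + icv

def parse_esp(pkt):
    """Verify the ICV first, then decrypt and strip the trailer. Returns
    (spi, seq, next_header, payload), or None when the ICV does not match."""
    authed, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expect = hmac.new(AUTH_KEY, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return None                                          # never decrypt unauthenticated bytes
    spi, seq = struct.unpack(">II", authed[:8])
    iv, ciphertext = authed[8:8 + IV_LEN], authed[8 + IV_LEN:]
    plaintext = xor(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]      # trailer fields read after decryption
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]
```

Flipping any byte of the ciphertext, including the encrypted trailer, makes parse_esp return None, which is the concrete form of "the authentication hash covers the ESP Trailer".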

5 Replies

The ESP trailer is added after IPsec encrypts the data frame, so it is not included in the encryption.

MHM

But when you read this Cisco article https://www.ciscopress.com/articles/article.asp?p=25477 and see the picture below, the ESP Trailer is encrypted!

Correct, I was confused between ESP auth (which is added to the end) and ESP tail (which is added to the end of the original data packet).

Yes, the ESP tail, not the auth, is included in the encrypt hash.

MHM
