Sun Microsystems, Inc.
spacerspacer
spacer   www.sun.com docs.sun.com | | |  
spacer
black dot
   
A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z
    
 
Protocolsipsecesp(7P)

NAME

 ipsecesp, ESP - IPsec Encapsulating Security Payload

SYNOPSIS

  
drv/ipsecesp

DESCRIPTION

 

The ipsecesp module provides confidentiality, integrity, authentication, and partial sequence integrity (replay protection) to IP datagrams. The encapsulating security payload (ESP) encapsulates its data, enabling it to protect data that follows in the datagram. For TCP packets, ESP encapsulates the TCP header and its data only. If the packet is an IP in IP datagram, ESP protects the inner IP datagram. Per-socket policy allows "self-encapsulation" so ESP can encapsulate IP options when necessary. See ipsec(7P).

Unlike the authentication header (AH), ESP allows multiple varieties of datagram protection. (Using a single datagram protection form can expose vulnerabilities.) For example, only ESP can be used to provide confidentiality. But protecting confidentiality alone exposes vulnerabilities in both replay attacks and cut-and-paste attacks. Similarly, if ESP protects only integrity and does not fully protect against eavesdropping, it may provide weaker protection than AH. See ipsecah(7P).

Algorithms and the ESP Device

 

ESP is implemented as a module that is auto-pushed on top of IP. Use the /dev/ipsecesp entry to tune ESP with ndd(1M), as well as to allow future algorithms to be loaded on top of ESP. ESP allows encryption algorithms to be pushed on top of it, in addition to the authentication algorithms that can be used in AH. Authentication algorithms include HMAC-MD5 and HMAC-SHA-1. See authmd5h(7M) and authsha1(7M). Encryption algorithms include DES, Triple-DES, Blowfish and AES. See encrdes(7M), encr3des(7M), encrbfsh(7M) and encraes(7M). Each authentication and encryption algorithm contain key size and key format properties. Because of export laws in the United States, not all encryption algorithms are available outside of the United States.

Security Considerations

 

ESP without authentication exposes vulnerabilities to cut-and-paste cryptographic attacks as well as eavesdropping attacks. Like AH, ESP is vulnerable to eavesdropping when used without confidentiality.

ATTRIBUTES

 

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPEATTRIBUTE VALUE
AvailabilitySUNWcsr (32-bit)
SUNWcarx (64-bit)
Interface StabilityEvolving

SEE ALSO

 

ipsecconf(1M), ndd(1M), attributes(5), authmd5h(5), authsha1(7M), encrdes(7M), encr3des(7M), encrbfsh(7M), ip(7P), ipsec(7P), ipsecah(7P)

Kent, S. and Atkinson, R.RFC 2406, IP Encapsulating Security Payload (ESP), The Internet Society, 1998.

NOTES

 

Due to United States export control laws, encryption strength available on ESP varies for versions of the SunOS sold outside the United States.

See authmd5h(7M) and authsha1(7M). Encryption algorithms include DES, Triple-DES, Blowfish and AES. See encrdes(7M), encr3des(7M), and encrbfsh(7M).
SunOS 5.9Go To TopLast Changed 20 Mar 2001
 
      
      
Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.