ipsecesp, ESP - IPsec Encapsulating Security Payload

     The ipsecesp  module  provides  confidentiality,  integrity,
     authentication,  and partial sequence integrity (replay pro-
     tection) to IP datagrams. The encapsulating security payload
     (ESP)  encapsulates  its  data,  enabling it to protect data
     that follows in the datagram.  For TCP packets, ESP encapsu-
     lates the TCP header and its data only.  If the packet is an
     IP in IP datagram, ESP protects the inner IP datagram.  Per-
     socket  policy allows "self-encapsulation" so ESP can encap-
     sulate IP options when necessary.  See ipsec(7P).

     Unlike the authentication header (AH), ESP  allows  multiple
     varieties  of  datagram protection. (Using a single datagram
     protection form can expose  vulnerabilities.)  For  example,
     only  ESP  can  be used to provide confidentiality. But pro-
     tecting confidentiality  alone  exposes  vulnerabilities  in
     both  replay  attacks and cut-and-paste attacks.  Similarly,
     if ESP protects only integrity and does  not  fully  protect
     against eavesdropping, it may provide weaker protection than
     AH. See ipsecah(7P).

  Algorithms and the ESP Device
     ESP is implemented as a module that is auto-pushed on top of
     IP. Use the /dev/ipsecesp entry to tune ESP with ndd(1M), as
     well as to allow future algorithms to be loaded  on  top  of
     ESP.   ESP allows  encryption algorithms to be pushed on top
     of it, in addition to the authentication algorithms that can
     be  used  in  AH. Authentication algorithms include HMAC-MD5
     and HMAC-SHA-1. See authmd5h(7M) and  authsha1(7M).  Encryp-
     tion  algorithms  include DES, Triple-DES, Blowfish and AES.
     See encrdes(7M), encr3des(7M), encrbfsh(7M) and encraes(7M).
     Each authentication and encryption algorithm carries key size
     and key format properties.  Because of export  laws  in
     the  United States, not all encryption algorithms are avail-
     able outside of the United States.

  Security Considerations
     ESP without authentication exposes vulnerabilities  to  cut-
     and-paste  cryptographic  attacks  as  well as eavesdropping
     attacks. Like AH, ESP is vulnerable  to  eavesdropping  when
     used without confidentiality.
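     The following Python sketch is an added illustration, not code from the Solaris ipsecesp module. It shows the two receiver-side checks that close the holes named above: an HMAC-SHA-1-96 ICV computed over SPI, sequence number and encrypted payload (so ciphertext spliced in from another packet fails authentication) and the RFC 2401 sliding anti-replay window. SPI, key and ciphertext values are constructed for the example; the encryption step itself is omitted.

```python
import hmac, hashlib, struct

ICV_LEN = 12  # HMAC-SHA-1-96: the 20-byte SHA-1 MAC truncated to 96 bits

class EspReceiver:
    """Inbound SA state: authentication key plus a sliding anti-replay
    window (bitmap per RFC 2401 Appendix C; bit i => last_seq - i seen)."""
    def __init__(self, spi, auth_key, window=32):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0

    def _replayed(self, seq):
        if seq == 0:
            return True                  # 0 is never valid with anti-replay on
        if seq > self.last_seq:
            return False                 # ahead of the window: new packet
        diff = self.last_seq - seq
        return diff >= self.window or bool(self.bitmap & (1 << diff))

    def _mark(self, seq):
        if seq > self.last_seq:          # slide the window forward
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last_seq = seq
        else:                            # inside the window: set its bit
            self.bitmap |= 1 << (self.last_seq - seq)

    def check(self, packet):
        """Return (ok, reason); ok=True means ICV and replay checks passed."""
        if len(packet) < 8 + ICV_LEN:
            return False, "truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return False, "unknown SPI"
        if self._replayed(seq):          # cheap check first, before the MAC
            return False, "replay"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV"
        self._mark(seq)                  # advance the window only after ICV succeeds
        return True, "ok"

def build_esp(spi, seq, ciphertext, auth_key):
    """Sender side: SPI || seq || ciphertext, followed by the ICV (constructed test helper)."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
```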


     See attributes(5) for descriptions of the following attributes:

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWcsr (32-bit)            |
    |                             | SUNWcarx (64-bit)           |
    | Interface Stability         | Evolving                    |


     ipsecconf(1M),    ndd(1M),    attributes(5),    authmd5h(7M),
     authsha1(7M),   encrdes(7M),   encr3des(7M),   encrbfsh(7M),
     ip(7P), ipsec(7P), ipsecah(7P)

     Kent, S. and Atkinson, R. RFC 2406, IP Encapsulating Security
     Payload (ESP), The Internet Society, 1998.


     Due  to  United  States  export  control  laws,   encryption
     strength  available  on ESP varies for versions of the SunOS
     sold outside the United States.
