ipsecesp, ESP - IPsec Encapsulating Security Payload
The ipsecesp module provides confidentiality, integrity,
authentication, and partial sequence integrity (replay
protection) to IP datagrams. The Encapsulating Security
Payload (ESP) encapsulates its data, so it protects only
what follows the ESP header in the datagram. For TCP
packets in transport mode, ESP encapsulates the TCP header
and its data only; the outer IP header is not covered. If
the packet is an IP-in-IP datagram (tunnel mode), ESP
protects the whole inner IP datagram, including the inner
IP header. Per-socket policy allows "self-encapsulation" so
that ESP can encapsulate IP options when necessary. See
ipsec(7P).
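The header layout and the "partial sequence integrity" check described above, as an added example (not code from the ipsecesp module): the SPI and sequence number are the only cleartext fields, everything after them is the protected region, and the receiver keeps a sliding window of sequence numbers so that a captured packet cannot be replayed. The packet bytes, SPI and sequence numbers are constructed for illustration; the window follows the algorithm in RFC 2406 Appendix C.

```python
"""ESP header layout and the anti-replay window.

Added example; this is not code from the Solaris ipsecesp module. The
packet bytes, SPI and sequence numbers below are constructed for
illustration. The window follows the algorithm in RFC 2406 Appendix C.
"""
import struct

# The only cleartext fields of an ESP packet: SPI and sequence number.
ESP_HDR = struct.Struct("!II")


def build_esp(spi: int, seq: int, protected: bytes) -> bytes:
    """Prepend the ESP header to an (already encrypted) payload + ICV."""
    return ESP_HDR.pack(spi, seq) + protected


def parse_esp_header(pkt: bytes):
    """Return (spi, seq, remainder); the remainder is the protected
    region, so in transport mode it holds the TCP header and data, in
    tunnel mode the whole inner IP datagram."""
    if len(pkt) < ESP_HDR.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HDR.unpack_from(pkt)
    return spi, seq, pkt[ESP_HDR.size:]


class ReplayWindow:
    """Sliding anti-replay window of `size` sequence numbers.

    `last` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (last - i) has been received.
    The receiver must run this check only after the ICV verifies,
    otherwise a forger could advance the window with junk packets.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.last = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:                       # 0 is never a valid sequence number
            return False
        if seq > self.last:                # to the right: slide the window
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1            # everything in the old window expired
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:              # to the left of the window: too old
            return False
        if self.bitmap & (1 << diff):      # already seen: replay
            return False
        self.bitmap |= 1 << diff           # late but new: accept once
        return True


def accept_sequence(seqs, size: int = 64):
    """Run received sequence numbers through one window and return the
    (seq, accepted) decision for each."""
    w = ReplayWindow(size)
    return [(s, w.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    pkt = build_esp(0x1234ABCD, 7, b"<encrypted TCP header+data><ICV>")
    print(parse_esp_header(pkt))
    # 2 is replayed, 5 arrives after the window moved past it, 150 is
    # late but unseen, the second 150 is a replay.
    for seq, ok in accept_sequence([1, 2, 3, 2, 70, 5, 200, 150, 150, 201]):
        print(seq, "accept" if ok else "DROP")
```

The window is "partial" sequence integrity: it rejects duplicates and packets older than the window, but it does not force in-order delivery, which is why a late packet inside the window is still accepted once.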
Unlike the authentication header (AH), ESP allows several
combinations of datagram protection to be chosen, and using
only one form of protection can expose vulnerabilities. For
example, only ESP can provide confidentiality, but
confidentiality alone leaves the datagram open to replay
attacks and to cut-and-paste attacks on the ciphertext.
Similarly, ESP used for integrity only gives no protection
against eavesdropping, and because its integrity check does
not cover the outer IP header it may provide weaker
protection than AH. See ipsecah(7P).
Algorithms and the ESP Device
ESP is implemented as a module that is auto-pushed on top of
IP. Use the /dev/ipsecesp entry to tune ESP with ndd(1M), as
well as to allow future algorithms to be loaded on top of
ESP. ESP allows encryption algorithms to be pushed on top of
it, in addition to the authentication algorithms that can be
used in AH. Authentication algorithms include HMAC-MD5 and
HMAC-SHA-1. See authmd5h(7M) and authsha1(7M). Encryption
algorithms include DES, Triple-DES, Blowfish and AES. See
encrdes(7M), encr3des(7M), encrbfsh(7M) and encraes(7M).
Each authentication and encryption algorithm contains key
size and key format properties. Because of export laws in
the United States, not all encryption algorithms are
available outside of the United States.
ESP without authentication is exposed to cut-and-paste
cryptographic attacks, in which an attacker alters or
splices ciphertext without knowing the key, and through
them to disclosure of the protected data. Like AH, ESP is
vulnerable to eavesdropping when used without
confidentiality.
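The point of the preceding paragraph, as an added example that is not the ipsecesp module's code: an ESP payload that is encrypted but carries no integrity check value (ICV) can be modified by someone who never sees the key, and an HMAC-SHA1-96 ICV (RFC 2404, the construction behind authsha1) rejects the modified packet. Assumptions: the "cipher" is a keystream built from HMAC-SHA-1 in counter mode, a stand-in for the DES, Triple-DES, Blowfish and AES modules so the example runs with the Python standard library alone (with a CBC block cipher the analogous manipulation is splicing whole ciphertext blocks); the keys, SPI and inner payload are constructed.

```python
"""Encryption-only ESP is malleable; an HMAC-SHA1-96 ICV detects it.

Added example, not code from the Solaris ipsecesp module. The keystream
"cipher" below stands in for the page's block ciphers so the example is
stdlib-only; keys, SPI and the sample inner payload are constructed.
"""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number
ICV_LEN = 12                     # HMAC-SHA1-96: 160-bit tag truncated to 96 bits


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA-1(key, spi||seq||counter) blocks."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!III", spi, seq, ctr), hashlib.sha1).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encrypt(enc_key, payload, spi, seq, auth_key=None):
    """Build SPI||seq||ciphertext, plus an ICV over all of it if auth_key is set."""
    body = ESP_HDR.pack(spi, seq) + xor(payload, keystream(enc_key, spi, seq, len(payload)))
    if auth_key is None:
        return body
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]


def esp_decrypt(enc_key, pkt, auth_key=None):
    """Return the plaintext payload, or None if the ICV does not verify.
    The ICV is checked before any decryption, as a receiver must do."""
    body = pkt
    if auth_key is not None:
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expect = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):
            return None
    spi, seq = ESP_HDR.unpack_from(body)
    ct = body[ESP_HDR.size:]
    return xor(ct, keystream(enc_key, spi, seq, len(ct)))


def flip_payload(pkt, offset, old: bytes, new: bytes):
    """Attacker step: knowing only that plaintext bytes `old` sit at
    `offset`, turn them into `new` by XORing the ciphertext. No key needed."""
    start = ESP_HDR.size + offset
    patch = xor(pkt[start:start + len(old)], xor(old, new))
    return pkt[:start] + patch + pkt[start + len(old):]


# Constructed sample data.
ENC_KEY = b"constructed-encryption-key"
AUTH_KEY = b"constructed-authentication-key"
SPI, SEQ = 0x0C0FFEE, 7
MSG = b"PAY amount=00100 to=alice"   # constructed inner payload
OFF = MSG.index(b"00100")


def demo_encrypt_only():
    """Confidentiality only: the forged packet decrypts to an altered payload."""
    pkt = esp_encrypt(ENC_KEY, MSG, SPI, SEQ)
    forged = flip_payload(pkt, OFF, b"00100", b"99999")
    return esp_decrypt(ENC_KEY, forged)


def demo_with_icv():
    """Confidentiality + integrity: (genuine result, forged result)."""
    pkt = esp_encrypt(ENC_KEY, MSG, SPI, SEQ, AUTH_KEY)
    forged = flip_payload(pkt, OFF, b"00100", b"99999")
    return esp_decrypt(ENC_KEY, pkt, AUTH_KEY), esp_decrypt(ENC_KEY, forged, AUTH_KEY)


if __name__ == "__main__":
    print("encrypt-only, forged packet accepted as:", demo_encrypt_only())
    print("with ICV (genuine, forged):", demo_with_icv())
```

The receiver in `esp_decrypt` verifies the ICV before touching the ciphertext and uses a constant-time comparison; checking integrity after decrypting, or comparing tags with `==`, would reopen part of the exposure the ICV is meant to close.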
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Availability | SUNWcsr (32-bit) |
| | SUNWcarx (64-bit) |
| Interface Stability | Evolving |
ipsecconf(1M), ndd(1M), attributes(5), authmd5h(7M),
authsha1(7M), encrdes(7M), encr3des(7M), encrbfsh(7M),
encraes(7M), ip(7P), ipsec(7P), ipsecah(7P)
Kent, S. and Atkinson, R., RFC 2406, IP Encapsulating
Security Payload (ESP), The Internet Society, 1998.
Due to United States export control laws, encryption
strength available on ESP varies for versions of the SunOS
sold outside the United States.