Intended as a mechanism for anti-replay protection, the sequence number for subsequent transmissions increases in single steps from 1, and is never allowed to cycle. The receiver checks this field to verify that a packet for a Security Association bearing this number has not been received already.
The packet is rejected if one has been received.
The Payload Data is a variable-length data field containing the information described by the Next header field. This field is mandatory, and its length must be an integral number of bytes. Any algorithm requiring explicit, per-packet synchronization data to be used in encrypting the payload must indicate the payload data length, any structure for such data, and the location of this information as part of an RFC specification on how to use the algorithm with ESP.
As its name suggests, the ESP trailer comes after the data payload, and consists of three fields: padding, padding length, and the next header. To ensure that the ciphertext resulting from data packet encryption terminates on a 4-byte boundary (and regardless of any other requirements laid down by the encryption algorithm or block cipher), some padding in the 0 to bytes range is used for bit alignment. The 4-byte boundary condition is necessary to ensure the correct positioning of the Authentication data field, if present.
The padding length is an 8-bit figure which specifies the length of the Padding field in bytes. See Section 3. The Payload Data field is mandatory and is an integral number of bytes in length.
If the algorithm used to encrypt the payload requires cryptographic synchronization data, e. See Figure 2. Any encryption algorithm that requires such explicit, per-packet synchronization data MUST indicate the length, any structure for such data, and the location of this data as part of an RFC specifying how the algorithm is used with ESP.
Typically, the IV immediately precedes the ciphertext. If included in the Payload field, cryptographic synchronization data, e. For IPv4, this alignment is a multiple of 4 bytes. For IPv6, the alignment is a multiple of 8 bytes. With regard to ensuring the alignment of the real ciphertext in the presence of an IV, note the following: For some IV-based modes of operation, the receiver treats the IV as the start of the ciphertext, feeding it into the algorithm directly.
In these modes, alignment of the start of the real ciphertext is not an issue at the receiver. In these cases, the algorithm specification MUST address how alignment of the real ciphertext is to be achieved.
Padding (for Encryption)
Two primary factors require or motivate use of the Padding field. Specifically, the Pad Length and Next Header fields must be right aligned within a 4-byte word, as illustrated in the ESP packet format figures above, to ensure that the ICV field (if present) is aligned on a 4-byte boundary.
Padding beyond that required for the algorithm or alignment reasons cited above could be used to conceal the actual length of the payload, in support of TFC.
However, the Padding field described is too limited to be effective for TFC and thus should not be used for that purpose. Instead, the separate mechanism described below see Section 2. The sender MAY add 0 to bytes of padding. Inclusion of the Padding field in an ESP packet is optional, subject to the requirements noted above, but all implementations MUST support generation and consumption of padding.
If a combined algorithm mode requires transmission of the SPI and Sequence Number to effect integrity, e. If a combined mode algorithm is used, any replicated data and ICV-equivalent data are included in the Payload Data covered by the padding computation.
If Padding bytes are needed but the encryption algorithm does not specify the padding contents, then the following default processing MUST be used. The Padding bytes are initialized with a series of unsigned, 1-byte integer values. The first padding byte appended to the plaintext is numbered 1, with subsequent padding bytes making up a monotonically increasing sequence: 1, 2, 3, ... This scheme was selected because of its relative simplicity, ease of implementation in hardware, and because it offers limited protection against certain forms of "cut and paste" attacks in the absence of other integrity measures, if the receiver checks the padding values upon decryption.
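The default padding scheme and the receiver-side check it enables, as an added example (not code from the RFC or from any IPsec implementation). The function names, the `block_size` parameter and the sample payload are constructed for illustration; the Pad Length limit follows from the field being 8 bits wide.

```python
import math


def build_esp_plaintext(payload: bytes, next_header: int, block_size: int = 4) -> bytes:
    """Append default padding (1, 2, 3, ...), Pad Length and Next Header.

    block_size is the cipher's padding modulus (hypothetical parameter name).
    The result must satisfy both that modulus and the 4-byte alignment rule.
    """
    align = math.lcm(block_size, 4)
    # The two trailer bytes (Pad Length, Next Header) count toward alignment.
    pad_len = -(len(payload) + 2) % align
    if pad_len > 0xFF:
        raise ValueError("padding does not fit the 8-bit Pad Length field")
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def parse_esp_plaintext(plaintext: bytes) -> tuple[bytes, int]:
    """Strip the trailer after decryption, checking the padding values.

    Returns (payload, next_header); raises ValueError on a malformed trailer.
    """
    if len(plaintext) < 2:
        raise ValueError("too short to hold Pad Length and Next Header")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("Pad Length exceeds the decrypted data")
    pad_start = len(plaintext) - 2 - pad_len
    # The receiver-side check that gives the limited "cut and paste" protection.
    if plaintext[pad_start:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not the sequence 1, 2, 3, ...")
    return plaintext[:pad_start], next_header


if __name__ == "__main__":
    sample = b"constructed payload"  # constructed sample input, 19 bytes
    framed = build_esp_plaintext(sample, next_header=6, block_size=16)
    print(len(framed), framed[-2], parse_esp_plaintext(framed))
```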
If an encryption or combined mode algorithm imposes constraints on the values of the bytes used for padding, they MUST be specified by the RFC defining how the algorithm is employed with ESP.
Pad Length
The Pad Length field indicates the number of pad bytes immediately preceding it in the Padding field.
The range of valid values is 0 to , where a value of zero indicates that no Padding bytes are present. As noted above, this does not include any TFC padding bytes. The Pad Length field is mandatory.
Next Header
The Next Header is a mandatory, 8-bit field that identifies the type of data contained in the Payload Data field, e. To facilitate the rapid generation and discarding of the padding traffic in support of traffic flow confidentiality see Section 2.
A transmitter MUST be capable of generating dummy packets marked with this value in the next protocol field, and a receiver MUST be prepared to discard such packets, without indicating an error. Dummy packets are discarded without prejudice. The controls should allow the user to specify if this feature is to be used and also provide parametric controls; for example, the controls might allow an administrator to generate random-length or fixed-length dummy packets.
One can also "shape" the actual traffic to match some distribution to which dummy traffic is added as dictated by the distribution parameters. As with the packet length padding facility for Traffic Flow Security (TFS), the most secure approach would be to generate dummy packets at whatever rate is needed to maintain a constant rate on an SA.
If packets are all the same size, then the SA presents the appearance of a constant bit rate data stream, analogous to what a link crypto would offer at layer 1 or 2. However, this is unlikely to be practical in many contexts, e. This generally will not be adequate to hide traffic characteristics relative to traffic flow confidentiality requirements. An optional field, within the payload data, is provided specifically to address the TFC requirement. However, this padding (hereafter referred to as TFC padding) can be added only if the Payload Data field contains a specification of the length of the IP datagram.
This is always true in tunnel mode, and may be true in transport mode depending on whether the next layer protocol e. This length information will enable the receiver to discard the TFC padding, because the true length of the Payload Data will be known. No requirements for the value of this padding are established by this standard. In principle, existing IPsec implementations could have made use of this capability previously, in a transparent fashion.
However, because receivers may not have been prepared to deal with this padding, the SA management protocol MUST negotiate this service prior to a transmitter employing it, to ensure backward compatibility. Combined with the convention described in Section 2.
The controls should allow the user to specify if this feature is to be used and also provide parametric controls for the feature. The ICV field is optional. It is present only if the integrity service is selected and is provided by either a separate integrity algorithm or a combined mode algorithm that uses an ICV.
Encapsulating Security Protocol Processing 3. In the context of IPv4, this translates to placing ESP after the IP header (and any options that it contains), but before the next layer protocol. The following diagram illustrates ESP transport mode positioning for a typical IPv4 packet, on a "before and after" basis. Destination options extension header(s) could appear before, after, or both before and after the ESP header depending on the semantics desired.
Special care is required to perform such operations within these implementations when multiple interfaces are in use. Mixed inner and outer IP versions are allowed, i.
Algorithms
The mandatory-to-implement algorithms for use with ESP are described in a separate RFC, to facilitate updating the algorithm requirements independently from the protocol per se. Because IP packets may arrive out of order, and not all packets may arrive (packet loss), each packet must carry any data required to allow the receiver to establish cryptographic synchronization for decryption.
This data may be carried explicitly in the payload field, e. Note that if plaintext header information is used to derive an IV, that information may become security critical and thus the protection boundary associated with the encryption process may grow. For example, if one were to use the ESP Sequence Number to derive an IV, the Sequence Number generation logic (hardware or software) would have to be evaluated as part of the encryption algorithm implementation.
Because ESP makes provision for padding of the plaintext, encryption algorithms employed with ESP may exhibit either block or stream mode characteristics. Note that because encryption (confidentiality) MAY be an optional service e. To allow an ESP implementation to compute the encryption padding required by a block mode encryption algorithm, and to determine the MTU impact of the algorithm, the RFC for each encryption algorithm used with ESP must specify the padding modulus for the algorithm.
As was the case for encryption algorithms, any integrity algorithm employed with ESP must make provisions to permit processing of packets that arrive out of order and to accommodate packet loss. The same admonition noted above applies to use of any plaintext data to facilitate receiver synchronization of integrity algorithms. To allow an ESP implementation to compute any implicit integrity algorithm padding required, the RFC for each algorithm used with ESP must specify the padding modulus for the algorithm.
Combined Mode Algorithms
If a combined mode algorithm is employed, both confidentiality and integrity services are provided. As was the case for encryption algorithms, a combined mode algorithm must make provisions for per-packet cryptographic synchronization, to permit decryption of packets that arrive out of order and to accommodate packet loss. The means by which a combined mode algorithm provides integrity for the payload, and for the SPI and Extended Sequence Number fields, may vary for different algorithm choices.
In order to provide a uniform, algorithm-independent approach to invocation of combined mode algorithms, no payload substructure is defined. None of these details should be observable externally. To allow an ESP implementation to determine the MTU impact of a combined mode algorithm, the RFC for each algorithm used with ESP must specify a simple formula that yields encrypted payload size, as a function of the plaintext payload and sequence number sizes.
The process of determining what, if any, IPsec processing is applied to outbound traffic is described in the Security Architecture document.
Packet Encryption and Integrity Check Value (ICV) Calculation
In this section, we speak in terms of encryption always being applied because of the formatting implications. There are several algorithmic options.
Separate Confidentiality and Integrity Algorithms
If separate confidentiality and integrity algorithms are employed, the Sender proceeds as follows:
1. Encapsulate (into the ESP Payload field):
- for transport mode -- just the original next layer protocol information.
Encrypt the result using the key, encryption algorithm, and algorithm mode specified for the SA and using any required cryptographic synchronization data. This order of processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver, prior to decrypting the packet, hence potentially reducing the impact of denial of service (DoS) attacks. It also allows for the possibility of parallel processing of packets at the receiver, i.
Note that because the ICV is not protected by encryption, a keyed integrity algorithm must be employed to compute the ICV. Note that the last 4 fields will be in ciphertext form, because encryption is performed first. If the ESN option is enabled for the SA, the high-order 32 bits of the sequence number are appended after the Next Header field for purposes of this computation, but are not transmitted.
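The encrypt-then-ICV ordering, the untransmitted ESN high-order bits, and the receiver's duplicate check, as an added example (not code from the RFC or from any IPsec implementation). HMAC-SHA-256 truncated to 16 bytes, the `seq_hi` argument supplied by the caller, and the set used in place of a real replay check are assumptions; encryption itself is left out and the ciphertext is treated as opaque bytes.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # assumption: HMAC-SHA-256 output truncated to 16 bytes


def compute_icv(key: bytes, spi: int, seq64: int, ciphertext: bytes) -> bytes:
    """ICV over SPI, low 32 sequence bits, ciphertext, then ESN high 32 bits."""
    covered = struct.pack("!II", spi, seq64 & 0xFFFFFFFF) + ciphertext
    covered += struct.pack("!I", seq64 >> 32)  # appended for the ICV, never sent
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def protect(key: bytes, spi: int, seq64: int, ciphertext: bytes) -> bytes:
    """Sender side: encryption already done, ICV computed last and appended."""
    header = struct.pack("!II", spi, seq64 & 0xFFFFFFFF)
    return header + ciphertext + compute_icv(key, spi, seq64, ciphertext)


class Receiver:
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.seen = set()  # simplification: stands in for the replay check

    def accept(self, packet: bytes, seq_hi: int) -> bytes:
        """Return the ciphertext for decryption, or raise ValueError."""
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("packet too short")
        spi, seq_lo = struct.unpack("!II", packet[:8])
        ciphertext, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        seq64 = (seq_hi << 32) | seq_lo
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq64 in self.seen:
            raise ValueError("replayed sequence number")
        expected = compute_icv(self.key, spi, seq64, ciphertext)
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")
        self.seen.add(seq64)  # recorded only after the ICV verifies
        return ciphertext
```

Both rejections happen before any decryption is attempted, which is the property the processing order above is meant to give the receiver.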
This padding is added after the Next Header field, or after the high-order 32 bits of the sequence number, if ESN is selected. The block size and hence the length of the padding is specified by the integrity algorithm specification.
Why does ESP include a padding field?
If an encryption algorithm requires the plaintext to be a multiple of some number of bytes e. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this alignment. Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.
What are the basic approaches to bundling SAs?
Ans:
Transport adjacency: Refers to applying more than one security protocol to the same IP packet, without invoking tunneling. This approach to combining AH and ESP allows for only one level of combination; further nesting yields no added benefit since the processing is performed at one IPSec instance: the ultimate destination.
Iterated tunneling: Refers to the application of multiple layers of security protocols effected through IP tunneling. This approach allows for multiple levels of nesting, since each tunnel can originate or terminate at a different IPSec site along the path.