ipsecesp, ESP - IPsec Encapsulating Security Payload




The ipsecesp module provides confidentiality, integrity, authentication,
and partial sequence integrity (replay protection) to IP datagrams. The
encapsulating security payload (ESP) encapsulates its data, enabling it
to protect data that follows in the datagram. For TCP packets, ESP
encapsulates the TCP header and its data only. If the packet is an IP in
IP datagram, ESP protects the inner IP datagram. Per-socket policy
allows "self-encapsulation" so ESP can encapsulate IP options when
necessary. See ipsec(4P).

Unlike the authentication header (AH), ESP allows multiple varieties of
datagram protection. (Using a single datagram protection form can expose
vulnerabilities.) For example, only ESP can be used to provide
confidentiality. But protecting confidentiality alone exposes
vulnerabilities in both replay attacks and cut-and-paste attacks.
Similarly, if ESP protects only integrity and does not fully protect
against eavesdropping, it may provide weaker protection than AH. See

ESP Device

ESP is implemented as a module that is auto-pushed on top of IP. Use the
/dev/ipsecesp entry to tune ESP with ndd(8).


ESPuses encryption and authentication algorithms. Authentication
algorithms include HMAC-MD5 and HMAC-SHA-1. Encryption algorithms include
DES, Triple-DES, Blowfish and AES. Each authentication and encryption
algorithm contain key size and key format properties. You can obtain a
list of authentication and encryption algorithms and their properties by
using the ipsecalgs(8) command. You can also use the functions described
in the getipsecalgbyname(3NSL) man page to retrieve the properties of
algorithms. Because of export laws in the United States, not all
encryption algorithms are available outside of the United States.

Security Considerations

ESP without authentication exposes vulnerabilities to cut-and-paste
cryptographic attacks as well as eavesdropping attacks. Like AH, ESP is
vulnerable to eavesdropping when used without confidentiality.


See attributes(7) for descriptions of the following attributes:

|Interface Stability | Evolving |


getipsecalgbyname(3NSL), ip(4P), ipsec(4P), ipsecah(4P), attributes(7),
ipsecalgs(8), ipsecconf(8), ndd(8)

Kent, S. and Atkinson, R. RFC 2406, IP Encapsulating Security Payload
(ESP), The Internet Society, 1998.

May 18, 2003 IPSECESP(4P)