Encapsulating Security Payload
Encapsulating Security Payload (ESP), IP protocol number 50, encrypts packet
payloads; authentication and integrity checking are optional and are added by
combining ESP with AH. ESP adds a header and a trailer to the packet. When ESP
is used with AH, the packet is encrypted first and then run through the hash
mechanism.
IPsec Modes
IPsec can operate in either Transport mode or Tunnel mode. The headers
differ based on the mode used:
■ Transport mode IPsec uses the original IP header. The data payload can
be encrypted, and the packet can be authenticated from the ESP header
back. Transport mode is often used with generic routing encapsulation
(GRE) tunnels, because GRE hides the original IP address.
■ Tunnel mode IPsec replaces the original IP header with a tunnel header.
The ESP header is placed after the new header, before the original one.
The original IP header can be encrypted along with the data payload,
and the packet can be authenticated from the ESP header back. Tunnel
mode adds about 20 bytes to the packet.
Figure 4-1 shows the packet headers in the two IPsec modes.
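The header ordering and coverage described above, as an added example that is not from the book: a Python model that lays out an ESP packet in transport and tunnel mode, builds the padded trailer, computes an integrity check value over "the ESP header back", and reports the extra bytes tunnel mode adds. The all-zero IPv4 header stand-ins, SPI, key and HMAC-SHA1-96 transform are assumptions; no cipher is applied, the function only reports the byte range a real ESP transform would encrypt.

```python
import hashlib
import hmac
import struct

IPV4_HDR_LEN = 20   # minimal IPv4 header (no options); this is the header tunnel mode adds
ESP_HDR_LEN = 8     # SPI (4 bytes) + sequence number (4 bytes)
ICV_LEN = 12        # truncated HMAC-SHA1-96 integrity check value (assumed transform)
NEXT_HDR_IPV4 = 4   # ESP next-header value when a whole IPv4 packet is encapsulated

def esp_pad_len(plaintext_len: int, align: int) -> int:
    """Pad so that plaintext + pad + pad-length byte + next-header byte ends on an align boundary."""
    return (-(plaintext_len + 2)) % align

def build_esp(orig_ip_hdr: bytes, data: bytes, orig_proto: int, mode: str,
              spi: int, seq: int, auth_key: bytes, align: int = 4) -> dict:
    """Lay out an ESP packet (plaintext form) and report which byte ranges each service covers."""
    if mode == "transport":                  # original IP header reused; only the data is protected
        outer_hdr, plaintext, next_hdr = orig_ip_hdr, data, orig_proto
    elif mode == "tunnel":                   # new outer header; the original header rides inside
        outer_hdr = bytes(IPV4_HDR_LEN)      # constructed stand-in for the tunnel header
        plaintext, next_hdr = orig_ip_hdr + data, NEXT_HDR_IPV4
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad_len = esp_pad_len(len(plaintext), align)
    esp_hdr = struct.pack("!II", spi, seq)
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])  # default pad bytes 1,2,3,...
    protected = esp_hdr + plaintext + trailer  # the ICV covers "from the ESP header back"
    icv = hmac.new(auth_key, protected, hashlib.sha1).digest()[:ICV_LEN]
    packet = outer_hdr + protected + icv
    start, end = len(outer_hdr), len(packet) - ICV_LEN
    return {
        "packet": packet,
        "encrypted": (start + ESP_HDR_LEN, end),   # payload + trailer; the ESP header stays in the clear
        "authenticated": (start, end),             # ESP header + encrypted region; outer IP header not covered
        "overhead": len(packet) - len(orig_ip_hdr) - len(data),
    }

def verify_icv(packet: bytes, outer_hdr_len: int, auth_key: bytes) -> bool:
    """Receiver side: recompute the ICV over the same region and compare in constant time."""
    expected = hmac.new(auth_key, packet[outer_hdr_len:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, packet[-ICV_LEN:])

def tunnel_extra_bytes(orig_ip_hdr: bytes, data: bytes, proto: int, key: bytes, align: int = 4) -> int:
    """Bytes tunnel mode adds beyond transport mode for the same inner packet (exactly 20 when padding matches)."""
    tun = build_esp(orig_ip_hdr, data, proto, "tunnel", 0x1001, 1, key, align)
    trn = build_esp(orig_ip_hdr, data, proto, "transport", 0x1001, 1, key, align)
    return tun["overhead"] - trn["overhead"]
```

With a 16-byte cipher block (align=16) the padding in the two modes differs, so the tunnel-mode difference lands near, rather than exactly at, the 20 bytes quoted in the text.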