SunOS man pages : ipsecesp (7)
Protocols ipsecesp(7P)
NAME
ipsecesp, ESP - IPsec Encapsulating Security Payload
SYNOPSIS
drv/ipsecesp
DESCRIPTION
The ipsecesp module provides confidentiality, integrity,
authentication, and partial sequence integrity (replay
protection) to IP datagrams. The Encapsulating Security
Payload ("ESP") protects only what it encapsulates, that is,
the data that follows the ESP header in the datagram; the
outer IP header and any IP options that precede ESP are not
covered. If the packet is a TCP packet, ESP encapsulates
only the TCP header and its data. If the packet is an IP in
IP datagram, ESP protects the inner IP datagram. Per-socket
policy allows "self-encapsulation", so that ESP can
encapsulate IP options when it needs to. See ipsec(7P).
Unlike the Authentication Header ("AH"), ESP allows multiple
kinds of datagram protection, and relying on a single one of
them can expose vulnerabilities. For example, only ESP can
provide confidentiality, but confidentiality alone leaves a
datagram open to both replay attacks and cut-and-paste
attacks. Similarly, if ESP protects only integrity and does
not protect against eavesdropping, it may provide weaker
protection than AH, which also authenticates the immutable
fields of the outer IP header. See ipsecah(7P).
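The replay protection referred to above (the "partial sequence integrity" of the DESCRIPTION) is the anti-replay sliding window of RFC 2401 Appendix C. The Go program below is an added illustration written for this page; it is not the Solaris ipsecesp code. The window size, the type and function names, and the trace of sequence numbers fed through it in main are assumptions of the example. The receiver accepts each sequence number once, tolerates reordering inside the window, and rejects anything older than the window. The check is only meaningful after the packet's ICV has verified, which is why ESP's replay protection requires its authentication option: an attacker must not be able to advance the window with forged sequence numbers.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration of ESP anti-replay (RFC 2401 Appendix C). Not the Solaris
// ipsecesp module; window size and the sample trace are constructed for the demo.
const winSize = 64

var errReplay = errors.New("esp: replayed or too-old sequence number, packet discarded")

// ReplayWindow tracks which of the last winSize sequence numbers were accepted.
// Bit d of window is set when sequence number highSeq-d has already been seen.
type ReplayWindow struct {
	highSeq uint32
	window  uint64
}

// Check admits seq exactly once and tolerates reordering inside the window.
// Call it only after the packet's ICV has verified.
func (w *ReplayWindow) Check(seq uint32) error {
	if seq == 0 { // the first packet on an SA carries 1; 0 is never valid
		return errReplay
	}
	if seq > w.highSeq { // newer than anything seen: slide the window forward
		if d := seq - w.highSeq; d < winSize {
			w.window <<= d
		} else {
			w.window = 0
		}
		w.window |= 1
		w.highSeq = seq
		return nil
	}
	d := w.highSeq - seq
	if d >= winSize { // too old to track: treat as a replay
		return errReplay
	}
	if w.window&(1<<d) != 0 { // already accepted once
		return errReplay
	}
	w.window |= 1 << d
	return nil
}

// Run feeds observed sequence numbers through one window and reports, per
// packet, whether it was accepted. It stands in for the receiver's ESP input path.
func Run(seqs []uint32) []bool {
	var w ReplayWindow
	out := make([]bool, len(seqs))
	for i, s := range seqs {
		out[i] = w.Check(s) == nil
	}
	return out
}

func main() {
	// Constructed trace: in-order delivery, one reordered packet, one replayed
	// packet, a jump far beyond the window, then the window's lower edge.
	seqs := []uint32{1, 2, 3, 5, 4, 3, 200, 150, 137, 136}
	for i, ok := range Run(seqs) {
		fmt.Printf("seq %3d -> accepted=%v\n", seqs[i], ok)
	}
}
```

With a 64-entry window and 200 as the highest sequence number seen, 137 (64 behind minus one) is still accepted and 136 is rejected as too old; the earlier duplicate 3 is rejected because its bit is already set.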
Algorithms and the ESP Device
ESP is implemented as a module that is auto-pushed on top of
IP. Use the /dev/ipsecesp entry to tune ESP with ndd(1M),
and to allow future algorithms to be loaded on top of ESP.
ESP allows encryption algorithms to be pushed on top of it,
in addition to the authentication algorithms that can be
used in AH. Authentication algorithms include HMAC-MD5 and
HMAC-SHA-1; see authmd5h(7M) and authsha1(7P). Encryption
algorithms include DES and Triple-DES; see encrdes(7M) and
encr3des(7M). Each authentication and encryption algorithm
has its own key size and key format properties. Because of
export laws in the United States, not all encryption
algorithms are available outside the United States.
Security Considerations
ESP used without authentication is vulnerable to
cut-and-paste cryptographic attacks, in which ciphertext
blocks from one datagram are spliced into another datagram
on the same security association and the receiver decrypts
and delivers the result. Without an integrity check the
sequence number cannot be trusted either, so replay
protection depends on authentication being enabled. ESP
used without encryption gives no protection against
eavesdropping. When ESP is used without confidentiality, it
is as vulnerable to replay as AH is. Single DES has a
56-bit key and is within reach of brute-force key search;
prefer Triple-DES where it is available.
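The cut-and-paste attack named here and in the DESCRIPTION, as an added example that is not part of this man page or of the Solaris ipsecesp module: a toy Go implementation of the ESP packet layout of RFC 2406 (SPI, sequence number, IV, CBC ciphertext of payload plus trailer, optional ICV), using DES-CBC for confidentiality and HMAC-SHA-1 truncated to 96 bits (RFC 2404) for the ICV. The type and function names, the key material, the fixed IVs and the two sample payloads are constructed for the example. Without an ICV the receiver decrypts a packet whose last three ciphertext blocks were copied from another packet on the same SA and delivers a datagram that mixes the two, with a single garbled block where the splice begins; with an ICV the same splice is rejected before anything is decrypted.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Toy ESP after RFC 2406: SPI(4) | Seq(4) | IV(8) | DES-CBC(payload|pad|padlen|nexthdr) | [ICV(12)].
// Written for this page as an illustration; it is not the Solaris ipsecesp module.
const blockSize, icvLen = des.BlockSize, 12 // DES block; HMAC-SHA-1 ICV truncated to 96 bits (RFC 2404)
var errAuth, errFormat = errors.New("esp: ICV mismatch, packet discarded"), errors.New("esp: malformed packet")

// SA is a toy security association; AuthKey == nil models ESP without authentication.
type SA struct {
	SPI, seq uint32 // seq: last sequence number sent
	EncKey   []byte // 8-byte DES key (constructed demo material)
	AuthKey  []byte // HMAC-SHA-1 key, or nil
}

func (sa *SA) icv(authed []byte) []byte { // HMAC over SPI..ciphertext, truncated to 96 bits
	m := hmac.New(sha1.New, sa.AuthKey)
	m.Write(authed)
	return m.Sum(nil)[:icvLen]
}

// Encap pads to the block size, encrypts, and appends an ICV if the SA has an auth key.
func (sa *SA) Encap(iv, payload []byte) ([]byte, error) {
	c, err := des.NewCipher(sa.EncKey)
	if err != nil || len(iv) != blockSize {
		return nil, errFormat
	}
	sa.seq++
	padLen := (blockSize - (len(payload)+2)%blockSize) % blockSize
	plain := append([]byte(nil), payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // default ESP padding 1,2,3,...
	}
	plain = append(plain, byte(padLen), 6) // pad length, next header = TCP
	pkt := make([]byte, 16+len(plain))
	binary.BigEndian.PutUint32(pkt[0:4], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:8], sa.seq)
	copy(pkt[8:16], iv)
	cipher.NewCBCEncrypter(c, iv).CryptBlocks(pkt[16:], plain)
	if sa.AuthKey != nil {
		pkt = append(pkt, sa.icv(pkt)...)
	}
	return pkt, nil
}

// Decap verifies the ICV first (when the SA has one) and only then decrypts and strips the trailer.
func (sa *SA) Decap(pkt []byte) ([]byte, error) {
	n := len(pkt)
	if sa.AuthKey != nil {
		n -= icvLen
	}
	c, err := des.NewCipher(sa.EncKey)
	if err != nil || n < 24 || n%blockSize != 0 {
		return nil, errFormat
	}
	if sa.AuthKey != nil && !hmac.Equal(pkt[n:], sa.icv(pkt[:n])) {
		return nil, errAuth // spliced or modified ciphertext never reaches the decryptor
	}
	plain := make([]byte, n-16)
	cipher.NewCBCDecrypter(c, pkt[8:16]).CryptBlocks(plain, pkt[16:n])
	if padLen := int(plain[len(plain)-2]); padLen+2 <= len(plain) {
		return plain[:len(plain)-2-padLen], nil
	}
	return nil, errFormat
}

// CutAndPaste is the attacker's splice: the last n ciphertext blocks of b overwrite the last n of a.
// Same SA, same key: in CBC only the first pasted block decrypts to garbage, the rest are b's plaintext.
func CutAndPaste(a, b []byte, n int, hasICV bool) []byte {
	out, t := append([]byte(nil), a...), 0
	if hasICV {
		t = icvLen
	}
	copy(out[len(out)-t-n*blockSize:len(out)-t], b[len(b)-t-n*blockSize:len(b)-t])
	return out
}

func main() {
	for _, auth := range []bool{false, true} {
		sa := &SA{SPI: 0x1001, EncKey: []byte("k3y-des!")}
		if auth {
			sa.AuthKey = []byte("hmac-key")
		}
		iv := []byte("iv-for-Aiv-for-B") // fixed for the demo; a real sender uses random IVs
		a, _ := sa.Encap(iv[:8], []byte("GET /public/index.html HTTP/1.0"))
		b, _ := sa.Encap(iv[8:], []byte("session=7d3f9a;role=admin;ok=1"))
		got, err := sa.Decap(CutAndPaste(a, b, 3, auth))
		fmt.Printf("auth=%v: receiver delivers %q, err=%v\n", auth, got, err)
	}
}
```

Run with go run: the no-ICV case prints the first two blocks of the first payload, eight bytes of garbage, and then "ole=admin;ok=1" from the second payload, accepted as a valid datagram; the ICV case prints the ICV-mismatch error and no plaintext. The ordering inside Decap is the point to take away: the ICV is checked over the whole ESP header and ciphertext before decryption, so unauthenticated bytes never reach the decryptor, and the same check is what makes the sequence number trustworthy for replay detection.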
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
SunOS 5.8 Last change: 16 Feb 1999
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsr (32-bit) |
|_____________________________|_____________________________|
| | SUNWcsrx (64-bit) |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
ipsecconf(1M), ndd(1M), attributes(5), authmd5h(7M),
authsha1(7P), encrdes(7M), encr3des(7M), ip(7P), ipsec(7P),
ipsecah(7P)
Kent, S. and Atkinson, R. RFC 2406, IP Encapsulating
Security Payload (ESP), The Internet Society, 1998.
NOTES
Due to United States export control laws, the encryption
strength available on ESP is weaker in versions of SunOS
sold outside the United States.