IP Encapsulating Security Payload (ESP)

The IP Encapsulating Security Payload provides privacy: it encrypts the data it carries. Encryption alone does not detect modification of the ciphertext, so integrity and authentication of the sender come from the optional ESP authentication field, or from combining ESP with an IP Authentication Header. ESP takes the data carried by IP, such as a TCP segment, encrypts it using a symmetric key, and encapsulates it with header information (a Security Parameters Index and a sequence number) so that the receiving IPSec entity can locate the right key and decrypt it. HP's IPSec/9000 supports the Data Encryption Standard in Cipher Block Chaining mode (DES-CBC) and Triple-DES CBC (3DES-CBC; J4256AA only) as encryption algorithms. Note that DES uses a 56-bit key, which is within reach of a brute-force search; where the J4256AA product is available, 3DES-CBC is the stronger choice.

Transport and Tunnel Modes

The IPSec headers (AH and ESP) can be used in transport mode
or tunnel mode. In transport mode, the original IP header is followed by the AH or ESP header. If ESP is used in transport mode, only the upper-layer protocol data (for example, a TCP, UDP or IGMP packet) is encrypted. The IP header, and the ESP header itself, travel in the clear, so the addresses of the communicating hosts remain visible.

In tunnel mode, the original IP datagram, including the original IP header, is enclosed (encapsulated) within a second IP datagram. If ESP is used in tunnel mode, the whole original datagram, including the original header, is encrypted. When ESP tunnel mode is used between gateways, the outer, unencrypted IP header carries the IP addresses of the gateways, and the inner, encrypted IP header carries the ultimate source and destination addresses. An eavesdropper therefore sees only gateway-to-gateway traffic and cannot tell which hosts behind the gateways are talking to each other (packet sizes and timing remain observable).

When ESP is used with the optional ESP authentication
field, an authentication value is calculated over the encrypted data (together with the ESP header) using a symmetric authentication key and appended to the end of the packet. The recipient computes its own authentication value from the same shared secret key and the received ciphertext, and compares the result with the transmitted value; this comparison should be made before any decryption is attempted, and in a way that does not leak timing information about how many bytes matched. If the values match, the recipient is assured that the sender knows the shared secret key, which authenticates the sender, and that the encrypted data was not altered in transit. If they do not match, the packet is discarded.

IP Authentication Header (AH)
The IP Authentication Header (AH) provides integrity and authentication but no privacy: the IP data is not encrypted. The AH contains an authentication value computed with a keyed hash (HMAC) under a symmetric key. All fields of the IP datagram that are immutable (that is, do not change in transit) are included in the calculation: the IP header, the AH and any other headers, and the user data. IP fields or options that legitimately change in transit, such as the IPv4 time-to-live (the hop count in IPv6), the type of service, and the header checksum, are set to zero for the calculation, as is the authentication value field itself; a router decrementing the TTL therefore does not break the check, while any change to an address, a port, or the payload does. HP's IPSec/9000 supports HMAC-SHA1 (built on the U.S. government's Secure Hash Algorithm) and HMAC-MD5 (built on RSA Data Security's Message Digest 5) as the keyed hash algorithms for AH; of the two, HMAC-SHA1 is the stronger choice.
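As an added worked example, not code from the HP-UX IPSec/9000 product or from this manual, the following Python builds ESP datagrams in transport and tunnel mode with the optional authentication field (the section on ESP above) and AH datagrams with the mutable fields zeroed (the section on AH above), then verifies them. It shows what each mode leaves visible on the wire, that the ESP authentication value is checked before decryption, and that an AH check survives a TTL decrement but not a change to an address or the payload. The addresses, keys, SPIs and TCP segment are invented; HMAC-SHA1-96 is real, but the encryption step is a labelled stand-in keystream, not DES-CBC, so the code runs without a DES library.

```python
"""Constructed example: ESP (transport/tunnel mode, optional authentication
field) and AH datagram construction and verification.  Field layouts follow
RFC 2402/2406 and the ICV is HMAC-SHA1-96.  The "cipher" below is a stand-in
keystream XOR, NOT DES-CBC and NOT secure; it only lets the example run.
All addresses, keys and the TCP segment are made up."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def hmac_sha1_96(key, data):
    """HMAC-SHA1 truncated to 96 bits, the ICV length IPSec uses."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def stand_in_cipher(key, data):
    """Stand-in for DES-CBC: symmetric XOR with a SHA-1 keystream. Not a cipher."""
    out = bytearray()
    for i in range(0, len(data), 20):
        keystream = hashlib.sha1(key + struct.pack("!I", i)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 20], keystream))
    return bytes(out)


# ESP: SPI, seq | encrypted(payload, padding, pad len, next header) | ICV
def esp_encapsulate(enc_key, auth_key, spi, seq, inner, next_header):
    pad_len = (8 - (len(inner) + 2) % 8) % 8           # DES block size is 8
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = stand_in_cipher(enc_key, inner + trailer)
    icv = hmac_sha1_96(auth_key, header + body)        # covers all but the ICV
    return header + body + icv


def esp_decapsulate(enc_key, auth_key, esp):
    """Returns (spi, seq, next_header, plaintext); raises ValueError on bad ICV."""
    header, body, icv = esp[:8], esp[8:-12], esp[-12:]
    # Constant-time check, and it happens before any decryption is attempted.
    if not hmac.compare_digest(icv, hmac_sha1_96(auth_key, header + body)):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack("!II", header)
    plain = stand_in_cipher(enc_key, body)
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:-(pad_len + 2)]


def esp_transport(enc_key, auth_key, src, dst, segment):
    """Original IP header, then ESP; only the TCP segment is encrypted."""
    esp = esp_encapsulate(enc_key, auth_key, 0x1000, 1, segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def esp_tunnel(enc_key, auth_key, gw_src, gw_dst, src, dst, segment):
    """Whole original datagram encrypted inside a gateway-to-gateway datagram."""
    inner = ipv4_header(src, dst, IPPROTO_TCP, len(segment)) + segment
    esp = esp_encapsulate(enc_key, auth_key, 0x2000, 1, inner, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def outer_addresses(datagram):
    """What an eavesdropper reads from the unencrypted outer IP header."""
    return socket.inet_ntoa(datagram[12:16]), socket.inet_ntoa(datagram[16:20])


# AH: IP header | next hdr, len, reserved, SPI, seq, ICV (24 bytes) | payload
def ah_icv_input(ip_hdr, ah_hdr, payload):
    """Datagram copy with mutable IPv4 fields and the ICV field zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                # type of service
    h[6:8] = b"\0\0"        # flags and fragment offset
    h[8] = 0                # time to live
    h[10:12] = b"\0\0"      # header checksum
    a = bytearray(ah_hdr)
    a[12:24] = bytes(12)    # the authentication value itself
    return bytes(h) + bytes(a) + payload


def ah_transport(auth_key, src, dst, segment, spi=0x3000, seq=1, ttl=64):
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, seq) + bytes(12)  # len=(24/4)-2
    ip = ipv4_header(src, dst, IPPROTO_AH, len(ah) + len(segment), ttl)
    icv = hmac_sha1_96(auth_key, ah_icv_input(ip, ah, segment))
    return ip + ah[:12] + icv + segment


def ah_verify(auth_key, datagram):
    ip, ah, payload = datagram[:20], datagram[20:44], datagram[44:]
    expected = hmac_sha1_96(auth_key, ah_icv_input(ip, ah, payload))
    return hmac.compare_digest(ah[12:24], expected)


if __name__ == "__main__":
    ek, ak, seg = b"des-key8", b"a" * 20, b"\x04\xd2\x00\x50GET / HTTP/1.0\r\n"
    t = esp_transport(ek, ak, "10.1.1.1", "10.2.2.2", seg)
    u = esp_tunnel(ek, ak, "192.0.2.1", "198.51.100.1", "10.1.1.1", "10.2.2.2", seg)
    print("transport shows", outer_addresses(t), "tunnel shows", outer_addresses(u))
    d = ah_transport(ak, "10.1.1.1", "10.2.2.2", seg)
    d = d[:8] + bytes([d[8] - 1]) + d[9:]              # a router decrements TTL
    print("AH still verifies after TTL change:", ah_verify(ak, d))
```

Running the module prints the gateway addresses for the tunnel-mode datagram and the host addresses for the transport-mode one; `esp_decapsulate` refuses a datagram whose ciphertext was touched without ever running the cipher over it, and `ah_verify` accepts the TTL-decremented datagram while rejecting one whose destination address or payload was changed.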