
12.1. Introduction

The Encapsulating Security Payload (ESP) protocol provides the same authentication, data integrity, and antireplay protection that AH provides but adds the IPsec confidentiality function. In tunnel mode, ESP also provides limited protection from traffic analysis. The ESP specification is RFC 2406 [Kent and Atkinson 1998b].

Except for the data authenticated and the placement of the authentication data in the packet, the ESP authentication function is identical to that in AH. Given this, we might wonder why ESP has its own authentication function or even why, given that the data is encrypted, we need authentication at all. It happens that unauthenticated ESP is vulnerable to certain remarkably simple cut-and-paste attacks; see [Bellovin 1996] for details. Because of these attacks, ESP should always be authenticated, and therefore it makes sense to include the authentication function in ESP itself rather than require another set of SAs and another protocol header. As we shall see, ESP, unlike AH, does not authenticate the IP header (the outer IP header in tunnel mode), so it is sometimes useful to use AH in conjunction with ESP where the security model demands that the source address of an IP datagram be authenticated.

In [Ferguson and Schneier 1999], Ferguson and Schneier argue that there is no reason why the IP header needs to be authenticated at all. The receiver knows that the packet was sent by someone who knows the authentication key, so authenticating the IP header, which is merely used to route the packet, does not appear to add any security. In any event, an attacker who knows the authentication key can just as easily forge the IP header and authenticate the forgery. Another point concerning using AH and ESP in tunnel mode is that RFC 2401 [Kent and Atkinson 1998c] does not require that implementations support nested AH and ESP in tunnel mode.

Both authentication and encryption are optional in ESP, but at least one must be used. The particular encryption and authentication algorithms used are specified in the SA. Either of the two functions may be disabled by specifying the NULL algorithm.
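The following is an added illustration, not code from the book, of the two points made above: which bytes the ESP ICV covers (everything from the SPI through the ESP trailer, but not the IP header in front of it) and what an SA with the NULL encryption algorithm looks like on the wire. It assumes the NULL cipher with HMAC-SHA1-96 as the authenticator, and the key, addresses and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 keeps the first 96 bits of the HMAC-SHA1 output

def build_esp(spi, seq, payload, next_header, auth_key):
    """Lay out an ESP packet (RFC 2406) using the NULL cipher and an HMAC-SHA1-96 ICV.

    The ICV is computed over SPI, sequence number, payload, padding and trailer;
    nothing in front of the ESP header (the IP header) is covered.
    """
    pad_len = (-(len(payload) + 2)) % 4          # align the 2-byte trailer on 4 bytes
    padding = bytes(range(1, pad_len + 1))       # default monotonically increasing pad
    trailer = struct.pack("!BB", pad_len, next_header)
    authenticated = struct.pack("!II", spi, seq) + payload + padding + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv

def verify_esp(esp, auth_key):
    """Return (spi, seq, next_header, payload) if the ICV verifies, otherwise None."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]

def coverage_demo(auth_key=b"constructed-demo-key"):
    """Return (header_change_passes_icv, payload_change_passes_icv) for one datagram."""
    esp = build_esp(spi=0x1000, seq=1, payload=b"hello, IPsec", next_header=17, auth_key=auth_key)
    # Constructed 20-byte outer IPv4 header carrying protocol 50 (ESP); values are illustrative.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, 50, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    datagram = bytearray(ip_hdr + esp)
    datagram[12] ^= 0xFF                          # alter the outer source address
    header_change_passes = verify_esp(bytes(datagram[20:]), auth_key) is not None
    datagram[20 + 8] ^= 0x01                      # alter the first ESP payload byte
    payload_change_passes = verify_esp(bytes(datagram[20:]), auth_key) is not None
    return header_change_passes, payload_change_passes

if __name__ == "__main__":
    print(coverage_demo())  # (True, False)
```

The first result is the gap the text describes: ESP alone cannot tell that the outer IP header was changed, which is the case for pairing it with AH when the source address itself must be authenticated.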
