
12.7. Summary

In this chapter, we examined the ESP protocol and its role within IPsec. In addition to encryption, ESP provides authentication, antireplay protection, and, in some cases, limited protection from traffic analysis. We observed that like AH, ESP can operate in either transport or tunnel mode, and we looked at how the original datagram is encapsulated by ESP in the two modes.

We also watched ESP in action by taking tcpdump traces of ESP traffic. By using the NULL encryption algorithm, we were able to see the internal structure of an ESP tunnel-mode packet. When we looked at transport-mode traffic, on the other hand, we did use encryption, and so we saw exactly what an attacker would see: the IP and ESP headers and the authentication data. Everything else was encrypted and effectively invisible. Even the size of the original data could be obscured by adding a random amount of padding.
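To make the packet structure described above concrete, here is an added example (not code from the book, and not a tcpdump trace) that builds an ESP packet with NULL encryption and an HMAC-SHA1-96 integrity check value, shows the fields a passive observer can read without the keys (SPI, sequence number, ICV, and the length of the opaque payload), strips the padding and trailer on receipt, and implements a small sliding anti-replay window of the kind the chapter mentions. The SPI, the authentication key, and the "inner datagram" bytes are constructed sample values; the `extra_pad` parameter stands in for the random padding that obscures the true payload length.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple

# Constructed sample values, not taken from any real trace.
SPI = 0x00001234
AUTH_KEY = b"constructed-hmac-authentication-key"   # hypothetical SA key
INNER = b"constructed inner IPv4 datagram"            # stands in for an IP-in-IP payload
ICV_LEN = 12                                          # HMAC-SHA1-96 truncation (RFC 2404)


def esp_encapsulate(inner: bytes, spi: int, seq: int, next_header: int,
                    key: bytes, extra_pad: int = 0) -> bytes:
    """Build an ESP packet with NULL encryption (RFC 2410), so the payload,
    padding and trailer are laid out exactly as a decrypted packet would be.
    extra_pad must be a multiple of 4 so the 4-byte alignment is preserved."""
    header = struct.pack("!II", spi, seq)                 # SPI + sequence number
    # Pad so that payload + padding + pad_len(1) + next_header(1) is 4-byte aligned,
    # then add extra_pad bytes to hide the true payload length from an observer.
    pad_len = (-(len(inner) + 2)) % 4 + extra_pad
    if pad_len > 255:
        raise ValueError("ESP pad length field is a single byte")
    padding = bytes(range(1, pad_len + 1))                # default monotonic padding (RFC 4303 2.4)
    trailer = struct.pack("!BB", pad_len, next_header)
    authenticated = header + inner + padding + trailer    # ICV covers header through trailer
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_visible_fields(packet: bytes) -> Dict[str, object]:
    """Everything an on-path observer learns without the keys."""
    spi, seq = struct.unpack("!II", packet[:8])
    return {"spi": spi, "seq": seq, "icv": packet[-ICV_LEN:],
            "opaque_len": len(packet) - 8 - ICV_LEN}


def esp_decapsulate(packet: bytes, key: bytes) -> Tuple[int, bytes]:
    """Verify the ICV first; only then strip padding and trailer and return
    (next_header, inner datagram). Any tampering is rejected before parsing."""
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet discarded")
    body = authenticated[8:]
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return next_header, body[:len(body) - 2 - pad_len]


class ReplayWindow:
    """Minimal sliding anti-replay window (RFC 4303 3.4.3): bit 0 of the
    bitmap is the highest sequence number seen, bit i is `right - i`."""

    def __init__(self, size: int = 64) -> None:
        self.size, self.right, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                        # sequence number 0 is never valid
            return False
        if seq > self.right:                # advances the window
            shift = seq - self.right
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.right = seq
            return True
        diff = self.right - seq
        if diff >= self.size:               # older than the window: reject
            return False
        if self.bitmap & (1 << diff):       # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


if __name__ == "__main__":
    plain = esp_encapsulate(INNER, SPI, 1, 4, AUTH_KEY)              # next header 4 = IP-in-IP
    padded = esp_encapsulate(INNER, SPI, 2, 4, AUTH_KEY,
                             extra_pad=4 * secrets.randbelow(8))     # random extra padding
    for pkt in (plain, padded):
        print("observer sees:", esp_visible_fields(pkt))
    print("receiver gets :", esp_decapsulate(padded, AUTH_KEY))
```

The observer dictionary for the two packets differs only in `seq` and `opaque_len`, which is the point of the random padding: the same inner datagram produces packets of different sizes on the wire. Note also the ordering in `esp_decapsulate`: the ICV is checked before any byte of the payload is interpreted, and a replay check on the sequence number would sit between those two steps on a real receiver.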
