ipsecesp(7P)                       Protocols                      ipsecesp(7P)



NAME

       ipsecesp, ESP - IPsec Encapsulating Security Payload


SYNOPSIS

       drv/ipsecesp



DESCRIPTION

       The ipsecesp module provides confidentiality, integrity, authentica‐
       tion, and partial sequence integrity (replay protection) to IP data‐
       grams. The encapsulating security payload (ESP) encapsulates its data,
       enabling it to protect data that follows in the datagram. For TCP pack‐
       ets, ESP encapsulates the TCP header and its data only. If the packet
       is an IP in IP datagram, ESP protects the inner IP datagram. Per-socket
       policy allows "self-encapsulation" so ESP can encapsulate IP options
       when necessary. See ipsec(7P).

       Unlike the authentication header (AH), ESP allows multiple varieties of
       datagram protection. (Using a single datagram protection form can
       expose vulnerabilities.) For example, only ESP can be used to provide
       confidentiality. But protecting confidentiality alone exposes vulnera‐
       bilities to both replay attacks and cut-and-paste attacks, because
       neither the sequence number nor the ciphertext is then authenticated.
       Similarly, if ESP protects only integrity, it may provide weaker pro‐
       tection than AH: the ESP integrity check covers only the ESP header
       and payload, whereas AH also covers the immutable fields of the outer
       IP header. See ipsecah(7P).

   ESP Device
       ESP is implemented as a module that is auto-pushed on top of IP. Use
       the /dev/ipsecesp entry to tune ESP with ndd(1M).

   Algorithms
       ESP uses encryption and authentication algorithms. Authentication algo‐
       rithms include HMAC-MD5 and HMAC-SHA-1. Encryption algorithms include
       DES, Triple-DES, Blowfish and AES. Each authentication and encryption
       algorithm has key size and key format properties. You can obtain a
       list of authentication and encryption algorithms and their properties
       by using the ipsecalgs(1M) command. You can also use the functions
       described in the getipsecalgbyname(3NSL) man page to retrieve the prop‐
       erties of algorithms. Because of export laws in the United States, not
       all encryption algorithms are available outside of the United States.
       Single DES, with its 56-bit key, is no longer considered adequate pro‐
       tection; prefer AES where both peers support it.

   Security Considerations
       ESP without authentication exposes vulnerabilities to cut-and-paste
       cryptographic attacks: an attacker who cannot read a packet can still
       modify or splice its ciphertext undetected, and such manipulation can
       in turn be used to recover plaintext, so confidentiality alone does
       not reliably prevent eavesdropping. Like AH, ESP is vulnerable to
       eavesdropping when used without confidentiality.

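       The cut-and-paste and replay weaknesses noted in DESCRIPTION and in
       Security Considerations are easiest to see on the wire. The following
       Python script is an added example, not part of this man page or of the
       Solaris ESP implementation: it builds ESP packets in the RFC 2406 layout
       (SPI, sequence number, IV, encrypted payload and trailer, optional
       96-bit HMAC-SHA-1 ICV) and decapsulates them with and without
       authentication. The encryption is a toy HMAC-SHA256 stream cipher
       standing in for the real ESP algorithms, because the Python standard
       library has no DES or AES; the keys, SPI, window size and payloads are
       constructed demo values. Against a stream cipher the cut-and-paste
       attack degenerates to a bit flip; against the CBC modes ESP actually
       uses it splices whole ciphertext blocks, but the receiver-side lesson is
       the same: without an ICV the modified packet is accepted, and the
       sequence number cannot be trusted for replay protection.

```python
"""Added example (not from the ipsecesp man page): ESP framing per RFC 2406,
decapsulated with and without an integrity check value (ICV).

Toy encryption: keystream = HMAC-SHA256(enc_key, iv || counter) XOR plaintext.
It stands in for the real ESP ciphers (DES, 3DES, Blowfish, AES), which the
Python standard library does not provide.  Authentication is the real
HMAC-SHA-1-96 construction: HMAC-SHA-1 truncated to 96 bits.
"""
import hashlib
import hmac
import os
import struct

NEXT_HEADER_TCP = 6    # transport mode: payload is TCP header + data
NEXT_HEADER_IPIP = 4   # tunnel mode: payload is a whole inner IP datagram
IV_LEN = 8
ICV_LEN = 12           # HMAC-SHA-1-96

# Constructed demo keys; a real SA gets these from IKE or ipseckey(1M).
ENC_KEY = b"\x11" * 16
AUTH_KEY = b"\x22" * 20


def _keystream(key, iv, n):
    """Toy counter-mode keystream of n bytes (NOT a real ESP cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(spi, seq, payload, next_header, enc_key, auth_key=None, iv=None):
    """Build SPI | seq | IV | E(payload | pad | pad_len | next_header) | [ICV]."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    pad_len = (-(len(payload) + 2)) % 4           # trailer aligned to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    plain = payload + trailer
    pkt = struct.pack(">II", spi, seq) + iv + _xor(plain, _keystream(enc_key, iv, len(plain)))
    if auth_key is not None:                      # ICV covers header + IV + ciphertext
        pkt += hmac.new(auth_key, pkt, hashlib.sha1).digest()[:ICV_LEN]
    return pkt


class EspReceiver:
    """Inbound side of one SA.  Anti-replay is enforced only with an ICV, as in
    RFC 2406: without authentication the sequence number is attacker-controlled."""

    def __init__(self, enc_key, auth_key=None, window=64):
        self.enc_key, self.auth_key, self.window = enc_key, auth_key, window
        self.highest, self.seen = 0, set()

    def decapsulate(self, pkt):
        """Return (next_header, payload); raise ValueError on rejection."""
        if self.auth_key is not None:
            body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
            expect = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
            if not hmac.compare_digest(icv, expect):
                raise ValueError("ICV mismatch: packet modified or forged")
            pkt = body
        spi, seq = struct.unpack(">II", pkt[:8])
        if self.auth_key is not None:
            if seq in self.seen or seq + self.window <= self.highest:
                raise ValueError("replayed or stale sequence number")
            self.seen.add(seq)
            self.highest = max(self.highest, seq)
        iv, ct = pkt[8:8 + IV_LEN], pkt[8 + IV_LEN:]
        plain = _xor(ct, _keystream(self.enc_key, iv, len(ct)))
        pad_len, next_header = plain[-2], plain[-1]
        return next_header, plain[:len(plain) - 2 - pad_len]


def demo_cut_and_paste(use_icv):
    """Attacker knows the first payload byte is 'G' and rewrites it to 'P' in
    the ciphertext without the key.  Returns the accepted payload or 'rejected'."""
    auth = AUTH_KEY if use_icv else None
    rx = EspReceiver(ENC_KEY, auth)
    pkt = esp_encapsulate(0x1000, 1, b"GET /secret", NEXT_HEADER_TCP, ENC_KEY, auth)
    off = 8 + IV_LEN                               # offset of first ciphertext byte
    tampered = pkt[:off] + bytes([pkt[off] ^ ord("G") ^ ord("P")]) + pkt[off + 1:]
    try:
        return rx.decapsulate(tampered)[1]
    except ValueError:
        return "rejected"


def demo_replay(use_icv):
    """Deliver one tunnel-mode packet twice; return how many copies were accepted."""
    auth = AUTH_KEY if use_icv else None
    rx = EspReceiver(ENC_KEY, auth)
    inner_ip = b"\x45\x00\x00\x14" + bytes(16)    # constructed 20-byte IPv4 header stub
    pkt = esp_encapsulate(0x1000, 5, inner_ip, NEXT_HEADER_IPIP, ENC_KEY, auth)
    accepted = 0
    for _ in range(2):
        try:
            rx.decapsulate(pkt)
            accepted += 1
        except ValueError:
            pass
    return accepted


if __name__ == "__main__":
    for icv in (False, True):
        print(f"ICV={icv}: tampered -> {demo_cut_and_paste(icv)!r}, "
              f"replay accepted {demo_replay(icv)} of 2")
```

       Run directly, the script shows the encrypt-only receiver accepting
       "PET /secret" and both copies of the replayed packet, while the
       authenticated receiver rejects both. The receiver checks the replay
       window only when an ICV is configured, mirroring RFC 2406, which offers
       anti-replay service only when authentication is selected.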

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsr (32-bit)             │
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       ipsecalgs(1M), ipsecconf(1M), ndd(1M), attributes(5),
       getipsecalgbyname(3NSL), ip(7P), ipsec(7P), ipsecah(7P)


       Kent, S. and Atkinson, R., RFC 2406, IP Encapsulating Security Payload
       (ESP), The Internet Society, 1998.


SunOS 5.11                        18 May 2003                     ipsecesp(7P)