Encapsulating Security Payload (ESP)
A fundamental element of IPsec that provides integrity, authentication, and confidentiality for IP datagrams. ESP works between hosts, between a host and a security gateway, or between security gateways. The support for security gateways (in Tunnel-mode) permits trustworthy networks behind a security gateway to omit encryption, while using the security gateways to obtain confidentiality for transmissions over untrustworthy network segments. In Tunnel-mode, ESP encapsulates the entire IP datagram, including its IP header, within the ESP payload. (See tunneling.) When there is no intervening security gateway, hosts may use Transport-mode, in which only the upper-layer protocol data (e.g., TCP or UDP) is encrypted and no IP header is encrypted. In Transport-mode, ESP encapsulates an upper-layer protocol (e.g., UDP or TCP) inside ESP and then adds a cleartext IP header; this cleartext IP header carries the protected data through the intervening networks. Transport-mode can reduce both the bandwidth consumed and the protocol processing costs for users who do not need to keep the entire IP datagram confidential, or who encrypt the data in the host application prior to transmission. ESP works with both unicast and multicast traffic. (See integrity, authentication, confidentiality, datagram, encapsulation, host, cleartext, encryption, TCP, and multicast in the hard copy dictionary.)
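The Tunnel-mode versus Transport-mode difference above comes down to what sits inside the ESP payload and what the ESP Next Header field says. The following is an added example, not part of the dictionary entry or any IPsec implementation: it builds the RFC 4303 ESP framing (SPI, sequence number, payload, padding, pad length, next header, ICV) around a constructed UDP segment in both modes. Encryption and the real ICV are deliberately left out (payload in the clear, zero ICV), and all addresses and the SPI are made-up sample values.

```python
import struct

# IANA protocol numbers seen in the ESP Next Header field and the outer IP header
IPPROTO_IPV4 = 4   # tunnel mode: the whole inner IPv4 datagram is the ESP payload
IPPROTO_UDP = 17   # transport mode: only the upper-layer protocol is the payload
IPPROTO_ESP = 50   # the cleartext outer IP header announces "ESP follows"

def esp_encapsulate(spi, seq, payload, next_header, icv_len=16):
    """RFC 4303 framing: SPI | Seq | Payload | Padding | Pad Len | Next Hdr | ICV.
    Payload is left unencrypted and the ICV is a zero placeholder, so this
    shows the framing only, not a usable security association."""
    pad_len = (-(len(payload) + 2)) % 4       # right-align trailer in a 4-byte word
    padding = bytes(range(1, pad_len + 1))    # default monotonic padding bytes
    return (struct.pack("!II", spi, seq) + payload + padding
            + struct.pack("!BB", pad_len, next_header) + b"\x00" * icv_len)

def esp_decapsulate(packet, icv_len=16):
    """Return (spi, seq, next_header, payload) parsed from an ESP packet."""
    spi, seq = struct.unpack("!II", packet[:8])
    body = packet[8:len(packet) - icv_len]
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero) for the constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)

# Constructed sample (hypothetical addresses): host 10.0.0.2 sends UDP to 10.0.1.2,
# either directly or via gateways 192.0.2.1 and 198.51.100.1.
HOST_A, HOST_B = b"\x0a\x00\x00\x02", b"\x0a\x00\x01\x02"
GW_A, GW_B = b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x01"
UDP_SEGMENT = struct.pack("!HHHH", 5000, 53, 8 + 5, 0) + b"hello"

def transport_mode(spi, seq):
    """Host-to-host: only the UDP segment goes inside ESP; the IP header stays cleartext,
    so the two hosts' addresses remain visible on the wire."""
    esp = esp_encapsulate(spi, seq, UDP_SEGMENT, IPPROTO_UDP)
    outer = ipv4_header(HOST_A, HOST_B, IPPROTO_ESP, 20 + len(esp))
    return outer, esp

def tunnel_mode(spi, seq):
    """Gateway-to-gateway: the whole inner datagram, header included, goes inside ESP;
    only the gateway addresses are visible in the cleartext outer header."""
    inner = ipv4_header(HOST_A, HOST_B, IPPROTO_UDP, 20 + len(UDP_SEGMENT)) + UDP_SEGMENT
    esp = esp_encapsulate(spi, seq, inner, IPPROTO_IPV4)
    outer = ipv4_header(GW_A, GW_B, IPPROTO_ESP, 20 + len(esp))
    return outer, esp
```

Comparing `outer[12:20]` of the two results shows the bandwidth trade-off the entry describes: tunnel mode carries a second 20-byte IP header inside ESP in exchange for hiding the end hosts' addresses.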