Cryptography Reference
fields. There are two current IPSec environments, IPv4 and IPv6. When
a host uses IPv4 with AH or ESP, the IP header is followed by the payload
data. With IPv6, the IP header and any IPv6 extension headers are followed by
the payload. In transport mode, AH authenticates the IP payload and
selected parts of the IP header, whereas ESP in transport mode encrypts
the IP payload and optionally authenticates it, but does not cover the IP header.
When we referred to the packet in part 1, we meant, and will mean
throughout our discussion, an IPv4 or IPv6 data packet. These versions
are specified in the document that obsoletes RFC 2401 (since published as
RFC 4301), cited on page 296, as well as in the documents that, at the time
of writing, were being updated to obsolete RFC 2402, [207], and RFC 2406,
[211] (since published as RFC 4302 and RFC 4303, respectively); see also
http://www.ietf.org/internet-drafts/draft-ietf-bmwg-ipsec-term-04.txt, dated August 2004.
SA Parameters
1. Security Parameters Index (SPI)
This bitstring uniquely identifies an SA relative to a security protocol such
as AH or ESP. The SPI is carried in the AH and ESP headers so that
the receiving site can select the SA under which to process the packet.
If the SA is employed for unicast traffic only, then a locally assigned bitstring
is sufficient to specify an SA. If multicast traffic is supported by the
IPSec implementation, then it MUST (see Footnote 8.10) support multicast SAs.
Note also that a sender SHOULD place traffic of different priority classes
onto different SAs: otherwise, when the receiver runs the built-in anti-replay
mechanism, a delayed low-priority packet can fall behind the receiver's
replay window and be improperly discarded as too old.
2. IP Destination Address
This parameter dictates the destination IP address of the SA. For a unicast SA
this is a single unicast address; only the multicast SAs mentioned above carry
a multicast group address here. The target may be an end host, but it may
also be a firewall or a router. Note that an IP address (also
known as an Internet address) is a unique bitstring allotted to a host
and used for all communication with that host: 32 bits in IPv4, 128 bits in IPv6.
3. Security Protocol Identifier
This parameter stipulates the security protocol of the SA, namely whether it is AH or ESP.
In any IP packet, the SA is therefore uniquely identified by the triple consisting
of the Destination Address in the IPv4 or IPv6 header, the SPI in the enclosed
AH or ESP header, and the protocol (AH or ESP) of that header. In Diagrams 8.15-8.19,
we will illustrate only the IPv6 version, since it is more extensive than the IPv4 model.
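As an added, self-contained illustration (this is example code written for this edit, not code from the book or from any IPSec implementation), the following Python walks an IPv6 header chain to the AH or ESP header, extracts the (Destination Address, SPI, protocol) triple used to look up the SA in a security association database, and then runs the anti-replay window check that item 1 above warns about. All addresses, SPIs and packet contents are constructed inline; the ESP body is left as a placeholder byte string rather than real ciphertext, and the 64-packet window size is an assumption (it is the minimum a receiver is required to support, not a fixed value).

```python
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
# IPv6 extension headers that may sit between the fixed header and AH/ESP.
EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DEST_OPTS = 0, 43, 44, 60


def build_ipv6(src, dst, next_header, payload):
    """Constructed 40-byte IPv6 header (version 6, zero traffic class / flow label)."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_esp(spi, seq, body):
    """ESP header: SPI and sequence number, followed by the (placeholder) body."""
    return struct.pack("!II", spi, seq) + body


def build_ah(spi, seq, next_header, icv):
    """AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    total_words = (12 + len(icv)) // 4
    return struct.pack("!BBHII", next_header, total_words - 2, 0, spi, seq) + icv


def parse_ipsec_selector(pkt):
    """Follow the IPv6 next-header chain to AH/ESP; return (dst, spi, proto, seq)."""
    _, _, nh, _, _, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    off = 40
    while nh not in (IPPROTO_AH, IPPROTO_ESP):
        if nh == EXT_FRAGMENT:                         # fixed 8-byte header
            nh, off = pkt[off], off + 8
        elif nh in (EXT_HOP_BY_HOP, EXT_ROUTING, EXT_DEST_OPTS):
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8  # length in 8-octet units, excluding the first 8
        else:
            raise ValueError(f"no AH/ESP header found (next header {nh})")
    if nh == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", pkt[off:off + 8])
    else:
        _, _, _, spi, seq = struct.unpack("!BBHII", pkt[off:off + 12])
    return str(ipaddress.IPv6Address(dst)), spi, nh, seq


class SecurityAssociation:
    """Inbound SA: the identifying triple plus a sliding anti-replay window."""
    WINDOW = 64  # assumed window size; bit i of the bitmap records last_seq - i

    def __init__(self, dst, spi, proto):
        self.key = (dst, spi, proto)
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0

    def check_replay(self, seq):
        """Return True if the packet is accepted, False if it is a replay or too old."""
        if seq == 0:
            return False
        if seq > self.last_seq:                     # right of the window: slide it forward
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.WINDOW:                     # left of the window: dropped as too old
            return False
        if self.bitmap & (1 << diff):               # inside the window but already seen
            return False
        self.bitmap |= 1 << diff
        return True


def sad_lookup(sad, pkt):
    """Select the SA by (dst, SPI, protocol) and apply its replay check."""
    dst, spi, proto, seq = parse_ipsec_selector(pkt)
    sa = sad.get((dst, spi, proto))
    if sa is None:
        return "no SA"
    return "accepted" if sa.check_replay(seq) else "dropped"


def demo():
    """Constructed traffic: in-order packets, a big jump, a replay, a late packet."""
    src, dst = "2001:db8::1", "2001:db8::2"
    sa = SecurityAssociation(dst, 0x1000, IPPROTO_ESP)
    sad = {sa.key: sa}
    results = []
    for seq in (1, 2, 3, 70, 2, 10, 10, 3):
        pkt = build_ipv6(src, dst, IPPROTO_ESP, build_esp(0x1000, seq, b"<ciphertext>"))
        results.append(sad_lookup(sad, pkt))
    # The same SPI under AH names a different SA, which this SAD does not hold.
    ah_pkt = build_ipv6(src, dst, IPPROTO_AH, build_ah(0x1000, 1, 59, b"\x00" * 12))
    results.append(sad_lookup(sad, ah_pkt))
    return results


if __name__ == "__main__":
    print(demo())
```

In the demo, sequence number 2 arriving after 70 is rejected as a replay, the repeated 10 is rejected because its window bit is already set, and the late but legitimate packet 3 is dropped simply because 70 - 3 exceeds the window. That last case is exactly why lower-priority traffic, which tends to be delayed more, should ride on its own SA.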
8.10 Note that, as in Footnote 8.3 on page 288, MUST, MUST NOT, REQUIRED, SHALL,
SHALL NOT, SHOULD, SHOULD NOT, MAY, and OPTIONAL are to be interpreted according to
the specifications given in [204].