Diagram 8.21 Authentication Header Fields: Next Header (8-bit), Payload Length (8-bit), Reserved (16-bit), Security Parameters Index (SPI) (32-bit), Sequence Number (32-bit), Authentication Data (variable length).
Transport and Tunnel Mode AH
We discussed transport and tunnel modes in general terms earlier, and illustrated AH transport mode (IPv6 implemented) in Diagram 8.16. This case
is considered to be an end-to-end payload — it is immutable — and remains
untouched by routers between its origin and target sites. For this reason, AH
appears after the original IP header and routing information. Authentication,
in this case, extends to the entire packet, excluding only the mutable fields, which are
set to zero for MAC calculations.
In AH tunnel mode, the entire original IP packet is authenticated, again,
except for the mutable fields (see Diagram 8.17). Unlike transport mode, the
AH can be used by either hosts or security gateways. In fact, when AH is used
in a security gateway, tunnel mode must be employed. Thus, the new IP header
may contain addresses for firewalls or other security gateways.
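The following is an added worked example (not code from the text) of the transport-mode AH processing described above: the AH fields of Diagram 8.21 are serialised, the mutable IPv4 fields (TOS, Flags/Fragment Offset, TTL, Header Checksum) are zeroed before the MAC is computed, and the ICV covers the IP header, the AH with its own Authentication Data zeroed, and the payload. The text names no particular MAC; the block assumes HMAC-SHA1 truncated to 96 bits (the common AH-HMAC-SHA1-96 transform), a 20-byte IPv4 header without options, and a constructed key and addresses. The two helper functions at the end show why the mutable-field rule matters: a router hop that rewrites TTL and checksum leaves the ICV valid, while a change to the immutable destination address is detected.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51      # IP protocol number carried in the outer header for AH
AH_FIXED_LEN = 12     # Next Header, Payload Length, Reserved, SPI, Sequence Number (Diagram 8.21)
ICV_LEN = 12          # 96-bit truncated HMAC-SHA1 ICV; assumption, the text does not fix the MAC

# Constructed sample values, not from the text.
KEY = bytes(range(20))
SRC = bytes([10, 0, 0, 1])
DST = bytes([10, 0, 0, 2])


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of a header whose checksum field is currently zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int, proto: int) -> bytes:
    """20-byte IPv4 header (IHL=5, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4_fields(ip_header: bytes) -> bytes:
    """Copy of the header with TOS, Flags/Fragment Offset, TTL and Checksum set to zero for the MAC."""
    h = bytearray(ip_header[:20])
    h[1] = 0                 # Type of Service / DSCP+ECN
    h[6:8] = b"\x00\x00"     # Flags and Fragment Offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # Header Checksum
    return bytes(h)


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialise the AH of Diagram 8.21; Payload Length is the AH length in 32-bit words minus 2."""
    payload_length = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_length, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_header: bytes, ah_zero_icv: bytes, payload: bytes) -> bytes:
    """MAC over the immutable IP fields, the AH with Authentication Data zeroed, and the payload."""
    covered = zero_mutable_ipv4_fields(ip_header) + ah_zero_icv + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect_transport(key, src, dst, payload, spi, seq, ttl=64, inner_proto=17):
    """Transport mode: original IP header, then AH, then the untouched transport payload."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_header = make_ipv4_header(src, dst, total_len, ttl, AH_PROTOCOL)
    ah_zero = build_ah(inner_proto, spi, seq, b"\x00" * ICV_LEN)
    icv = compute_icv(key, ip_header, ah_zero, payload)
    return ip_header + build_ah(inner_proto, spi, seq, icv) + payload


def ah_verify_transport(key, packet):
    """Return (ok, payload); ok is False when the recomputed ICV differs from the received one."""
    ip_header = packet[:20]
    if ip_header[9] != AH_PROTOCOL:
        return False, b""
    ah_len = (packet[21] + 2) * 4            # Payload Length field -> AH length in bytes
    ah = packet[20:20 + ah_len]
    icv = ah[AH_FIXED_LEN:]
    payload = packet[20 + ah_len:]
    ah_zero = ah[:AH_FIXED_LEN] + b"\x00" * len(icv)
    expected = compute_icv(key, ip_header, ah_zero, payload)
    return hmac.compare_digest(expected, icv), payload


def router_hop(packet):
    """Simulate a forwarding router: decrement TTL and recompute the checksum (mutable fields only)."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def tamper_destination(packet, new_dst):
    """Alter an immutable field (destination address) with a corrected checksum; AH must reject this."""
    h = bytearray(packet[:20])
    h[16:20] = new_dst
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


if __name__ == "__main__":
    pkt = ah_protect_transport(KEY, SRC, DST, b"hello", spi=0x100, seq=1)
    print(ah_verify_transport(KEY, pkt)[0])                                    # True
    print(ah_verify_transport(KEY, router_hop(pkt))[0])                        # True
    print(ah_verify_transport(KEY, tamper_destination(pkt, bytes([10, 0, 0, 9])))[0])  # False
```

The receiver derives the ICV length from the Payload Length field rather than from a constant, which is how a real implementation locates the Authentication Data for an arbitrary MAC, and it compares the MAC in constant time.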
Encapsulating Security Payload (ESP)
ESP Fields
As with AH, we provide a top-down description of the ESP fields followed
by a diagram illustrating the same.
1. Security Parameters Index (SPI) : This 32-bit field names the specific
SA to be used.
2. Sequence Number : This 32-bit field is similar to the corresponding AH
field, with a monotonically increasing counter that guards against replay
attacks. (See the explanation for AH above.)
3. Payload Data : This variable-length field consists of the enciphered data
for the packet being transmitted, which may be at the transport level
(thus, in transport mode), or an IP packet (in tunnel mode).
4. Padding : This field provides space for up to 255 bytes, which might
be necessitated by the enciphering algorithm being used. The suite of
compliant encryption algorithms are 3DES-CBC (see [214]), which the
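The following is an added worked example (not code from the text) of two of the ESP fields listed above: the padding arithmetic for item 4 and the anti-replay use of the sequence number for item 2. It frames an ESP packet as SPI, Sequence Number, Payload Data, Padding, and the trailing Pad Length and Next Header bytes, and it implements a sliding bitmap window of the kind the receiver keeps so that a sequence number is accepted only once. Encryption of the payload is left out, so the "payload data" here is the plaintext that would be enciphered; the 8-byte cipher block size, the 64-entry window and the packet values are constructed assumptions.

```python
import struct

ESP_HEADER_LEN = 8      # SPI (32-bit) + Sequence Number (32-bit)
ESP_TRAILER_LEN = 2     # Pad Length + Next Header bytes that follow the padding
MAX_PAD = 255           # the Padding field holds at most 255 bytes


def esp_padding(payload_len: int, block_size: int) -> int:
    """Padding bytes needed so payload + padding + 2-byte trailer fills whole cipher blocks."""
    pad = (-(payload_len + ESP_TRAILER_LEN)) % block_size
    if pad > MAX_PAD:
        raise ValueError("block size too large for the 255-byte Padding field")
    return pad


def build_esp_packet(spi: int, seq: int, payload: bytes, next_header: int, block_size: int = 8) -> bytes:
    """SPI | Seq | Payload Data | Padding | Pad Length | Next Header (ICV omitted here)."""
    pad_len = esp_padding(len(payload), block_size)
    padding = bytes(range(1, pad_len + 1))          # deterministic 1,2,3,... pad bytes, checkable on receipt
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])


def parse_esp_packet(packet: bytes):
    """Return (spi, seq, payload, next_header); raise ValueError on a malformed trailer or padding."""
    spi, seq = struct.unpack("!II", packet[:ESP_HEADER_LEN])
    body = packet[ESP_HEADER_LEN:]
    if len(body) < ESP_TRAILER_LEN:
        raise ValueError("truncated ESP trailer")
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - ESP_TRAILER_LEN:
        raise ValueError("Pad Length exceeds the packet body")
    end = len(body) - ESP_TRAILER_LEN
    if body[end - pad_len:end] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return spi, seq, body[:end - pad_len], next_header


class ReplayWindow:
    """Receiver-side anti-replay state for one SA: highest sequence seen plus a bitmap of the window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0       # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (last - i) has been received

    def check_and_update(self, seq: int) -> bool:
        """True and record seq if it is new and inside the window; False means drop the packet."""
        if seq == 0:
            return False                                  # first valid sequence number is 1
        if seq > self.last:                               # advances the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        diff = self.last - seq
        if diff >= self.size:
            return False                                  # too old: left of the window
        if (self.bitmap >> diff) & 1:
            return False                                  # already seen: a replay
        self.bitmap |= 1 << diff                          # late but new: accept and mark
        return True


def receive_esp(window: ReplayWindow, packet: bytes):
    """Parse an inbound ESP packet and apply the replay check; returns (accepted, payload)."""
    spi, seq, payload, next_header = parse_esp_packet(packet)
    if not window.check_and_update(seq):
        return False, b""
    return True, payload


def process_sequence(seqs, size: int = 64):
    """Feed a list of sequence numbers through one window and return the accept/drop decisions."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    pkt = build_esp_packet(0x200, 1, b"hello", next_header=17)
    print(len(pkt) - ESP_HEADER_LEN)                       # 8: one full 8-byte block after padding
    print(parse_esp_packet(pkt))
    print(process_sequence([1, 2, 3, 5, 4, 3, 100, 40, 36, 37]))
```

Out-of-order delivery (5 before 4) is tolerated by the window, a repeat of 3 is dropped as a replay, a jump to 100 slides the window so that 36 falls outside it while 37 is still accepted.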