
A.2.1.3 security associations (sa), A.2.2 ipsec modes – PLANET MH-1000 User Manual


Multi-Homing Security Gateway User’s Manual

placement depends on whether ESP is used in transport mode or tunnel mode.

ESP Trailer: Placed after the encrypted data, the ESP Trailer contains padding that is used to align the encrypted data.

ESP Authentication Data: This contains an Integrity Check Value (ICV) for when ESP's optional authentication feature is used.

ESP provides authentication, integrity, and confidentiality, which together protect the data content and protect against data tampering. A typical ESP packet looks like this:

[Figure: typical ESP packet layout, showing the fields SPI, Sequence Number, IV, Data, Pad, Pad Length, Next Header and Authentication Data]

A.2.1.3 Security Associations (SA)

Security Associations are one-way relationships between sender and receiver that specify IPSec-related parameters. They provide data protection by using the defined IPSec protocols, and allow organizations to control, according to the security policy in effect, which resources may communicate securely.

An SA is identified by three parameters:

- Security Parameters Index (SPI), a locally unique value

- Destination IP Address

- Security Protocol (AH or ESP, but not both)

There are several other parameters associated with an SA that are stored in a Security Association database.
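The following is an added example, not code from the PLANET manual: it shows how a receiver uses the SA triple (SPI, destination IP, protocol) from this section to select an SA from a small, constructed Security Association database, and then uses that SA's IV and ICV lengths to carve an ESP packet into the fields of the layout described above (SPI, Sequence Number, IV, encrypted body, ESP Trailer, Authentication Data). Decryption is out of scope, so the constructed sample body already holds the plaintext it would decrypt to; the SA record, the database contents and the packet bytes are all hypothetical.

```python
import struct
from dataclasses import dataclass

# Hypothetical SA record: the three identifying parameters from the text plus
# the per-SA field sizes a receiver needs to locate the IV and ICV in a packet.
@dataclass(frozen=True)
class SecurityAssociation:
    spi: int          # Security Parameters Index, locally unique
    dst_ip: str       # destination IP address
    protocol: str     # "ESP" or "AH", never both
    iv_len: int       # IV length in bytes (cipher dependent)
    icv_len: int      # ICV length in bytes; 0 when ESP authentication is unused

# Constructed Security Association database keyed by the SA triple. The same
# SPI may be used by an ESP SA and an AH SA, so the protocol is part of the key.
SAD = {
    (0x1234, "192.0.2.1", "ESP"): SecurityAssociation(0x1234, "192.0.2.1", "ESP", 8, 12),
    (0x1234, "192.0.2.1", "AH"): SecurityAssociation(0x1234, "192.0.2.1", "AH", 0, 12),
}

def lookup_sa(spi: int, dst_ip: str, protocol: str) -> SecurityAssociation:
    """Select the SA identified by (SPI, destination IP, protocol)."""
    try:
        return SAD[(spi, dst_ip, protocol)]
    except KeyError:
        raise LookupError(f"no {protocol} SA for SPI {spi:#x} to {dst_ip}") from None

def parse_esp(packet: bytes, dst_ip: str) -> tuple:
    """Split an ESP packet into SPI, sequence number, IV, body and ICV.
    The IV and ICV lengths are taken from the SA the packet maps to."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = lookup_sa(spi, dst_ip, "ESP")
    end = len(packet) - sa.icv_len
    if end < 8 + sa.iv_len:
        raise ValueError("packet shorter than IV plus ICV for this SA")
    return sa, seq, packet[8:8 + sa.iv_len], packet[8 + sa.iv_len:end], packet[end:]

def split_esp_trailer(plaintext: bytes) -> tuple:
    """After decryption the body ends with the ESP Trailer: padding, a one-byte
    Pad Length and a one-byte Next Header. Return (data, padding, next_header)."""
    if len(plaintext) < 2:
        raise ValueError("no room for ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds payload")
    data = plaintext[:len(plaintext) - 2 - pad_len]
    return data, plaintext[len(data):-2], next_header

# Constructed packet: SPI 0x1234, sequence 7, 8-byte IV, "encrypted" body left as
# plaintext (data, 3 pad bytes, Pad Length 3, Next Header 6), then a 12-byte ICV.
SAMPLE = (struct.pack("!II", 0x1234, 7) + b"\x00" * 8 + b"HELLO"
          + b"\x01\x02\x03" + bytes([3, 6]) + b"\xaa" * 12)
```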

A.2.2 IPSec Modes

To exchange data between different types of VPNs, IPSec provides two major modes:

- Tunnel Mode

This mode is used for host-to-host security. Protection extends to the payload of IP data, and the IP

- 92 -