Skip to main content

3.1. ESP Header Location

3.1. ESP Header Location

ESP may be employed in two ways: transport mode or tunnel mode.

3.1.1. Transport Mode Processing

In transport mode, ESP is inserted after the IP header and before a next layer protocol, e.g., TCP, UDP, ICMP, etc. In the context of IPv4, this translates to placing ESP after the IP header (and any options that it contains), but before the next layer protocol. (If AH is also applied to a packet, it is applied to the ESP header, Payload, ESP trailer, and ICV, if present.) (Note that the term "transport" mode should not be misconstrued as restricting its use to TCP and UDP.) The following diagram illustrates ESP transport mode positioning for a typical IPv4 packet, on a "before and after" basis. (This and subsequent diagrams in this section show the ICV field, the presence of which is a function of the security services and the algorithm/mode selected.)

               BEFORE APPLYING ESP
          ----------------------------
    IPv4  |orig IP hdr  |     |      |
          |(any options)| TCP | Data |
          ----------------------------

               AFTER APPLYING ESP
          -------------------------------------------------
    IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
          |(any options)| Hdr | TCP | Data | Trailer | ICV|
          -------------------------------------------------
                              |<---- encryption ---->|
                        |<-------- integrity ------->|

In the IPv6 context, ESP is viewed as an end-to-end payload, and thus should appear after hop-by-hop, routing, and fragmentation extension headers. Destination options extension header(s) could appear before, after, or both before and after the ESP header depending on the semantics desired. However, because ESP protects only fields after the ESP header, it generally will be desirable to place the destination options header(s) after the ESP header. The following diagram illustrates ESP transport mode positioning for a typical IPv6 packet.

                   BEFORE APPLYING ESP
          ---------------------------------------
    IPv6  |             | ext hdrs |     |      |
          | orig IP hdr |if present| TCP | Data |
          ---------------------------------------

                   AFTER APPLYING ESP
          ---------------------------------------------------------
    IPv6  | orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
          |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer| ICV|
          ---------------------------------------------------------
                                       |<--- encryption ---->|
                                   |<------ integrity ------>|

              * = if present, could be before ESP, after ESP, or both

Note that in transport mode, for "bump-in-the-stack" or "bump-in-the-wire" implementations, as defined in the Security Architecture document, inbound and outbound IP fragments may require an IPsec implementation to perform extra IP reassembly/fragmentation in order to both conform to this specification and provide transparent IPsec support. Special care is required to perform such operations within these implementations when multiple interfaces are in use.

3.1.2. Tunnel Mode Processing

In tunnel mode, the "inner" IP header carries the ultimate (IP) source and destination addresses, while an "outer" IP header contains the addresses of the IPsec "peers", e.g., addresses of security gateways. Mixed inner and outer IP versions are allowed, i.e., IPv6 over IPv4 and IPv4 over IPv6. In tunnel mode, ESP protects the entire inner IP packet, including the entire inner IP header. The position of ESP in tunnel mode, relative to the outer IP header, is the same as for ESP in transport mode. The following diagram illustrates ESP tunnel mode positioning for typical IPv4 and IPv6 packets.

              BEFORE APPLYING ESP
         ----------------------------
   IPv4  |orig IP hdr  |     |      |
         |(any options)| TCP | Data |
         ----------------------------

              AFTER APPLYING ESP

         -----------------------------------------------------------
   IPv4  | new IP hdr* |     | orig IP hdr*  |   |    | ESP   | ESP|
         |(any options)| ESP | (any options) |TCP|Data|Trailer| ICV|
         -----------------------------------------------------------
                             |<--------- encryption --------->|
                       |<------------- integrity ------------>|


                   BEFORE APPLYING ESP
         ---------------------------------------
   IPv6  |             | ext hdrs |     |      |
         | orig IP hdr |if present| TCP | Data |
         ---------------------------------------

                  AFTER APPLYING ESP

         ------------------------------------------------------------
   IPv6  | new* |new ext |   | orig*|orig ext |   |    | ESP   | ESP|
         |IP hdr| hdrs*  |ESP|IP hdr| hdrs *  |TCP|Data|Trailer| ICV|
         ------------------------------------------------------------
                             |<--------- encryption ---------->|
                         |<------------ integrity ------------>|

         * = if present, construction of outer IP hdr/extensions and
             modification of inner IP hdr/extensions is discussed in
             the Security Architecture document.
Last updated on