rfc2406.txt

著名的RFC文档,其中有一些文档是已经翻译成中文的的.

              is aligned on a 4-byte boundary (second bullet above), the
              padding computation applies to the Payload Data inclusive
              of the IV, the Pad Length, and Next Header fields.

   If Padding bytes are needed but the encryption algorithm does not
   specify the padding contents, then the following default processing
   MUST be used.  The Padding bytes are initialized with a series of
   (unsigned, 1-byte) integer values.  The first padding byte appended
   to the plaintext is numbered 1, with subsequent padding bytes making
   up a monotonically increasing sequence: 1, 2, 3, ...  When this
   padding scheme is employed, the receiver SHOULD inspect the Padding
   field.  (This scheme was selected because of its relative simplicity,
   ease of implementation in hardware, and because it offers limited
   protection against certain forms of "cut and paste" attacks in the
   absence of other integrity measures, if the receiver checks the
   padding values upon decryption.)

   Any encryption algorithm that requires Padding other than the default
   described above, MUST define the Padding contents (e.g., zeros or
   random data) and any required receiver processing of these Padding
   bytes in an RFC specifying how the algorithm is used with ESP.  In
   such circumstances, the content of the Padding field will be
   determined by the encryption algorithm and mode selected and defined
   in the corresponding algorithm RFC.  The relevant algorithm RFC MAY
   specify that a receiver MUST inspect the Padding field or that a



Kent & Atkinson             Standards Track                     [Page 6]

RFC 2406           IP Encapsulating Security Payload       November 1998


   receiver MUST inform senders of how the receiver will handle the
   Padding field.

2.5  Pad Length

   The Pad Length field indicates the number of pad bytes immediately
   preceding it.  The range of valid values is 0-255, where a value of
   zero indicates that no Padding bytes are present.  The Pad Length
   field is mandatory.

2.6  Next Header

   The Next Header is an 8-bit field that identifies the type of data
   contained in the Payload Data field, e.g., an extension header in
   IPv6 or an upper layer protocol identifier.  The value of this field
   is chosen from the set of IP Protocol Numbers defined in the most
   recent "Assigned Numbers" [STD-2] RFC from the Internet Assigned
   Numbers Authority (IANA).  The Next Header field is mandatory.

2.7  Authentication Data

   The Authentication Data is a variable-length field containing an
   Integrity Check Value (ICV) computed over the ESP packet minus the
   Authentication Data.  The length of the field is specified by the
   authentication function selected.  The Authentication Data field is
   optional, and is included only if the authentication service has been
   selected for the SA in question.  The authentication algorithm
   specification MUST specify the length of the ICV and the comparison
   rules and processing steps for validation.

3.  Encapsulating Security Protocol Processing

3.1  ESP Header Location

   Like AH, ESP may be employed in two ways: transport mode or tunnel
   mode.  The former mode is applicable only to host implementations and
   provides protection for upper layer protocols, but not the IP header.
   (In this mode, note that for "bump-in-the-stack" or "bump-in-the-
   wire" implementations, as defined in the Security Architecture
   document, inbound and outbound IP fragments may require an IPsec
   implementation to perform extra IP reassembly/fragmentation in order
   to both conform to this specification and provide transparent IPsec
   support.  Special care is required to perform such operations within
   these implementations when multiple interfaces are in use.)

   In transport mode, ESP is inserted after the IP header and before an
   upper layer protocol, e.g., TCP, UDP, ICMP, etc. or before any other
   IPsec headers that have already been inserted.  In the context of



Kent & Atkinson             Standards Track                     [Page 7]

RFC 2406           IP Encapsulating Security Payload       November 1998


   IPv4, this translates to placing ESP after the IP header (and any
   options that it contains), but before the upper layer protocol.
   (Note that the term "transport" mode should not be misconstrued as
   restricting its use to TCP and UDP. For example, an ICMP message MAY
   be sent using either "transport" mode or "tunnel" mode.)  The
   following diagram illustrates ESP transport mode positioning for a
   typical IPv4 packet, on a "before and after" basis. (The "ESP
   trailer" encompasses any Padding, plus the Pad Length, and Next
   Header fields.)

                 BEFORE APPLYING ESP
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

                 AFTER APPLYING ESP
            -------------------------------------------------
      IPv4  |orig IP hdr  | ESP |     |      |   ESP   | ESP|
            |(any options)| Hdr | TCP | Data | Trailer |Auth|
            -------------------------------------------------
                                |<----- encrypted ---->|
                          |<------ authenticated ----->|


   In the IPv6 context, ESP is viewed as an end-to-end payload, and thus
   should appear after hop-by-hop, routing, and fragmentation extension
   headers.  The destination options extension header(s) could appear
   either before or after the ESP header depending on the semantics
   desired.  However, since ESP protects only fields after the ESP
   header, it generally may be desirable to place the destination
   options header(s) after the ESP header.  The following diagram
   illustrates ESP transport mode positioning for a typical IPv6 packet.

                     BEFORE APPLYING ESP
            ---------------------------------------
      IPv6  |             | ext hdrs |     |      |
            | orig IP hdr |if present| TCP | Data |
            ---------------------------------------












Kent & Atkinson             Standards Track                     [Page 8]

RFC 2406           IP Encapsulating Security Payload       November 1998


                     AFTER APPLYING ESP
            ---------------------------------------------------------
      IPv6  | orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
            |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer|Auth|
            ---------------------------------------------------------
                                         |<---- encrypted ---->|
                                     |<---- authenticated ---->|

                * = if present, could be before ESP, after ESP, or both

   ESP and AH headers can be combined in a variety of modes.  The IPsec
   Architecture document describes the combinations of security
   associations that must be supported.

   Tunnel mode ESP may be employed in either hosts or security gateways.
   When ESP is implemented in a security gateway (to protect subscriber
   transit traffic), tunnel mode must be used.  In tunnel mode, the
   "inner" IP header carries the ultimate source and destination
   addresses, while an "outer" IP header may contain distinct IP
   addresses, e.g., addresses of security gateways.  In tunnel mode, ESP
   protects the entire inner IP packet, including the entire inner IP
   header. The position of ESP in tunnel mode, relative to the outer IP
   header, is the same as for ESP in transport mode.  The following
   diagram illustrates ESP tunnel mode positioning for typical IPv4 and
   IPv6 packets.

            -----------------------------------------------------------
      IPv4  | new IP hdr* |     | orig IP hdr*  |   |    | ESP   | ESP|
            |(any options)| ESP | (any options) |TCP|Data|Trailer|Auth|
            -----------------------------------------------------------
                                |<--------- encrypted ---------->|
                          |<----------- authenticated ---------->|

            ------------------------------------------------------------
      IPv6  | new* |new ext |   | orig*|orig ext |   |    | ESP   | ESP|
            |IP hdr| hdrs*  |ESP|IP hdr| hdrs *  |TCP|Data|Trailer|Auth|
            ------------------------------------------------------------
                                |<--------- encrypted ----------->|
                            |<---------- authenticated ---------->|

               * = if present, construction of outer IP hdr/extensions
                   and modification of inner IP hdr/extensions is
                   discussed below.








Kent & Atkinson             Standards Track                     [Page 9]

RFC 2406           IP Encapsulating Security Payload       November 1998


3.2  Algorithms

   The mandatory-to-implement algorithms are described in Section 5,
   "Conformance Requirements".  Other algorithms MAY be supported.  Note
   that although both confidentiality and authentication are optional,
   at least one of these services MUST be selected hence both algorithms
   MUST NOT be simultaneously NULL.

3.2.1  Encryption Algorithms

   The encryption algorithm employed is specified by the SA.  ESP is
   designed for use with symmetric encryption algorithms.  Because IP
   packets may arrive out of order, each packet must carry any data
   required to allow the receiver to establish cryptographic
   synchronization for decryption.  This data may be carried explicitly
   in the payload field, e.g., as an IV (as described above), or the
   data may be derived from the packet header.  Since ESP makes
   provision for padding of the plaintext, encryption algorithms
   employed with ESP may exhibit either block or stream mode
   characteristics.  Note that since encryption (confidentiality) is
   optional, this algorithm may be "NULL".

3.2.2  Authentication Algorithms

   The authentication algorithm employed for the ICV computation is
   specified by the SA.  For point-to-point communication, suitable
   authentication algorithms include keyed Message Authentication Codes
   (MACs) based on symmetric encryption algorithms (e.g., DES) or on
   one-way hash functions (e.g., MD5 or SHA-1).  For multicast
   communication, one-way hash algorithms combined with asymmetric
   signature algorithms are appropriate, though performance and space
   considerations currently preclude use of such algorithms. Note that
   since authentication is optional, this algorithm may be "NULL".

3.3  Outbound Packet Processing

   In transport mode, the sender encapsulates the upper layer protocol
   information in the ESP header/trailer, and retains the specified IP
   header (and any IP extension headers in the IPv6 context).  In tunnel
   mode, the outer and inner IP header/extensions can be inter-related
   in a variety of ways.  The construction of the outer IP
   header/extensions during the encapsulation process is described in
   the Security Architecture document.  If there is more than one IPsec
   header/extension required by security policy, the order of the
   application of the security headers MUST be defined by security
   policy.





Kent & Atkinson             Standards Track                    [Page 10]

RFC 2406           IP Encapsulating Security Payload       November 1998


3.3.1  Security Association Lookup

   ESP is applied to an outbound packet only after an IPsec
   implementation determines that the packet is associated with an SA
   that calls for ESP processing.  The process of determining what, if
   any, IPsec processing is applied to outbound traffic is described in
   the Security Architecture document.

3.3.2  Packet Encryption

   In this section, we speak in terms of encryption always being applied
   because of the formatting implications.  This is done with the
   understanding that "no confidentiality" is offered by using the NULL
   encryption algorithm.  Accordingly, the sender:

       1. encapsulates (into the ESP Payload field):
               - for transport mode -- just the original upper layer
                 protocol information.
               - for tunnel mode -- the entire original IP datagram.
       2. adds any necessary padding.
       3. encrypts the result (Payload Data, Padding, Pad Length, and
          Next Header) using the key, encryption algorithm, algorithm
          mode indicated by the SA and cryptographic synchronization
          data (if any).
               - If explicit cryptographic synchronization data, e.g.,
                 an IV, is indicated, it is input to the encryption
                 algorithm per the algorithm specification and placed
                 in the Payload field.
               - If implicit cryptographic synchronication data, e.g.,
                 an IV, is indicated, it is constructed and input to
                 the encryption algorithm as per the algorithm
                 specification.

   The exact steps for constructing the outer IP header depend on the
   mode (transport or tunnel) and are described in the Security
   Architecture document.

   If authentication is selected, encryption is performed first, before
   the authentication, and the encryption does not encompass the
   Authentication Data field.  This order of processing facilitates
   rapid detection and rejection of replayed or bogus packets by the
   receiver, prior to decrypting the packet, hence potentially reducing
   the impact of denial of service attacks.  It also allows for the
   possibility of parallel processing of packets at the receiver, i.e.,
   decryption can take place in parallel with authentication.  Note that
   since the Authentication Data is not protected by encryption, a keyed
   authentication algorithm must be employed to compute the ICV.




Kent & Atkinson             Standards Track                    [Page 11]