Encapsulating Security Payload
Last Updated : 10 Apr, 2026
Encapsulating Security Payload (ESP) is the IPsec protocol (IP protocol number 50, defined in RFC 4303) that provides confidentiality, connectionless integrity, data-origin authentication and anti-replay protection for IP traffic. Encryption hides the payload from anyone on the path, but encryption alone does not stop an attacker from modifying the packet; that is the job of the separate Integrity Check Value (ICV), so integrity should always be enabled alongside encryption. ESP is the workhorse of most Virtual Private Networks (VPNs), where it carries traffic securely across an untrusted network.
- Provides data confidentiality by encrypting the payload (and the ESP trailer, so the inner protocol and true length are hidden too).
- Ensures data integrity: the receiver recomputes the ICV and drops any packet that has been altered.
- Provides data-origin authentication: a valid ICV proves the packet was produced by the peer holding the Security Association's key.
- Protects against replay attacks with a per-packet sequence number checked against a sliding window at the receiver.
Components
An ESP packet (RFC 4303) is laid out as follows. The ESP header holds the first two fields, the ESP trailer holds the Padding, Pad Length and Next Header fields, and the ICV follows the trailer:

- **Security Parameter Index (SPI):** A 32-bit value that, together with the destination address and the protocol (ESP), identifies the Security Association (SA) at the receiver, so the correct keys, algorithms and replay window are used. It is sent in the clear and covered by the ICV.
- **Sequence Number:** A 32-bit counter, starting at 1 for the first packet on an SA and incremented for every packet sent. The sender always includes it; the receiver uses it to reject duplicated or replayed packets via a sliding window. When the counter would wrap, the SA must be rekeyed; 64-bit Extended Sequence Numbers (ESN) are available for high-speed links and transmit only the low 32 bits.
- **Payload Data:** The data being protected: a transport-layer segment in transport mode, or an entire inner IP packet in tunnel mode. For ciphers that need an IV (AES-CBC, AES-GCM), the IV sits at the start of this field and is sent unencrypted. Everything after the IV is encrypted.
- **Padding:** 0 to 255 bytes that align the encrypted data to the cipher's block size and place the trailer on the 4-byte boundary ESP requires; extra padding (traffic-flow confidentiality padding) can also hide the real length of the data. The padding is encrypted.
- **Pad Length:** A one-byte count of the padding bytes, so the receiver knows how many to strip after decryption.
- **Next Header:** A one-byte IP protocol number describing what the payload contains, for example 6 for TCP (transport mode), 4 for an inner IPv4 packet (tunnel mode), or 59 for a dummy packet the receiver must discard. Because it is encrypted, an observer cannot see which protocol is being carried.
- **Authentication Data (ICV):** A variable-length Integrity Check Value: a MAC such as HMAC-SHA-256-128, or the tag produced by an AEAD cipher such as AES-GCM. It is computed over the SPI, Sequence Number and the encrypted payload and trailer, but not over the outer IP header (unlike AH). It is present only when the SA has integrity protection selected.
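The receiver-side check behind the Sequence Number field is the sliding anti-replay window of RFC 4303 Appendix A. The block below is an added example (not code from the original article or from any IPsec implementation) that implements a 64-packet window as a bitmap: sequence numbers above the current top slide the window forward, numbers inside the window are accepted once and then marked, and numbers that fall off the left edge or were already seen are dropped. The sequence numbers fed to `run_sequence` are constructed for the demonstration; sequence number 0 is treated as invalid because ESP starts every SA at 1.

```python
"""Anti-replay window for ESP sequence numbers (RFC 4303 Appendix A style).

Added example, not the original article's code. Window size and the
sample sequence numbers in run_sequence() are constructed for illustration.
"""


class ReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0        # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq: int) -> bool:
        """Return True if `seq` is fresh and record it; False if it must be dropped."""
        if seq == 0:
            # RFC 4303: the first packet on an SA carries sequence number 1;
            # 0 is never transmitted, so it can only be a bogus packet.
            return False
        if seq > self.top:
            # Packet is to the right of the window: slide the window forward.
            # Bits older than `size` fall off the left edge.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False    # too old: left of the window, drop it
        mask = 1 << offset
        if self.bitmap & mask:
            return False    # replay: this sequence number was already accepted
        self.bitmap |= mask
        return True


def run_sequence(seqs, size: int = 64):
    """Feed a list of arriving sequence numbers through one window; return the verdicts."""
    win = ReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, out-of-order, duplicate, far-ahead jump, too-old.
    arrivals = [1, 2, 5, 3, 3, 5, 100, 36, 37, 200]
    for s, ok in zip(arrivals, run_sequence(arrivals)):
        print(f"seq {s:>4}: {'accept' if ok else 'drop'}")
```

In a real implementation the bitmap is only updated after the ICV has verified, so that an attacker cannot poison the window with forged sequence numbers; the check here assumes that ordering.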
Working
- **Data Preparation:** The sender's IPsec policy matches the outgoing packet to an SA (SPI, keys, algorithms, mode) and selects what will become the ESP payload: the transport segment in transport mode, or the whole IP packet in tunnel mode.
- **Encapsulation:** The ESP header (SPI and the next Sequence Number) is prepended, and the ESP trailer (Padding, Pad Length, Next Header) is appended to the payload.
- **Encryption:** The payload and trailer are encrypted with the SA's cipher, for example AES-CBC or AES-GCM. The ESP header and the IV are not encrypted, because the receiver needs them to find the SA and initialise the cipher.
- **Authentication:** The ICV is computed over the ESP header, IV and ciphertext (encrypt-then-MAC) and appended. With an AEAD cipher such as AES-GCM, encryption and tag generation are a single operation.
- **Packet Transmission:** The packet is sent with the IP header's protocol field set to 50 (ESP).
- **Verification:** The receiver looks up the SA by SPI, checks the Sequence Number against its replay window, recomputes the ICV and compares it in constant time. A packet that fails any check is dropped before any decryption is attempted.
- **Decryption:** The payload is decrypted, the padding is removed using Pad Length, and the data is handed to the protocol named by Next Header.
- **Secure Communication:** The receiver obtains the original payload knowing it was neither read, modified nor replayed in transit.
Modes in ESP
Encapsulating Security Payload supports two modes:
1. Tunnel Mode:
In this mode, the entire original IP packet (header + payload) becomes the ESP payload and is encrypted, then a new outer IP header is added in front of the ESP header. Next Header in the trailer is 4 (IPv4) or 41 (IPv6).
- The outer IP header carries the addresses of the two IPsec gateways; the original source and destination addresses are inside the encrypted payload and hidden from observers.
- Both the original payload and the original IP header are protected. The outer IP header is not covered by the ICV in either mode (that is what AH adds).
- Commonly used in VPNs and gateway-to-gateway (site-to-site) communication, and for remote-access clients.
2. Transport Mode:
In this mode, the ESP header is inserted between the original IP header and the transport-layer data; only the transport segment and the ESP trailer are encrypted, and the original IP header stays in the clear with its protocol field changed to 50. Next Header in the trailer is the original transport protocol, for example 6 for TCP.
- The original IP header is not encrypted, so the communicating endpoints and routing information remain visible to an observer, although the transport protocol and ports do not.
- Adds less overhead than tunnel mode because no second IP header is carried.
- Commonly used for end-to-end communication between two hosts, and as the inner layer of L2TP/IPsec.
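The following block is an added example, not code from the original article or from any IPsec stack, covering both the encapsulation procedure described under Working and the two modes above. It builds the RFC 4303 packet layout (SPI, Sequence Number, IV, encrypted payload plus trailer, ICV) with encrypt-then-MAC ordering, verifies the ICV before decrypting, and then wraps the result in transport mode (original header kept, protocol rewritten to 50) and in tunnel mode (whole inner packet encrypted, new outer header). Two assumptions are labelled in the code: the integrity transform is HMAC-SHA-256-128 (a real ESP transform from RFC 4868), while the confidentiality transform is a stand-in keystream cipher derived from HMAC-SHA256 so the block runs with the standard library only; it is not AES and must be replaced by AES-CBC or AES-GCM from a crypto library for anything real. Addresses, keys and the TCP payload are constructed sample data, and the IPv4 checksum is left at zero for brevity.

```python
"""ESP encapsulation (RFC 4303 layout) in transport and tunnel mode.

Added example, not the original article's code. Stand-ins are labelled:
the cipher is an HMAC-SHA256 keystream (NOT AES, demonstration only);
the ICV is HMAC-SHA-256-128 as in RFC 4868. Sample data is constructed.
"""
from __future__ import annotations
import hashlib
import hmac
import os
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
IV_LEN, BLOCK, ICV_LEN = 16, 16, 16      # BLOCK mimics AES-CBC's 16-byte alignment


class SecurityAssociation:
    """Minimal SA: SPI, encryption key, integrity key and the sender's sequence counter."""
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes) -> None:
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """STAND-IN cipher: HMAC-SHA256 in counter mode, XORed over the data. Not AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def esp_encapsulate(sa: SecurityAssociation, payload: bytes, next_header: int,
                    iv: bytes | None = None) -> bytes:
    """Build SPI | Seq | IV | E(payload | padding | pad_len | next_header) | ICV."""
    sa.seq += 1
    if sa.seq >= 2 ** 32:
        raise RuntimeError("sequence number exhausted: rekey the SA")     # RFC 4303 3.3.3
    iv = iv if iv is not None else os.urandom(IV_LEN)
    pad_len = (-(len(payload) + 2)) % BLOCK          # trailer must end on a block boundary
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default pad bytes 1, 2, 3 ...
    trailer = padding + bytes([pad_len, next_header])
    header = struct.pack(">II", sa.spi, sa.seq)
    body = header + iv + _keystream_xor(sa.enc_key, iv, payload + trailer)
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]   # HMAC-SHA-256-128
    return body + icv


def esp_decapsulate(sa: SecurityAssociation, packet: bytes) -> tuple[int, bytes]:
    """Verify the ICV first, then decrypt; returns (next_header, payload)."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet dropped before decryption")
    spi, _seq = struct.unpack(">II", body[:8])       # replay-window check would go here
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plain = _keystream_xor(sa.enc_key, iv, ciphertext)
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options; checksum left at 0 for brevity."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))


def outer_view(packet: bytes) -> tuple[str, str, int]:
    """What an on-path observer sees in the clear: outer src, dst and protocol number."""
    src, dst = packet[12:16], packet[16:20]
    return ".".join(map(str, src)), ".".join(map(str, dst)), packet[9]


def transport_mode(sa: SecurityAssociation, src: str, dst: str, tcp_segment: bytes) -> bytes:
    """Original IP header kept (protocol rewritten to 50); ESP sits before the TCP data."""
    esp = esp_encapsulate(sa, tcp_segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(sa: SecurityAssociation, gw_src: str, gw_dst: str,
                src: str, dst: str, tcp_segment: bytes) -> bytes:
    """Whole inner IP packet is the ESP payload (Next Header = 4); new outer header added."""
    inner = ipv4_header(src, dst, IPPROTO_TCP, len(tcp_segment)) + tcp_segment
    esp = esp_encapsulate(sa, inner, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


if __name__ == "__main__":
    sa = SecurityAssociation(0x1234ABCD, os.urandom(32), os.urandom(32))
    seg = b"GET / HTTP/1.1\r\nHost: 10.0.0.2\r\n\r\n"        # constructed sample TCP payload
    print("transport:", outer_view(transport_mode(sa, "10.0.0.1", "10.0.0.2", seg)))
    print("tunnel:   ", outer_view(tunnel_mode(sa, "203.0.113.1", "198.51.100.1",
                                               "10.0.0.1", "10.0.0.2", seg)))
```

Running it shows the difference the text describes: the transport-mode packet exposes `10.0.0.1 -> 10.0.0.2` with protocol 50, while the tunnel-mode packet exposes only the gateway addresses `203.0.113.1 -> 198.51.100.1`, with the inner header and payload recoverable only through `esp_decapsulate` on the correct SA. Flipping any byte of the ESP body makes `esp_decapsulate` raise before decryption runs.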
Advantages
- **Provides Confidentiality:** Encrypts the payload and trailer so that an on-path observer cannot read the data or even see which transport protocol is carried.
- **Ensures Data Integrity and Origin Authentication:** The ICV lets the receiver detect any modification and confirms the packet came from the peer holding the SA's key.
- **Protection Against Replay Attacks:** The sequence number and the receiver's sliding window identify and discard duplicated or re-injected packets.
- **Supports Strong Encryption Algorithms:** Works with modern ciphers such as AES-CBC with HMAC-SHA-256 and, preferably, the AEAD cipher AES-GCM, which provides encryption and integrity in one pass.
Disadvantages
- **Increased Processing Overhead:** Encryption and ICV computation cost CPU on every packet, although AES hardware acceleration makes this minor on modern hosts.
- **Complex Configuration:** Keys, SPIs, algorithms, lifetimes and traffic selectors must agree on both sides; in practice IKE negotiates them, which adds its own configuration surface.
- **Compatibility Issues:** ESP is IP protocol 50, not a TCP or UDP port, so port-based firewalls may block it, and NAT breaks it because the outer header is not covered by the ICV but the inner transport checksums are encrypted. NAT Traversal (NAT-T, RFC 3948) works around this by carrying ESP inside UDP port 4500.
- **Increased Packet Size:** The ESP header, IV, padding, trailer and ICV (and in tunnel mode a second IP header) add overhead to every packet, reducing the usable MTU and, if not accounted for, causing fragmentation.