IPSec ESP Packet Format
IPSec is implemented through two security protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
Of the two, ESP provides not only data origin authentication and integrity checking but also encryption of the IP packet.
1. IPSec ESP encapsulation and header format
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Security Parameters Index (SPI)                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Sequence Number                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Payload Data* (variable)                   |
~                                                               ~
|                                                               |
+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               |     Padding (0-255 bytes)                     |
+-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                               |  Pad Length   | Next Header   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Integrity Check Value-ICV   (variable)                |
~                                                               ~
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
2. IPSec ESP header fields explained
Field | Length | Description |
---|---|---|
Security Parameters Index | 32 bits | Security Parameters Index; identifies the security association (SA) the packet belongs to. |
Sequence Number | 32 bits | Sequence number, incremented for every packet sent on the SA and used for anti-replay checking. |
Payload Data* | variable | Payload data (variable length): the protected upper-layer data or IP packet. |
Padding | 0–255 bytes | Padding field. |
Pad Length | 8 bits | Length of the padding field in bytes. |
Next Header | 8 bits | Next header: the protocol type of the payload data. |
Integrity Check Value-ICV | variable | Integrity check value (authentication data). |
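The following Python example is added here and is not part of the original article. It lays out an ESP packet exactly as the table describes it and parses it back. It uses ESP with NULL encryption (RFC 2410), so every field stays visible, and an HMAC-SHA1-96 ICV computed over the fields that ESP integrity-protects (SPI, Sequence Number, Payload Data, Padding, Pad Length, Next Header). The SPI 0xaa40dd69 and sequence number 1 are taken from the capture in the next section; the key, the 8-byte ICMP payload and the function names are constructed for this example.

```python
import hashlib
import hmac
import struct

# ESP header: SPI (4 bytes) + Sequence Number (4 bytes), both big-endian.
ESP_HEADER = struct.Struct("!II")
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404): ICV truncated to 96 bits
IPPROTO_ICMP = 1

KEY = b"constructed-demo-key"                        # constructed sample key
SAMPLE_PAYLOAD = bytes.fromhex("0800f7ff00000000")   # constructed ICMP echo header


def build_esp(spi, seq, payload, next_header, auth_key, block_size=4):
    """Lay out an ESP packet with NULL encryption: payload and trailer travel in
    clear and only the ICV protects them.  block_size=4 honours the rule that
    Pad Length / Next Header must end on a 32-bit boundary; a real cipher would
    pass its block size here instead."""
    # Padding makes (payload + padding + 2 trailer bytes) a multiple of block_size.
    pad_len = (-(len(payload) + 2)) % block_size
    # Default padding content is 1, 2, 3, ... (RFC 4303 section 2.4).
    padding = bytes(range(1, pad_len + 1))
    body = (ESP_HEADER.pack(spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    # ICV covers SPI, Sequence Number, Payload Data, Padding, Pad Length, Next Header.
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet, auth_key):
    """Verify the ICV, then strip the trailer and return header fields + payload.
    Raises ValueError on a bad ICV or an inconsistent trailer."""
    if len(packet) < ESP_HEADER.size + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    # Constant-time comparison: a timing leak here would help an attacker forge ICVs.
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = ESP_HEADER.unpack_from(body)
    pad_len, next_header = body[-2], body[-1]
    # The padding must fit between the header and the trailer.
    payload_end = len(body) - 2 - pad_len
    if payload_end < ESP_HEADER.size:
        raise ValueError("Pad Length exceeds packet")
    if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding content is not the default sequence")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": body[ESP_HEADER.size:payload_end]}


if __name__ == "__main__":
    pkt = build_esp(0xAA40DD69, 1, SAMPLE_PAYLOAD, IPPROTO_ICMP, KEY)
    print(pkt.hex())
    print(parse_esp(pkt, KEY))
```

With the 8-byte sample payload the packet is 32 bytes: 8 bytes of header, 8 of payload, 2 padding bytes (01 02), Pad Length 2, Next Header 1 and a 12-byte ICV. Flipping any byte before the ICV makes `parse_esp` reject the packet, which is the whole point of checking the ICV before looking at Pad Length or Next Header.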
3. IPsec ESP packet example
```
Frame 4: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits)
    Arrival Time: Mar 9, 2005 18:43:22.031525000
    Epoch Time: 1110365002.031525000 seconds
    [Time delta from previous captured frame: 2.002245001 seconds]
    [Time delta from previous displayed frame: 2.002245001 seconds]
    [Time since reference or first frame: 2.022646000 seconds]
    Frame Number: 4
    Frame Length: 174 bytes (1392 bits)
    Capture Length: 174 bytes (1392 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:ah:esp]
Ethernet II, Src: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d), Dst: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
    Destination: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
        Address: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d)
        Address: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.6.7.8 (10.6.7.8), Dst: 10.6.7.10 (10.6.7.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 160
    Identification: 0x029a (666)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: AH (51)
    Header checksum: 0xa073 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.6.7.8 (10.6.7.8)
    Destination: 10.6.7.10 (10.6.7.10)
Authentication Header
    Next Header: ESP (0x32)
    Length: 24
    AH SPI: 0x2ff1ca42
    AH Sequence: 1
    AH ICV: f9c2e208697acabb0c81f575
Encapsulating Security Payload
    ESP SPI: 0xaa40dd69
    ESP Sequence: 1
```
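As an added example (not from the article), the following Python walks the IP, AH and ESP chain that the capture above shows (`eth:ip:ah:esp`), stopping at the ESP header because everything after it is ciphertext, trailer and ICV that cannot be read without the SA's keys. The sample packet is constructed from the header values in Frame 4 (addresses, identification, TTL, protocol 51, AH SPI/sequence/ICV, ESP SPI/sequence); the 108 opaque bytes after the ESP header are not shown in the capture and are filled with zeros, and the IPv4 header checksum is recomputed here rather than copied. Function names are this example's own.

```python
import socket
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header without options
AH_HDR = struct.Struct("!BBHII")            # Next Header, Payload Len, Reserved, SPI, Sequence
ESP_HDR = struct.Struct("!II")              # SPI, Sequence Number


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words; caller zeroes the checksum field first."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def walk_ip_packet(pkt):
    """Parse IPv4 -> (AH)* -> ESP and return the layers in order.
    Every length field is checked against the packet before it is used."""
    if len(pkt) < IPV4_HDR.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = IPV4_HDR.unpack_from(pkt)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("inconsistent IPv4 length fields")
    layers = [("IP", {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "id": ident, "ttl": ttl, "protocol": proto,
                      "total_length": total_len})]
    offset, next_header = ihl, proto
    # AH may precede ESP, as in the capture; follow the Next Header chain.
    while next_header == IPPROTO_AH:
        if offset + AH_HDR.size > total_len:
            raise ValueError("truncated AH header")
        ah_next, payload_len, _, spi, seq = AH_HDR.unpack_from(pkt, offset)
        ah_len = (payload_len + 2) * 4      # Payload Len is in 32-bit words minus 2
        if offset + ah_len > total_len:
            raise ValueError("AH length exceeds packet")
        icv = pkt[offset + AH_HDR.size:offset + ah_len]
        layers.append(("AH", {"next_header": ah_next, "length": ah_len,
                              "spi": spi, "seq": seq, "icv": icv.hex()}))
        offset, next_header = offset + ah_len, ah_next
    if next_header == IPPROTO_ESP:
        if offset + ESP_HDR.size > total_len:
            raise ValueError("truncated ESP header")
        spi, seq = ESP_HDR.unpack_from(pkt, offset)
        # Only SPI and Sequence Number are readable; the rest is opaque to an observer.
        layers.append(("ESP", {"spi": spi, "seq": seq,
                               "opaque_bytes": total_len - offset - ESP_HDR.size}))
    return layers


# Constructed packet reproducing the header values of Frame 4 in the capture.
_ip_no_csum = IPV4_HDR.pack(0x45, 0x00, 160, 0x029A, 0x0000, 255, IPPROTO_AH, 0,
                            socket.inet_aton("10.6.7.8"), socket.inet_aton("10.6.7.10"))
_ip = _ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(_ip_no_csum)) + _ip_no_csum[12:]
# AH: 12 fixed bytes + 12-byte ICV = 24 bytes, so Payload Len = 24/4 - 2 = 4.
_ah = AH_HDR.pack(IPPROTO_ESP, 4, 0, 0x2FF1CA42, 1) + bytes.fromhex("f9c2e208697acabb0c81f575")
# ESP header followed by 108 placeholder bytes (ciphertext + trailer + ICV not in the capture).
_esp = ESP_HDR.pack(0xAA40DD69, 1) + bytes(108)
SAMPLE_PACKET = _ip + _ah + _esp

if __name__ == "__main__":
    for name, fields in walk_ip_packet(SAMPLE_PACKET):
        print(name, fields)
```

The walk reproduces what the dissector printed: AH `Length: 24` is derived from the Payload Len field, and the ESP layer exposes only SPI 0xaa40dd69 and sequence 1. Total Length 160 accounts for 20 bytes of IP header, 24 of AH, 8 of ESP header and 108 opaque bytes, which is exactly what a network monitor can learn from an ESP packet without the SA's keys.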