Full version: IPSec message format

The IPSec protocol suite is a series of protocols developed by the IETF (Internet Engineering Task Force), which provides high-quality, interoperable, cryptography-based security for IP datagrams.

IPSec is implemented through two security protocols: authentication header AH (Authentication Header, protocol number 51) and encapsulating security payload ESP (Encapsulating Security Payload). AH can provide data source verification and data integrity check functions; ESP can not only provide data verification and integrity check functions, but also provide encryption functions for IP messages.

The IPSec protocol has two encapsulation modes:

• transmission mode. In transport mode, AH or ESP is inserted after the IP header but before all transport layer protocols, or before all other IPSec protocols.

• Tunnel mode. In tunnel mode, AH or ESP is inserted before the original IP header, and a new IP header is generated and placed before AH or ESP.

Transport mode is used for communication between two hosts, or between a host and a security gateway. In transport mode, the two devices that encrypt and decrypt messages must themselves be the original sender and final recipient of the message.

Usually, most of the data traffic between two security gateways (routers) is not the traffic of the security gateway itself. Therefore, the transmission mode is generally not used between security gateways, but the tunnel mode is always used. Messages encrypted at one security gateway can only be decrypted by another security gateway. Therefore, the IP packet must be tunnel-encapsulated, that is, a new IP header is added, and the tunnel-encapsulated IP packet is sent to another security gateway before it can be decrypted.

Message format

Figure 1 AH package and header format

Field	length	describe
Next Header	8 bits	Represents the next payload after the authentication header.
Payload Len	8 bits	The length of AH is reduced by 2, and 4 bytes is the counting unit. For example, with a 96-bit authentication value, the length would be "4" (i.e. 3 fixed 4 bytes for the header + 3 4 bytes for the ICV - 2). For IPv6, the total header length must be a multiple of 8 bytes.
RESERVED	16 bits	Reserved for future use. Must be set to 0 and ignored when receiving.
Security Parameters Index	32 bits	Used to identify SA to the message receiving end
Sequence Number Field	32 bits	Sequence number. Every time a message is sent, the count increases by 1. For example, every time a SA message is sent, the sequence number increases by 1.
Integrity Check Value-ICV	lengthen	The ICV field of the message has variable length. The length must be an integer multiple of 32 bits.

Figure 2 ESP encapsulation and header format

Field	length	describe
Security Parameters Index	32 bits	Security parameter index.
Sequence Number	32 bits	serial number.
Payload Data*	lengthen	Payload data (variable).
Padding	0–255 bytes	Populate the fields.
Pad Length	8 bits	Padding field length.
Next Header	8 bits	Next head.
Integrity Check Value-ICV	lengthen	verify the data.

Figure 3 Combined use of AH and ESP protocols

Internet Key Exchange Protocol IKE (Internet Key Exchange) is the signaling protocol of IPSEC.

Figure 4 IKE Header Format

Field	length	describe
IKE_AS Initiator's SPI	8 bytes	The sender is used to uniquely identify an IKE security association. This value cannot be set to 0.
IKE_AS Responder's SPI	8 bytes	The responder is used to uniquely identify an IKE security association. This value must be 0 for the initial IKE interaction message and cannot be 0 for other messages.
Next Payload	1 byte	Only the type of load that follows the head.
MjVer	4 bits	Identifies the maximum version of the IKE protocol used.
MnVer	4 bits	Identifies the minimum version of the IKE protocol used.
Exchange Type	1 byte	0-33: RESERVED 34: IKE_IN_INIT 35: IKE_AUTH 36: CREATE_CHILD_SA 37: INFORMATIONAL 38-239: RESERVED TO IANA 240-255: Reserved for private use.
Flags	1 byte	Specific options set in the message. If the Flag field is set, it means there are options. X(reserved) (bits 0-2) - Must be cleared to 0 when sending, ignored when receiving. I(nitiator) (bit 3 of Flags) - IKE_SA原始发送者在发送消息是必须将此位置1，源回应者发送的消息必须清零。 V(ersion) (bit 4 of Flags) - 标识转发者支持的版本比Major字段标识的版本更高 IKEv2版本的实现中，此比特必须置0，接收时忽略。 R(esponse) (bit 5 of Flags) - 标识此消息是对相同Message-ID的消息的一个回应消息。所有请求消息中此位需置0，所有回应消息置1。 X(reserved) (bits 6-7 of Flags) - 发送时需置0，接收时忽略。
Message ID	4 bytes	消息标识符，用来对请求消息和呼应消息的匹配，以便控制丢弃消息的重复发送。这在抑制重放攻击时对保障协议的安全性很关键。
Length	4 bytes	整个消息的长度（报文头+负荷），以字节为单位。
Next Payload	1 byte	标识消息中的下一个负载的类型。如果当前的负载是消息的最后一个，则此字段置0。 0: No Next Payload 1-32: RESERVED 33: Security Association (SA) 34: Key Exchange (KE) 35: Identification - Initiator (IDi) 36: Identification - Responder (IDr) 37: Certificate (CERT) 38: Certificate Request (CERTREQ) 39: Authentication (AUTH) 40: Nonce (Ni, Nr) 41: Notify (N) 42: Delete (D) 43: Vendor ID (V) 44: Traffic Selector - Initiator (TSi) 45: Traffic Selector - Responder (TSr) 46: Encrypted (E) 47: Configuration (CP) 48: Extensible Authentication (EAP) 49-127: RESERVED TO IANA 128-255: PRIVATE USE
C (Critical)	1 bit	如果发送者想让接收者在无法识别当前一个负载的Next Payload域是能够跳过此域，可将此位置0。 如果接收者能够识别负载的类型代码，则忽略此位。 负载类型为以下情况时，此位必须设置为0。 Security Association (SA) Key Exchange (KE) Identification - Initiator (IDi) Identification - Responder (IDr) Certificate (CERT) Certificate Request (CERTREQ) Authentication (AUTH) Nonce (Ni, Nr) Notify (N) Delete (D) Vendor ID (V) Traffic Selector - Initiator (TSi) Traffic Selector - Responder (TSr) Encrypted (E) Configuration (CP) Extensible Authentication (EAP) 注意，C比特应用于当前负载，而不是下一个负载。
RESERVED	7 bits	发送时必须置0，接收时忽略。
Payload Length	2 bytes	当前负载的长度，包括通用负载的头部，以字节为单位。