March 5, 2002
Practical Aspects of Modern Cryptography
IPSEC ESP and NAT
• Can change IP header in special cases only
• Special TCP/UDP ignores pseudo header used in checksum calculation
• Port information encrypted!
• Can't change ESP header because of integrity hash coverage
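[Figure: ESP packet layout, in order: Orig IP Hdr, ESP Hdr, TCP Hdr, Data, ESP Trailer, ESP Auth. Encrypted: TCP Hdr, Data, ESP Trailer. Integrity hash coverage: ESP Hdr through ESP Trailer.]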
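The three points on this slide, as an added example that is not part of the original lecture: a standard TCP checksum breaks when only the outer source address is rewritten, the ports are not readable in the ESP packet, and rewriting the ESP header fails the integrity check. Assumptions: all function names are hypothetical, keys and addresses are constructed, `toy_cipher` is a hash-based stand-in for the real ESP cipher, the ICV is HMAC-SHA-1 truncated to 96 bits, and the outer IP header is not modeled.

```python
import hashlib, hmac, socket, struct

def inet_checksum(data):
    data += b"\x00" * (len(data) % 2)                 # pad to a whole 16-bit word
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                                # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src, dst, tcp_len):
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_segment(src, dst, sport, dport, payload):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload  # checksum at offset 16

def tcp_checksum_ok(src, dst, segment):
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def toy_cipher(key, nonce, data):  # XOR with a SHA-256 keystream, illustration only
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def esp_encapsulate(spi, seq, enc_key, auth_key, segment):
    esp_hdr = struct.pack("!II", spi, seq)
    body = toy_cipher(enc_key, esp_hdr, segment + struct.pack("!BB", 0, 6))  # + ESP trailer
    icv = hmac.new(auth_key, esp_hdr + body, hashlib.sha1).digest()[:12]     # ESP Auth
    return esp_hdr + body + icv

def esp_decapsulate(packet, enc_key, auth_key):
    esp_hdr, body, icv = packet[:8], packet[8:-12], packet[-12:]
    good = hmac.new(auth_key, esp_hdr + body, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, good):
        return None                                   # integrity check failed, packet dropped
    return toy_cipher(enc_key, esp_hdr, body)[:-2]    # decrypt, strip the 2-byte trailer

def nat_demo():
    enc_key, auth_key = b"E" * 16, b"A" * 20          # constructed keys
    inside, public, peer = "10.0.0.5", "203.0.113.9", "198.51.100.7"  # constructed
    pkt = esp_encapsulate(0x1000, 1, enc_key, auth_key, tcp_segment(inside, peer, 40000, 443, b"hello"))
    inner = esp_decapsulate(pkt, enc_key, auth_key)   # outer IP rewrite leaves ESP bytes as is
    respi = struct.pack("!I", 0x2000) + pkt[4:]       # device rewrites the SPI in the ESP header
    return {
        "icv_ok_after_ip_rewrite": inner is not None,
        "tcp_checksum_ok_inside_src": tcp_checksum_ok(inside, peer, inner),
        "tcp_checksum_ok_public_src": tcp_checksum_ok(public, peer, inner),
        "ports_visible_to_nat": struct.pack("!HH", 40000, 443) in pkt,
        "icv_ok_after_spi_rewrite": esp_decapsulate(respi, enc_key, auth_key) is not None,
    }
```

Calling `nat_demo()` returns the five checks as a dictionary; the receiver sees the translated public address, so the failing `tcp_checksum_ok_public_src` entry is the check it would actually perform.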