Security Payload (ESP).
Authentication Header (AH)
The AH protocol provides authentication for the data and the IP header of a packet using a one-way hash for packet authentication. It works like this: the sender computes a one-way hash over the packet, and the receiver computes the same hash over what it received. If the packet has changed in any way, the hashes won’t match, the packet won’t be authenticated, and it will be dropped. So basically, IPSec relies upon AH to guarantee authenticity. AH checks the entire packet, but it doesn’t offer any encryption services. This is unlike ESP, which only provides an integrity check on the data of a packet.
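The sender-computes, receiver-recomputes check described above, as an added example that is not from the original text. It is a simplified illustration rather than the real AH header layout: the key, header and payload bytes are constructed here, a keyed hash (HMAC-SHA256) stands in for the authenticator, and the whole IP header is treated as immutable (real AH zeroes mutable header fields such as TTL before hashing). The point it shows is that any change to the header or the payload is detected, while the payload itself stays readable, since AH gives integrity and authenticity but no encryption.

```python
import hashlib
import hmac

# Constructed shared key, agreed by both endpoints out of band (illustration only).
SHARED_KEY = b"constructed-shared-secret-key"

# Constructed packet pieces: a fake 20-byte IPv4-style header and a readable payload.
IP_HEADER = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7")
PAYLOAD = b"hello from the sender"


def compute_authenticator(key: bytes, ip_header: bytes, payload: bytes) -> bytes:
    """Sender side: keyed one-way hash over the header and the data."""
    return hmac.new(key, ip_header + payload, hashlib.sha256).digest()


def receiver_accepts(key: bytes, ip_header: bytes, payload: bytes, authenticator: bytes) -> bool:
    """Receiver side: recompute the hash and compare in constant time.

    A mismatch means the packet was altered in transit (or was never produced by a
    holder of the key), so the receiver drops it.
    """
    expected = compute_authenticator(key, ip_header, payload)
    return hmac.compare_digest(expected, authenticator)


def demo() -> dict:
    """Run the check on an untouched packet and on two tampered copies."""
    auth = compute_authenticator(SHARED_KEY, IP_HEADER, PAYLOAD)

    # Untouched packet: accepted.
    ok_original = receiver_accepts(SHARED_KEY, IP_HEADER, PAYLOAD, auth)

    # One payload byte flipped in transit: rejected.
    tampered_payload = PAYLOAD[:-1] + bytes([PAYLOAD[-1] ^ 0x01])
    ok_payload_changed = receiver_accepts(SHARED_KEY, IP_HEADER, tampered_payload, auth)

    # Destination address in the header rewritten: also rejected, because AH
    # covers the IP header as well as the data.
    tampered_header = IP_HEADER[:16] + bytes.fromhex("c0a800c8")
    ok_header_changed = receiver_accepts(SHARED_KEY, tampered_header, PAYLOAD, auth)

    return {
        "original_accepted": ok_original,
        "payload_change_accepted": ok_payload_changed,
        "header_change_accepted": ok_header_changed,
        # No encryption: the payload is still plaintext on the wire.
        "payload_readable": PAYLOAD.decode() == "hello from the sender",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```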
Encapsulating Security Payload (ESP)
It won’t tell you when or how the NASDAQ’s gonna bounce up and down like a superball, but ESP will provide confidentiality, data origin authentication, connectionless integrity, antireplay service, and limited traffic-flow confidentiality by defeating traffic flow analysis. Which is almost as good! Anyway, there are four components of ESP:
Confidentiality Confidentiality is provided through the use of symmetric encryption algorithms like DES or 3DES. Confidentiality can be selected separately from all other services, but the confidentiality selected must be the same on all endpoints of your VPN.
Data origin authentication and connectionless integrity Data origin authentication and connectionless integrity are joint services offered as an option in conjunction with the likewise
Anti-replay service You can only use the anti-replay service if data origin authentication is selected. Anti-replay election is based upon the receiver, meaning the service is effective only if the receiver checks the sequence number. In case you were wondering, a replay attack is when a hacker nicks a copy of an authenticated packet and later transmits it to the intended destination. When the duplicate, authenticated IP packet gets to the destination, it can disrupt services and other ugly stuff. The Sequence Number field is designed to foil this type of attack.
Traffic flow For traffic flow confidentiality to work, you have to have tunnel mode selected. And it’s most effective if it’s implemented at a security gateway where tons of traffic amasses, a situation that can mask the true source-destination patterns of bad guys trying to breach your network’s security.
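The receiver-side sequence number check behind the anti-replay service, as an added example that is not part of the original text. It implements the sliding-window algorithm ESP receivers use (a 64-packet window is assumed here; the page does not give a size): a packet is accepted if its sequence number is newer than anything seen, or falls inside the window and has not already been received; a duplicate or a number that has slid out of the window is dropped. As the text says, this only makes sense once data origin authentication is in use, so the window is updated only for packets whose authenticator has already been verified; that verification is assumed to have happened before `check_and_update` is called.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window over 32-bit ESP sequence numbers.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been received.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if it is fresh, False if it must be dropped.

        Call this only after the packet's integrity check has passed, so that
        a forged sequence number cannot advance the window.
        """
        if seq == 0:
            return False  # sequence numbers start at 1; 0 is never valid

        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # everything previously tracked is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True

        offset = self.top - seq
        if offset >= self.size:
            return False  # too old to be tracked: drop rather than risk a replay
        if self.bitmap & (1 << offset):
            return False  # already received: this is the replayed duplicate
        self.bitmap |= 1 << offset  # late but genuine: accept once and remember it
        return True


def replay_demo() -> list:
    """Feed a constructed stream of sequence numbers through the window.

    The stream contains normal delivery, a replayed packet, a big jump, a
    late-but-fresh packet, and its replay.
    """
    stream = [1, 2, 3, 2, 100, 3, 50, 50, 0]
    window = AntiReplayWindow(size=64)
    return [(seq, window.check_and_update(seq)) for seq in stream]


if __name__ == "__main__":
    for seq, accepted in replay_demo():
        print(f"seq {seq:>3}: {'accepted' if accepted else 'dropped'}")
```

In the constructed stream, sequence number 2 is dropped the second time because the receiver remembers it, 3 is dropped after the jump to 100 because it has fallen out of the window, and 50 is accepted once as a late arrival and then dropped on replay.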