ESP
ESP is the acronym for Encapsulating Security Payload.

Encapsulating Security Payload
A core protocol within the IPsec suite that provides confidentiality, data origin authentication, connectionless integrity, and optional anti-replay protection for IP packets. Unlike Authentication Header (AH), which only authenticates packets, ESP can both encrypt and authenticate them, making it the more widely used of the two in modern secure network deployments.
ESP works by encapsulating the original IP packet’s payload—such as TCP, UDP, or other transport-layer data—inside an encrypted envelope. This encryption ensures that only authorized parties can read the contents, while authentication mechanisms confirm the integrity of the data and the legitimacy of its sender. Encryption is typically performed using algorithms such as AES, while authentication often relies on HMAC combined with hash functions like SHA-256.
ESP supports two primary modes of operation:
- Transport mode: Encrypts and/or authenticates only the payload of the IP packet, leaving the original IP header intact. This mode is often used for host-to-host communications.
- Tunnel mode: Encrypts and/or authenticates the entire IP packet, then adds a new IP header for delivery. This mode is commonly used in VPNs and network-to-network security gateways.
Because it can provide both encryption and authentication in one operation, ESP is favored in most IPsec configurations, especially for Virtual Private Networks (VPNs), secure site-to-site links, and encrypted remote access solutions.
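The packet layout of the two modes and the HMAC-SHA-256 integrity check described above, as an added example that is not part of the original entry. Encryption is left out (the payload travels in the clear) because the Python standard library has no AES; the SPI, sequence numbers, key and addresses are constructed values, and the replay check is a plain monotonic counter, a simplification of the sliding window real implementations use.

```python
import hashlib, hmac, struct

ESP_PROTO = 50   # IP protocol number assigned to ESP
ICV_LEN = 16     # HMAC-SHA-256 output truncated to 128 bits

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, bytes(src), bytes(dst))

def esp_wrap(spi, seq, key, inner, next_header):
    """ESP header (SPI, sequence) + payload + trailer + ICV. No encryption here."""
    pad_len = -(len(inner) + 2) % 4            # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + inner + trailer
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def transport_mode(ip_packet, spi, seq, key):
    """Keep the original addresses; protect only the IP payload."""
    esp = esp_wrap(spi, seq, key, ip_packet[20:], ip_packet[9])
    # Same source/destination as the original header; protocol field becomes 50.
    return ipv4_header(ip_packet[12:16], ip_packet[16:20], ESP_PROTO, len(esp)) + esp

def tunnel_mode(ip_packet, spi, seq, key, gw_src, gw_dst):
    """Protect the whole original packet and add a new outer header."""
    esp = esp_wrap(spi, seq, key, ip_packet, 4)    # next header 4 = IPv4-in-IPv4
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def esp_verify(packet, key, last_seq):
    """Check ICV and sequence number; return (seq, next_header, inner bytes)."""
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    _spi, seq = struct.unpack("!II", body[:8])
    if seq <= last_seq:                        # simplified anti-replay check
        raise ValueError("replayed sequence number")
    pad_len, next_header = body[-2], body[-1]
    return seq, next_header, body[8:len(body) - 2 - pad_len]

# Constructed sample: a protocol-17 (UDP) packet between two hosts.
KEY = b"constructed-demo-key"
ORIGINAL = ipv4_header([10, 0, 0, 1], [10, 0, 0, 2], 17, 9) + b"hello-esp"
```

In the transport-mode output the next-header byte carries the original protocol (17), while in tunnel mode it is 4 and the recovered inner bytes are the complete original packet, header included.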
Additional Acronyms for ESP
- ESP - Email Service Provider