Data encryption and authentication — IPSec

To participate in a virtual private network (VPN), a host must encrypt and authenticate individual IP packets between itself and another communicating host. IPSec is one of several mechanisms for achieving this, and one of the more versatile.

IPSec is defined by the IPSec working group of the IETF. It provides authentication, integrity, and data privacy between any two IP entities. Management of cryptographic keys and Security Associations can be either manual or dynamic using an IETF-defined key management protocol called Internet Key Exchange (IKE).

IPSec provides flexible building blocks that can support a variety of configurations. Because an IPSec Security Association can exist between any two IP entities, it can protect a segment of the path or the entire path. The main advantage of using IPSec for data encryption and authentication is that IPSec is implemented at the IP layer. Consequently, any network traffic that is carried by an IP network is eligible to use IPSec services without any special changes to the higher-level protocols that applications use. However, if the system already uses an alternate security protocol (such as SSL) to secure specific applications, IP filtering can be used to avoid the overhead of applying multiple security protocols to the same traffic. For example, you might want to exclude web traffic (based on the well-known secure port of the web server, port 443) from IPSec coverage because you would like to use SSL.

IPSec enables the creation of VPNs. A VPN enables an enterprise to extend its network across a public network, such as the Internet, through a secure tunnel using Security Associations. IPSec VPNs enable the secure transfer of data over the public Internet for same-business and business-to-business communications, and protect sensitive data within an enterprise's internal network.

IPSec uses IP filtering to determine which traffic should be protected by IPSec. A special type of filter action specifies to permit the traffic, but only with IPSec protection. The IP filters represent IP security policy to the stack by specifying the traffic that requires IPSec protection. The filters are also used in locating the outbound IPSec Security Association, and for verifying that inbound traffic is received using the correct Security Association.
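The following is an added example, not code from the z/OS documentation or from any IPSec implementation. It models in Python the three roles the filters play in the paragraph above: a filter action that permits traffic only with IPSec protection, the outbound lookup of a Security Association whose selectors cover the packet, and the inbound check that a packet really arrived under an SA matching the filter. It also includes the port 443 exclusion from the earlier paragraph, so SSL traffic is permitted in the clear. All addresses, SPIs, rule names and class names (`Packet`, `Selector`, `FilterRule`, `SecurityAssociation`, `IPsecPolicy`) are constructed for illustration; a real stack would hand the "negotiate" case to IKE rather than returning it.

```python
"""Toy model of IPSec policy-driven IP filtering (constructed example, not a real stack)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PERMIT, DENY, IPSEC = "permit", "deny", "ipsec"   # filter actions; IPSEC = permit only with IPSec


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sa_spi: Optional[int] = None   # SPI of the SA that carried an inbound packet, None if clear


@dataclass(frozen=True)
class Selector:
    """Traffic selectors shared by filter rules and Security Associations."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None    # None matches any destination port

    def covers(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


@dataclass(frozen=True)
class FilterRule:
    sel: Selector
    action: str


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    sel: Selector                  # the traffic this SA was established to carry


class IPsecPolicy:
    def __init__(self, rules, sas):
        self.rules = list(rules)               # ordered; first matching rule wins
        self.sas = {sa.spi: sa for sa in sas}  # SAs indexed by SPI

    def _rule_for(self, p: Packet):
        return next((r for r in self.rules if r.sel.covers(p)), None)

    def outbound(self, p: Packet):
        """Return (verdict, spi): 'clear', 'protect', 'negotiate' or 'drop'."""
        rule = self._rule_for(p)
        if rule is None or rule.action == DENY:
            return ("drop", None)
        if rule.action == PERMIT:
            return ("clear", None)
        # IPSEC action: locate the outbound SA whose selectors cover this packet
        for sa in self.sas.values():
            if sa.sel.covers(p):
                return ("protect", sa.spi)
        return ("negotiate", None)   # no SA yet; a real stack would start IKE here

    def inbound(self, p: Packet) -> str:
        """Verify that inbound traffic was received under the correct SA."""
        rule = self._rule_for(p)
        if rule is None or rule.action == DENY:
            return "drop"
        if rule.action == PERMIT:
            return "accept"
        sa = self.sas.get(p.sa_spi)
        if sa is None:
            return "drop"            # arrived in the clear, or under an unknown SPI
        # The SA that carried the packet must itself cover the packet's selectors
        return "accept" if sa.sel.covers(p) else "drop"


# Constructed sample policy: site 10.1.0.0/16 exchanges traffic with partner site 10.2.0.0/16.
INTERNAL, PARTNER, OTHER = "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"
POLICY = IPsecPolicy(
    rules=[
        # web traffic to the partner is excluded from IPSec because it already uses SSL on 443
        FilterRule(Selector(INTERNAL, PARTNER, "tcp", 443), PERMIT),
        FilterRule(Selector(INTERNAL, PARTNER), IPSEC),
        FilterRule(Selector(PARTNER, INTERNAL), IPSEC),
        FilterRule(Selector(), DENY),                              # default deny
    ],
    sas=[
        SecurityAssociation(0x1001, Selector(INTERNAL, PARTNER)),  # outbound SA to partner
        SecurityAssociation(0x2001, Selector(PARTNER, INTERNAL)),  # inbound SA from partner
        SecurityAssociation(0x3001, Selector(OTHER, INTERNAL)),    # inbound SA from another peer
    ],
)

if __name__ == "__main__":
    print(POLICY.outbound(Packet("10.1.0.5", "10.2.0.9", "tcp", 443)))
    print(POLICY.outbound(Packet("10.1.0.5", "10.2.0.9", "tcp", 22)))
    print(POLICY.inbound(Packet("10.2.0.9", "10.1.0.5", "tcp", 22, sa_spi=0x2001)))
    print(POLICY.inbound(Packet("10.2.0.9", "10.1.0.5", "tcp", 22)))
```

The inbound path is the part worth studying: a packet that matches an IPSEC filter is dropped if it arrives in the clear, under an unknown SPI, or under an SA (here `0x3001`) that was established for a different peer's traffic, even though its addresses look legitimate.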

The IETF has standardized the IPSec protocol suite and key management schemes in a series of IPSec RFCs. For more information on these RFCs, see Related protocol specifications.

IPSec has three major components: