IPSec

IPSec stands for internet protocol security. IPSec was developed by the Internet Engineering Task Force(IETF) and is implemented at the network layer (layer 3) of the OSI network model. IPSec is a collection of security measures that address data privacy, integrity, authentication, and key management, in addition to tunneling. IPSec encrypts all data packets. IPSec is used for VPN services.

IPSec ensures that IP packets are confidential and authentic. IPX and other network layer protocols are not supported. Only IP is supported. The original IP packet along with security headers and authentication information are encapsulated into a new IP packet. The security headers are used to decrypt the data on the receiving end. Several encryption schemes and security functions may be used.

IPSec is defined by RFCs 1825 through 1829. RFC 1825, 1826, and 1827 are replaced by RFCs 2401, 2402, and 2406 respectively.

IPSEC uses one of more of the following:

  • Authentication Headers (AH) - RFC 2402 - Provides message integrity and authentication.
  • Encapsulation Security Protocol (ESP) header - RFC 2406 - Provides encryption and authentication.
  • Key Exchange (ISAKMP) - RFC 2408 - Provides key exchange.

Since IPSEC is designed to be able to use various security protocols, it uses Security Associations (SA) to specify the protocols to be used. SA is a database record which specify security parameters controlling security operations. They are referenced by the sending host and established by the receiving host. An index parameter called the Security Parameters Index (SPI) is used. SAs are in one direction only and a second SA must be established for the transmission to be bi-directional.