LLMpedia: The first transparent, open encyclopedia generated by LLMs

IPsec

Generated by DeepSeek V3.2
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
IPsec
Name: IPsec
Developer: Internet Engineering Task Force
Introduced: 1995
Based on: Internet Protocol
Industry: Computer network security

IPsec (Internet Protocol Security) is a suite of protocols designed to secure Internet Protocol communications by authenticating and encrypting each IP packet in a data stream. It provides security at the network layer, protecting data transmitted between hosts, between security gateways, or between hosts and gateways. The framework is widely used to implement Virtual Private Networks and is integral to many secure communication standards.

Overview

The development was driven by the need for standardized security within the architecture of the Internet Protocol Suite. Early work within the Internet Engineering Task Force led to a series of Request for Comments documents that defined its core components. It operates transparently to applications, providing security services such as confidentiality, data integrity, and authentication for traffic at the IP layer. This makes it a versatile solution for securing communications across untrusted networks like the public Internet.

Security architecture

The framework is built around several key components that work together to establish secure associations. The Authentication Header provides connectionless integrity and data origin authentication for IP datagrams, protecting against replay attacks. The Encapsulating Security Payload provides confidentiality, along with optional authentication and integrity. The Internet Key Exchange protocol, in its IKEv1 and IKEv2 versions, is responsible for negotiating security parameters and establishing shared cryptographic keys between peers. The negotiated parameters are recorded in a Security Association, and each peer keeps its active associations in a database.

Modes of operation

Two primary modes define how the protocols are applied to IP traffic. Transport mode secures communications between two end hosts, protecting the payload of the original IP packet while leaving the original header intact. This mode is typically used for end-to-end encryption between devices such as servers and clients. Tunnel mode encapsulates the entire original IP packet within a new packet carrying a new header, and is commonly used to create secure tunnels between network gateways, as in site-to-site VPN configurations. The choice of mode determines how much of the original addressing information remains visible to an observer on the path.
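As an added example (not part of the original article), the following Python sketch frames the same payload in transport mode and in tunnel mode using the RFC 4303 ESP layout (SPI, sequence number, encrypted payload and trailer, ICV), then shows what an on-path observer can read in each case. The cipher is a labelled stand-in for AES, and the addresses, SPIs and key are constructed values.

```python
"""Transport vs tunnel mode ESP framing (RFC 4303 layout), for illustration only."""
import hashlib, hmac, struct
from socket import inet_aton, inet_ntoa

ESP_PROTO = 50                        # IP protocol number for ESP
KEY = b"constructed-demo-key"         # constructed value, not a negotiated IPsec key

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0; a real stack would fill it in)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, inet_aton(src), inet_aton(dst))

def demo_encrypt(plaintext):
    """Stand-in for the ESP cipher (AES in a real SA): XOR with an HMAC keystream. Not a real transform."""
    stream = b"".join(hmac.new(KEY, struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

def esp_encapsulate(inner, next_header, spi, seq):
    """ESP: SPI | seq | encrypted(payload | padding | pad_len | next_header) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4                       # 4-byte alignment (RFC 4303)
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = demo_encrypt(inner + trailer)
    icv = hmac.new(KEY, header + body, hashlib.sha256).digest()[:16]  # 128-bit ICV
    return header + body + icv

def transport_mode(src, dst, proto, payload, spi=0x1000, seq=1):
    """Transport mode: original addresses stay in the outer header; protocol becomes ESP."""
    esp = esp_encapsulate(payload, proto, spi, seq)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, inner_packet, spi=0x2000, seq=1):
    """Tunnel mode: the entire inner packet is encrypted behind a new gateway header."""
    esp = esp_encapsulate(inner_packet, 4, spi, seq)        # next header 4 = IPv4
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def cleartext_view(packet):
    """What an on-path observer reads without the key: outer addresses, protocol, SPI."""
    proto, src, dst = struct.unpack("!B2x4s4s", packet[9:20])
    spi = struct.unpack("!I", packet[20:24])[0]
    return {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "proto": proto, "spi": spi}

def inner_hosts_exposed(packet, host_a, host_b):
    """True if either inner host address is readable in the cleartext IP + ESP headers (28 bytes)."""
    return inet_aton(host_a) in packet[:28] or inet_aton(host_b) in packet[:28]

if __name__ == "__main__":                      # constructed example traffic
    inner = ipv4_header("10.0.1.5", "10.0.2.9", 6, 12) + b"hello server"
    print(cleartext_view(tunnel_mode("203.0.113.1", "198.51.100.7", inner)))
```

Because the stand-in cipher is a symmetric XOR, applying demo_encrypt to the ciphertext portion recovers the trailer and shows the next-header byte (6 for TCP in transport mode, 4 for IPv4 in tunnel mode).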

Protocols and standards

The suite is defined by a large collection of Internet Standards published as Request for Comments. Core protocol specifications include RFC 4301 for the overall architecture, RFC 4302 for the Authentication Header, and RFC 4303 for the Encapsulating Security Payload. Key management is primarily handled by IKEv2, defined in RFC 7296, which itself relies on protocols like Internet Security Association and Key Management Protocol. The cryptographic algorithms, such as the Advanced Encryption Standard for encryption and the Secure Hash Algorithm family for integrity, are specified in separate RFCs so that algorithms can be replaced without revising the core protocols (algorithm agility).

Implementation and deployment

IPsec is implemented in most modern operating systems, including Microsoft Windows, Linux kernels, macOS, and various BSD distributions. It is also a fundamental feature of many network security appliances from vendors such as Cisco Systems, Juniper Networks, and Palo Alto Networks. Common deployment scenarios include securing remote access for employees via VPN clients, connecting branch offices over the Internet, and enabling secure cloud computing connectivity. Interoperability between different vendors' implementations is a key focus of the IETF standards process.