
IPsec

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: IPsec
Designer: Internet Engineering Task Force
Introduced: 1995
Domain: Internet Protocol
Status: Deployed

IPsec is a suite of protocols for securing Internet Protocol communications by authenticating and encrypting each IP packet of a data stream. It enables virtual private networks and secure host-to-host, network-to-network, and gateway-to-gateway tunnels used by organizations such as the United States Department of Defense, the European Commission, and commercial providers. IPsec is standardized by the IETF and is implemented across projects including OpenSSL, FreeBSD, and Cisco Systems platforms.

Overview

IPsec provides packet-level security services, including authentication and encryption for IPv4 and IPv6 payloads, in both transport and tunnel modes. It defines components such as the Internet Key Exchange protocol for key management and Security Associations for policy negotiation, interoperating with routers from Juniper Networks and firewalls from Palo Alto Networks. Widely referenced in documents from the Internet Engineering Task Force and implemented in operating systems such as the Linux kernel and Microsoft Windows, IPsec underpins many virtual private network deployments and site-to-site connectivity strategies.

History and Development

Work on IPsec emerged from efforts within the Internet Engineering Task Force in the early 1990s to secure Internet Protocol traffic following concerns raised by incidents such as the Morris worm and guidance from agencies like the National Institute of Standards and Technology. Key milestones include publication of the original RFCs and subsequent revisions driven by working groups involving contributors from Cisco Systems, Sun Microsystems, and academic institutions including Massachusetts Institute of Technology and Stanford University. Adoption accelerated as vendors and standards organizations such as the Internet Assigned Numbers Authority and International Telecommunication Union aligned on protocol numbers and interoperable profiles.

Architecture and Protocols

The IPsec architecture uses Security Associations (SAs), the Authentication Header (AH), and the Encapsulating Security Payload (ESP) to provide varying security properties. Key management evolved from manual keying to automated schemes, namely the Internet Key Exchange protocol in its IKEv1 and IKEv2 versions, standardized through IETF working groups. IPsec interacts with lower-layer technologies such as the Point-to-Point Protocol and higher-level frameworks like Transport Layer Security in complex deployments, and supports cipher suites specified by organizations such as the National Institute of Standards and Technology. Interoperability matrices often cite vendors including Cisco Systems, Huawei Technologies, and Fortinet.

Security Concepts and Cryptography

IPsec security draws on symmetric algorithms such as the Advanced Encryption Standard and hash functions like SHA-256, and uses public-key cryptography for authentication and key exchange, including Diffie–Hellman key exchange groups. Authentication modalities incorporate digital certificates from X.509 chains and pre-shared keys, integrating with identity systems like Kerberos and RADIUS. Security properties provided by IPsec include confidentiality, integrity, anti-replay protection, and endpoint authentication, informed by guidance from agencies including the National Security Agency and the European Union Agency for Cybersecurity.
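The ESP header described under Architecture and Protocols and the anti-replay protection mentioned above can be shown together. The following is an added illustration (not code from the original article or from any IPsec implementation): it parses the 8-byte ESP header (SPI and sequence number, RFC 4303) from constructed sample packets and runs each sequence number through a per-SA sliding-window replay check of the kind RFC 4303 specifies. The 64-bit window size and the sample SPI values are assumptions.

```python
import struct

class ReplayWindow:
    """RFC 4303-style anti-replay sliding window for one inbound SA.
    top is the highest sequence number accepted so far; bit i of bitmap
    records whether sequence number (top - i) has already been received."""
    def __init__(self, size: int = 64):   # 64 is an assumed window size
        self.size, self.top, self.bitmap = size, 0, 0
        self.mask = (1 << size) - 1

    def accept(self, seq: int) -> bool:
        """Return True if seq is fresh (and record it), False if it is a
        replay or older than the window. A real receiver verifies the ICV
        before calling this; here the packet is assumed authenticated."""
        if seq == 0:                      # ESP sequence numbers start at 1
            return False
        if seq > self.top:                # advances the window to the right
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else \
                ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:           # left of the window: too old
            return False
        if self.bitmap & (1 << offset):   # inside the window, seen before
            return False
        self.bitmap |= 1 << offset
        return True

def parse_esp_header(packet: bytes) -> tuple:
    """Return (spi, seq) from the ESP header: two big-endian 32-bit fields."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:8])

def filter_esp_stream(packets) -> list:
    """Apply one ReplayWindow per SPI; return (spi, seq, accepted) per packet."""
    windows, results = {}, []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        win = windows.setdefault(spi, ReplayWindow())
        results.append((spi, seq, win.accept(seq)))
    return results

# Constructed sample: ESP header plus 8 dummy payload bytes (no real cipher).
SAMPLE = [struct.pack("!II", spi, seq) + b"\x00" * 8 for spi, seq in
          [(0x1000, 1), (0x1000, 2), (0x1000, 2), (0x2000, 1), (0x1000, 70), (0x1000, 5)]]

if __name__ == "__main__":
    for spi, seq, ok in filter_esp_stream(SAMPLE):
        print(f"SPI {spi:#010x} seq {seq:3d}: {'accept' if ok else 'DROP'}")
```

The third packet is dropped as a duplicate of sequence 2, and the last one is dropped because, after sequence 70 advanced the window, sequence 5 falls outside the 64-entry range.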

Implementations and Interoperability

Multiple open-source and commercial implementations exist, including OpenBSD's stack, the WireGuard project as a comparative VPN approach, and vendor solutions from Cisco Systems, Juniper Networks, Microsoft, and Apple Inc. Kernel-level implementations in the Linux kernel via XFRM and userspace suites such as strongSwan, Openswan, and Libreswan facilitate integration with orchestration tools like Ansible and Kubernetes for cloud deployments by providers including Amazon Web Services and Google Cloud Platform. Interoperability testing often references events such as IETF plugfests and certification programs by entities like Common Criteria labs.

Deployment and Use Cases

IPsec is used for site-to-site VPNs connecting branch offices of enterprises like Walmart and Deutsche Bank, remote access by employees of firms including IBM and Accenture, and secure tunnels for telecommunications carriers such as AT&T and Verizon Communications. Government and defense networks deploy IPsec for classified and unclassified traffic segregation in systems procured under standards from agencies such as the Department of Defense and NATO. Cloud providers and managed security service providers incorporate IPsec for hybrid cloud connectivity, SD-WAN overlays, and IoT gateways linking to platforms like Azure and AWS IoT.

Vulnerabilities and Mitigations

IPsec implementations have faced vulnerabilities including algorithm downgrade attacks, weak pre-shared keys, and side-channel issues in cryptographic libraries such as OpenSSL and LibreSSL. Notable mitigations include adopting stronger cipher suites recommended by the National Institute of Standards and Technology, enforcing certificate-based authentication with robust Public Key Infrastructure practices, patching kernel and firmware flaws in systems from Cisco Systems and Juniper Networks, and using protocol extensions in IKEv2 to resist denial-of-service and replay attacks. Operational best practices reference guidance from the CERT Coordination Center and compliance frameworks like ISO/IEC 27001 to maintain secure configurations and incident response preparedness.
