| Internet Protocol Security | |
|---|---|
| Name | Internet Protocol Security |
| Developer | Internet Engineering Task Force |
| Introduced | 1995 |
| OS | Linux, Windows NT, FreeBSD, OpenBSD |
| Status | Active |
Internet Protocol Security (IPsec) is a suite of protocols that secures Internet Protocol communications by authenticating, and optionally encrypting, each IP packet of a session. It was designed by working groups of the Internet Engineering Task Force (IETF) and is standardized in a series of Requests for Comments (RFCs), principally RFC 4301 for the architecture, RFC 4302 for the Authentication Header, RFC 4303 for the Encapsulating Security Payload and RFC 7296 for IKEv2. It is implemented in network equipment from vendors such as Cisco Systems and Juniper Networks and is built into operating systems including Linux, Windows (since Windows 2000), FreeBSD and OpenBSD. Deployments range from site-to-site virtual private networks (VPNs) between enterprise networks to the VPN gateway services offered by cloud platforms such as Amazon Web Services and Microsoft Azure.
IPsec operates at the network layer, so it protects any upper-layer protocol without changes to applications, and it secures traffic between pairs of hosts, between security gateways, or between a host and a gateway. The services it offers are confidentiality, connectionless integrity, data-origin authentication, replay protection and limited traffic-flow confidentiality. Route-based VPN deployments commonly run a dynamic routing protocol such as Border Gateway Protocol over the IPsec tunnels, and gateways are monitored like other network devices, for example through Simple Network Management Protocol. Typical uses are site-to-site VPNs joining branch-office networks over the Internet, remote-access VPNs for individual users, and encrypted overlays between data-centre networks, including the VPN connections cloud providers offer to customers' on-premises networks.
The architecture (RFC 4301) defines Security Associations, the databases that govern packet processing, and an interface to key management. A Security Association (SA) is a simplex (one-way) relationship between two peers that fixes the protocol (AH or ESP), the mode, the algorithms, the keys and the lifetime used to protect traffic, so bidirectional traffic needs a pair of SAs. Each SA is identified by a Security Parameter Index (SPI) carried in every protected packet, and SAs are normally negotiated by the Internet Key Exchange (IKE), though they can also be configured manually. Two databases drive processing: the Security Policy Database (SPD), whose ordered entries match packet selectors (addresses, protocol, ports) and state whether matching traffic is to be protected, bypassed or discarded, and the Security Association Database (SAD), which holds the active SAs and their state, including the outbound sequence counter and the inbound anti-replay window. On Linux the kernel's XFRM framework implements the SPD, SAD and packet processing, while a user-space daemon such as strongSwan, Libreswan or Openswan runs IKE; other operating systems divide the work similarly. Gateway appliances from vendors such as Cisco Systems, Juniper Networks, Palo Alto Networks and Fortinet enforce IPsec policy at the network edge and commonly authenticate remote-access users against RADIUS.
Key management is handled by IKE, and packet treatment is fixed by the protection protocol and the mode negotiated for each SA. IKEv1 (RFC 2409) is built on ISAKMP and has been superseded by IKEv2 (RFC 7296), which simplifies the exchanges and adds built-in NAT traversal, liveness checks and EAP-based authentication. IKE runs over UDP port 500 and moves to port 4500 when a NAT is detected. Peers authenticate each other with pre-shared keys, with X.509 certificates issued by an organisation's own PKI or a public certification authority, or, in IKEv2, with EAP. Two modes determine how a packet is encapsulated: transport mode inserts the IPsec header between the original IP header and the payload and protects end-to-end traffic between hosts, while tunnel mode wraps the whole original packet inside a new IP packet and is used between security gateways for site-to-site VPNs and for remote-access clients. The two protection protocols are the Authentication Header (AH, RFC 4302), which provides integrity and data-origin authentication over the payload and the immutable fields of the IP header but no confidentiality, and the Encapsulating Security Payload (ESP, RFC 4303), which provides confidentiality and integrity, either separately or combined; encryption without an integrity check is insecure and discouraged. ESP is used far more widely than AH, not least because AH authenticates the IP addresses and therefore cannot pass through NAT.
The cryptographic services are provided by algorithms negotiated per SA. Confidentiality uses symmetric ciphers, typically AES in CBC mode or a combined-mode (AEAD) algorithm such as AES-GCM or ChaCha20-Poly1305 that provides encryption and integrity in one pass. Where a separate integrity algorithm is used, it is a keyed hash, normally HMAC with a SHA-2 function; RFC 4868 specifies HMAC-SHA-256, -384 and -512 for IPsec with the MAC truncated to half its length, and HMAC-MD5 and HMAC-SHA-1 are treated as legacy. Key agreement in IKE uses Diffie–Hellman groups, both finite-field (MODP) groups and elliptic-curve groups including Curve25519, and the SA keys are derived from the shared secret with a pseudo-random function. The recommended and deprecated algorithms are tracked in IETF guidance (RFC 8221 for ESP and AH, RFC 8247 for IKEv2), which draws on NIST recommendations and published cryptanalysis. Hardware acceleration through Intel AES-NI and the ARMv8 cryptography extensions substantially raises throughput for AES-based suites on commodity servers.
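As an added example (not code from the article's sources or from any IPsec implementation), the following Python implements the pieces the previous three paragraphs describe: an SPD whose selectors decide PROTECT or DISCARD, an SAD entry holding an SA's SPI, key and anti-replay state, ESP encapsulation in tunnel and transport mode, and the receive-side order of integrity check first, sliding replay window second. It uses the NULL cipher (RFC 2410) with HMAC-SHA-256-128 so that it runs on the standard library alone; a real SA would use AES-GCM or AES-CBC plus HMAC. All keys, SPIs and addresses are constructed for the example.

```python
# ESP (RFC 4303) with NULL encryption (RFC 2410) and HMAC-SHA-256-128 (RFC 4868), a minimal
# SPD/SAD and a 64-entry anti-replay window. Example added to this article, not code from any
# IPsec implementation; keys, SPIs and addresses are constructed.
import hashlib, hmac, ipaddress, struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_IPIP, IPPROTO_ESP = 4, 50
ICV_LEN, REPLAY_WINDOW = 16, 64   # RFC 4868 truncates the MAC to 128 bits; RFC 4303 3.4.3 window


@dataclass
class SA:                  # one SAD entry; real SAs are unidirectional, one per direction
    spi: int
    auth_key: bytes
    tunnel: tuple = ()     # (outer src, outer dst) for tunnel mode; empty for transport mode
    seq: int = 0           # outbound sequence counter
    last_seq: int = 0      # inbound: highest sequence number accepted so far
    bitmap: int = 0        # inbound: bit i set <=> (last_seq - i) already received

    def icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

    def accept_seq(self, seq: int) -> bool:
        """Sliding-window replay check; run only after the ICV verified (RFC 4303 3.4.3)."""
        if seq == 0:                           # the first packet on an SA carries 1
            return False
        if seq > self.last_seq:                # newer than anything seen: slide the window
            self.bitmap = ((self.bitmap << (seq - self.last_seq)) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= REPLAY_WINDOW or self.bitmap & (1 << diff):
            return False                       # older than the window, or a replay
        self.bitmap |= 1 << diff
        return True


@dataclass
class SPDEntry:
    src: str               # selector networks, e.g. "10.1.0.0/16"
    dst: str
    action: str            # PROTECT or DISCARD here; RFC 4301 4.4.1 also defines BYPASS
    sa: Optional[SA] = None


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)               # fold carries twice (ones' complement sum)
    return hdr[:10] + struct.pack("!H", ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF) + hdr[12:]


def esp_encap(sa: SA, inner: bytes, next_header: int) -> bytes:
    """SPI | seq | payload | padding | pad length | next header | ICV (NULL cipher: cleartext)."""
    sa.seq += 1
    pad_len = (-(len(inner) + 2)) % 4          # keep the 2-byte trailer 4-byte aligned
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default pad content 1,2,3,...
    body = struct.pack("!II", sa.spi, sa.seq) + inner + padding + bytes([pad_len, next_header])
    return body + sa.icv(body)


def esp_decap(sa: SA, esp: bytes):
    """Verify the ICV, then the sequence number, then strip the ESP trailer."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if len(body) < 10 or not hmac.compare_digest(icv, sa.icv(body)):
        raise ValueError("integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or not sa.accept_seq(seq):
        raise ValueError("wrong SPI, or replayed/out-of-window sequence number %d" % seq)
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def outbound(spd, src: str, dst: str, proto: int, payload: bytes) -> Optional[bytes]:
    """Outbound SPD lookup (first matching selector wins), then ESP processing."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    rule = next((r for r in spd if s in ipaddress.ip_network(r.src)
                 and d in ipaddress.ip_network(r.dst)), None)
    if rule is None or rule.action != "PROTECT":
        return None                            # no matching policy, or DISCARD: drop
    sa = rule.sa
    if sa.tunnel:                              # tunnel mode: whole inner IP packet is the payload
        inner = ipv4_header(src, dst, proto, len(payload)) + payload
        esp = esp_encap(sa, inner, IPPROTO_IPIP)
        return ipv4_header(sa.tunnel[0], sa.tunnel[1], IPPROTO_ESP, len(esp)) + esp
    esp = esp_encap(sa, payload, proto)        # transport mode: original IP header is kept
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def demo() -> tuple:
    """Tunnel between constructed gateways; the same ESP packet is then delivered twice."""
    sa = SA(0x10000001, bytes(range(32)), ("192.0.2.1", "198.51.100.1"))
    spd = [SPDEntry("10.1.0.0/16", "10.2.0.0/16", "PROTECT", sa)]
    pkt = outbound(spd, "10.1.0.5", "10.2.0.9", 6, b"GET / HTTP/1.0\r\n\r\n")
    nh, inner = esp_decap(sa, pkt[20:])        # receiver: outer proto 50 -> ESP, SPI -> SAD entry
    try:
        esp_decap(sa, pkt[20:])                # replaying the same packet must fail
    except ValueError:
        return pkt[9], nh, inner[20:], True    # (outer proto, next header, payload, replay rejected)
    return pkt[9], nh, inner[20:], False
```

The order in `esp_decap` is the security-relevant part: the ICV is verified before the sequence number is admitted to the window, so a sender who cannot forge the ICV can neither advance the window nor mark legitimate sequence numbers as already seen. `demo()` builds one protected packet from the 10.1.0.0/16 side, decapsulates it at the far gateway (next header 4, the inner IP packet), and then delivers the identical packet again to show the replay being rejected.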
IPsec is implemented as a combination of kernel packet processing and user-space key management. Open-source IKE daemons include strongSwan, Libreswan and its predecessor Openswan on Linux, while OpenBSD ships its own isakmpd (IKEv1) and iked (IKEv2); Windows, macOS and iOS include kernel support and built-in clients. Enterprises deploy IPsec on edge devices from vendors such as Cisco Systems and Palo Alto Networks, on cloud VPN gateways, and increasingly as encrypted overlays inside orchestrated environments, where some Kubernetes network plugins use IPsec to encrypt pod-to-pod traffic between nodes. Remote-access users connect with the IKEv2 clients built into Windows, macOS, iOS and Android, or with vendor-supplied clients, to concentrators hosted on premises or in the cloud.
Performance depends on cipher selection, hardware acceleration and implementation quality: AEAD suites with AES-NI or the ARM cryptography extensions reach multi-gigabit rates per core, software-only CBC plus HMAC suites are considerably slower, and the per-packet overhead (ESP header and trailer, plus an outer IP header in tunnel mode) lowers the effective MTU and causes fragmentation unless path MTU is taken into account. Interoperability problems were common between early implementations from different vendors and open-source projects, particularly with IKEv1 and its many options; IKEv2's simpler design and IETF interoperability testing reduced them. Other limitations are the complexity of policy management at scale, added latency that matters for real-time applications, and NAT: AH cannot traverse NAT at all, and ESP cannot without help because a NAT device sees no port numbers to rewrite. This prompted NAT traversal (NAT-T, RFC 3947 and RFC 3948), in which IKE detects the NAT and ESP is encapsulated in UDP on port 4500; NAT-T is built into IKEv2 and supported by virtually all commercial VPN products.
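Two concrete mechanics of NAT traversal, as an added example that is not from the article's sources or from any implementation: the IKEv2 NAT detection hash from RFC 7296 section 2.23, which lets each peer discover that its address or port was rewritten on the way, and the classification of datagrams arriving on UDP port 4500 per RFC 3948, where a four-byte zero Non-ESP Marker distinguishes IKE from ESP because an SPI of zero is never sent on the wire. SPIs, addresses and ports are constructed.

```python
# IKEv2 NAT detection (RFC 7296 section 2.23) and UDP/4500 demultiplexing (RFC 3948).
# Added example for this article, not code from any implementation; SPIs, addresses
# and ports are constructed.
import hashlib, ipaddress, struct

PORT_IKE, PORT_NAT_T = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # an ESP SPI of 0 is never sent, so this cannot be ESP


def nat_detection_hash(spi_i: int, spi_r: int, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify:
    SHA-1 over the two IKE SPIs (header order), the IP address and the UDP port."""
    return hashlib.sha1(struct.pack("!QQ", spi_i, spi_r) + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def peer_behind_nat(spi_i: int, spi_r: int, outer_ip: str, outer_port: int,
                    peer_source_hash: bytes) -> bool:
    """Receiver side: hash the source address and port actually seen on the packet and
    compare with the NAT_DETECTION_SOURCE_IP the peer computed over what it sent from.
    Any difference means a NAT rewrote the address or port in between."""
    return nat_detection_hash(spi_i, spi_r, outer_ip, outer_port) != peer_source_hash


def demux_4500(udp_payload: bytes) -> str:
    """Classify a datagram received on UDP port 4500 (RFC 3948 sections 2.1 to 2.3)."""
    if udp_payload == b"\xff":
        return "nat-keepalive"                 # one octet 0xFF keeps the NAT mapping alive
    if udp_payload[:4] == NON_ESP_MARKER and len(udp_payload) > 4:
        return "ike"                           # marker followed by the IKE header
    if len(udp_payload) >= 8:
        return "esp"                           # SPI and sequence number come first
    return "invalid"


def demo() -> tuple:
    """Initiator 10.0.0.5:500 sends IKE_SA_INIT; a NAT rewrites it to 203.0.113.7:61234
    before the responder sees it (the responder SPI is still 0 in this first message)."""
    spi_i, spi_r = 0x1122334455667788, 0
    claimed = nat_detection_hash(spi_i, spi_r, "10.0.0.5", PORT_IKE)
    nat = peer_behind_nat(spi_i, spi_r, "203.0.113.7", 61234, claimed)
    # once NAT is detected both sides switch to port 4500, where three kinds of datagram mix
    kinds = [demux_4500(struct.pack("!II", 0x10000001, 1) + b"esp payload"),
             demux_4500(NON_ESP_MARKER + struct.pack("!QQ", spi_i, 0xAB) + b"\x21\x20\x22\x08"),
             demux_4500(b"\xff")]
    return nat, kinds
```

The detection works in both directions: the responder compares the initiator's NAT_DETECTION_SOURCE_IP against the source it actually saw, and the initiator does the same with the responder's reply and with the NAT_DETECTION_DESTINATION_IP, so each side learns whether it, the peer, or both sit behind a NAT before deciding to float to port 4500.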
IPsec originated in the early 1990s in the IETF's IP Security (ipsec) working group. The first set of RFCs (RFC 1825 through RFC 1829) was published in 1995, revised in 1998 as RFC 2401 and its companions together with the original IKE (RFC 2409), and revised again in 2005 as RFC 4301 to RFC 4303 alongside IKEv2 (RFC 4306, later RFC 5996 and RFC 7296). IPv6 originally mandated IPsec support, which helped drive adoption by router and operating-system vendors including Cisco Systems and Microsoft, and NIST guidance shaped the algorithm choices. The 2005 revision and later algorithm-guidance documents responded both to cryptanalytic results against older algorithms and to the broad enterprise and government demand for standardized VPNs.
Category:Network protocols