IPsec (Internet Protocol Security) is a framework for a set of protocols for security at the network or packet processing layer of network communication.
Earlier security approaches have inserted security at the Application layer of the communications model. IPsec is said to be especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and technologies) and has included support for it in its network routers.
IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol.
The IP Security (IPsec) architecture comprises a suite of protocols developed to ensure the integrity, confidentiality and authentication of data communications over an IP network. While the flexibility of the IPsec standards has drawn the interest of the commercial sector, this same flexibility has resulted in the identification of several problems with the protocols because of their complexity. As with other security systems, poor maintenance can easily lead to a critical system failure.
IPsec may be used in three different security domains:
Virtual private networks
At this time, IPsec is predominately used in VPNs. When used in application-level security or routing security, IPsec is not a complete solution and must be coupled with other security measures to be effective, hindering its deployment in these domains
How IPSec works?
IPsec has two modes of operation:
When operating in transport mode, the source and destination hosts must directly perform all cryptographic operations. Encrypted data is sent through a single tunnel that is created with L2TP (Layer 2 Tunneling Protocol).Data (ciphertext) is created by the source host and retrieved by the destination host. This mode of operation establishes end-to-end security.
When operating in tunnel mode, special gateways perform cryptographic processing in addition to the source and destination hosts. Here, many tunnels are created in series between gateways, establishing gateway-to-gateway security. When using either of these modes, it's important to provide all gateways with the ability to verify that a packet is real and to authenticate the packet at both ends. Any invalid packets must be dropped.
Two types of data packet encodings (DPE) are required in IPsec.
Authentication header (AH)
Encapsulating security payload (ESP) DPEs.
These encodings offer network-level security for the data. The AH provides authenticity and integrity of the packet. The authentication is made available through keyed hash functions, also known as MACs (message authentication codes). This header also prohibits illegal modification and has the option of providing antireplay security. The AH can establish security between multiple hosts, multiple gateways, or multiple hosts and gateways, all implementing AH. The ESP header provides encryption, data encapsulation and data confidentiality. Data confidentiality is made available through symmetric key encryption.
During its journey through the various tunnels and gateways, additional headers are added to the packet. On each pass through a gateway, a datagram is wrapped in a new header. Included in this header is the security parameter index (SPI). The SPI specifies the algorithms and keys that were used by the last system to view the packet. The payload is also protected in this system because any change or error in the data will be detected, causing the
receiving party to drop the packet. The headers are applied at the beginning of each tunnel and then verified and removed at the end of each tunnel. This method prevents the buildup of unnecessary overhead.
An important part of IPsec is the security association (SA). The SA uses the SPI number that is carried in the AH and ESP to indicate which SA was used for the packet. An IP destination address is also included to indicate the endpoint: This may be a firewall, router or end user. A Security Association Database (SAD) is used to store all SAs that are used.A security policy is used by the SAD to indicate what the router should do with the packet. Three examples include dropping the packet altogether, dropping only the SA, or substituting a different SA. All of the security policies in use
are stored in a security policy database.
Security Architecture for the Internet Protocol — RFC 2401