Site home page
(news and notices)

Get alerts when Linktionary is updated

Book updates and addendums

Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)

Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!

Contribute to this site

Electronic licensing info



IPSec (IP Security)

Related Entries    Web Links    New/Updated Information

Search Linktionary (powered by FreeFind)

Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

IPSec has the goal of providing security services at the IP layer in the Internet protocol stack. Network communication is open to a variety of attacks as discussed under "Security" and "Hacking and Hackers." IPSec is designed to provide end systems with a method of authenticating one another and to protect data in transit from eavesdropping and attacks.

IPSec relies on cryptography to protect communications in a variety of environments, including communication links between computers on private networks, links between corporate sites, and links between dial-up users and corporate LANs. IPSec is also used between trading partners (extranet connections) and for electronic commerce applications.

IPSec is a tunneling protocol designed for both IPv4 and IPv6. Tunnels are "paths" between a pair of hosts, between a pair of security gateways (typically firewalls), or between a security gateway and a host. One tunnel can be created to carry all traffic, or multiple tunnels can be created between the same endpoints to support a variety of TCP services.

An important feature of IPSec is that it provides end-to-end security across IP networks. Lower-layer security protocols only provide protection across a single link. But IPSec should be differentiated from upper-layer session protocols such as SSL (Secure Sockets Layer). SSL has been a mainstay of secure communication, primarily between Web servers and clients. SSL is still the preferred method for short client transactions such as buying a book from But SSL only secures sessions, not the IP connections between hosts, as IPSec does. See "SSL (Secure Sockets Layer)" for more information.

IPSec has multiple modes and services, as outlined here:

  • Data origin authentication    Parts of the header of a packet are signed (run through a hash algorithm) so the receiver can trust that the packets are authentic.

  • Connectionless integrity    The signing process can assure the receiver that the packets have not been altered in transit.

  • Confidentiality    Entire packets or parts of packets can be encrypted to hide their contents. Encryption hides the IP header of the original packet during transit, so an outer packet is required with a header that is readable by intermediate forwarding systems.

  • Replay protection    By protecting/hiding vital packet information, IPSec protects against someone capturing packets and replaying them at a later time to gain access to a system.

  • Key management    IPSec uses IKE (Internet Key Exchange) to manage the exchange of security keys between parties.

IPSec has been slow in coming. Part of the reason is that it was originally designed for IPv6 and IPv6's release date has been moved many times. There are problems with interoperability between vendor products. Encryption is processor intensive and may not be supportable in some environments. But vendors such as Intel have developed security adapters that speed up IPSec processing by offloading encryption.

RFC 2401 (Security Architecture for the Internet Protocol, November 1998) specifies the base architecture for IPsec-compliant systems. RFC 2411 (IP Security Document Roadmap, November 1998) describes the interrelationship of IPSec documents. The following IETF working groups are developing IPSec and related protocols and extensions:

IETF IP Security (ipsec) Working Group

IETF IP Security Remote Access (ipsra) Working Group

IETF IP Security Policy (ipsp) Working Group

IETF Layer Two Tunneling Protocol Extensions (l2tpext) Working Group

Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.