
IPSec (IP Security)


IPSec has the goal of providing security services at the IP layer of the Internet protocol stack. Network communication is open to a variety of attacks, as discussed under "Security" and "Hacking and Hackers." IPSec gives end systems a method of authenticating one another and protects data in transit from eavesdropping and other attacks.

IPSec relies on cryptography to protect communications in a variety of environments, including communication links between computers on private networks, links between corporate sites, and links between dial-up users and corporate LANs. IPSec is also used between trading partners (extranet connections) and for electronic commerce applications.

IPSec is a tunneling protocol designed for both IPv4 and IPv6. Tunnels are "paths" between a pair of hosts, between a pair of security gateways (typically firewalls), or between a security gateway and a host. One tunnel can be created to carry all traffic, or multiple tunnels can be created between the same endpoints to support a variety of TCP services.

An important feature of IPSec is that it provides end-to-end security across IP networks, whereas lower-layer security protocols only protect a single link. IPSec should also be distinguished from upper-layer session protocols such as SSL (Secure Sockets Layer). SSL has been a mainstay of secure communication, primarily between Web servers and clients, and is still the preferred method for short client transactions such as buying a book from Amazon.com. But SSL secures only an application session, not the IP traffic between hosts as IPSec does. See "SSL (Secure Sockets Layer)" for more information.

IPSec has multiple modes and services, as outlined here:

  • Data origin authentication    Parts of the header of a packet are signed (run through a hash algorithm) so the receiver can trust that the packets are authentic.

  • Connectionless integrity    The signing process can assure the receiver that the packets have not been altered in transit.

  • Confidentiality    Entire packets or parts of packets can be encrypted to hide their contents. Encryption hides the IP header of the original packet during transit, so an outer packet is required with a header that is readable by intermediate forwarding systems.

  • Replay protection    Because vital packet information is protected and hidden, IPSec prevents someone from capturing packets and replaying them later to gain access to a system.

  • Key management    IPSec uses IKE (Internet Key Exchange) to manage the exchange of security keys between parties.
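An added example (not from this entry or from any IPSec implementation) that combines three of the services above on the receiving side: a keyed hash over the sequence number and payload gives data origin authentication and connectionless integrity, and a sliding window over the sequence number, the mechanism RFC 2401 describes in its Appendix C, gives replay protection. The packet layout, the HMAC-SHA-256 integrity check value and the function names are assumptions made for illustration.

```python
import hmac
import hashlib

ICV_LEN = 32  # HMAC-SHA-256 digest; an illustrative choice, not a real IPSec transform


class ReplayWindow:
    """Sliding anti-replay window over 32-bit sequence numbers (RFC 2401, Appendix C)."""

    def __init__(self, size=64):
        self.size = size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (last_seq - i) already received

    def check_and_update(self, seq):
        """Accept seq once; reject duplicates and anything older than the window."""
        if seq == 0:                      # the sender's counter starts at 1, so 0 is invalid
            return False
        if seq > self.last_seq:           # new high-water mark: slide the window right
            shift = seq - self.last_seq
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                  # too old, or already seen: a replay
        self.bitmap |= 1 << diff          # late but fresh: mark it received
        return True


def make_packet(key, seq, payload):
    """Constructed AH-like packet: 4-byte sequence number | payload | ICV over both."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def receive(key, window, packet):
    """Receiver-side check: verify the ICV first, then apply anti-replay.
    The window is advanced only for authenticated packets, so a forged or
    tampered packet can never move it."""
    if len(packet) < 4 + ICV_LEN:
        return "malformed"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha256).digest()):
        return "bad-icv"
    seq = int.from_bytes(body[:4], "big")
    if not window.check_and_update(seq):
        return "replayed-or-stale"
    return "ok"
```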

IPSec has been slow in coming. Part of the reason is that it was originally designed for IPv6 and IPv6's release date has been moved many times. There are problems with interoperability between vendor products. Encryption is processor intensive and may not be supportable in some environments. But vendors such as Intel have developed security adapters that speed up IPSec processing by offloading encryption.

RFC 2401 (Security Architecture for the Internet Protocol, November 1998) specifies the base architecture for IPSec-compliant systems. RFC 2411 (IP Security Document Roadmap, November 1998) describes the interrelationship of the IPSec documents. The following IETF working groups are developing IPSec and related protocols and extensions:

IETF IP Security (ipsec) Working Group

http://www.ietf.org/html.charters/ipsec-charter.html

IETF IP Security Remote Access (ipsra) Working Group

http://www.ietf.org/html.charters/ipsra-charter.html

IETF IP Security Policy (ipsp) Working Group

http://www.ietf.org/html.charters/ipsp-charter.html

IETF Layer Two Tunneling Protocol Extensions (l2tpext) Working Group

http://www.ietf.org/html.charters/l2tpext-charter.html




Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.