What is IPSec?
IPSec, is a framework of open standards (from IETF) that define policies for secure communication in a network. In addition, these standards also describe how to enforce these policies.
Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity, and data authentication at the network layer (i.e. Layer 3 of the Open Systems Interconnection 7-layer networking model). RFC 2401 specifies the base architecture for IPsec compliant systems. IPv6
This RFC says that “the goal of the architecture is to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments.” See also RFC 2402, RFC 2406 and RFC 2407 for more details on IPSec.
The main purpose of IPSec is to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6. It offers various security services at the IP layer and therefore, offers protection at this (i.e. IP) and higher layers. These security services are, for example, access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality.
Specifically, IPSec supports:
- Data Encryption Standard (DES) 56-bit and Triple DES (3DES) 168-bit symmetric key encryption algorithms in IPSec client software.
- Certificate authorities and Internet Key Exchange (IKE) negotiation. IKE is defined in RFC 2409.
- Encryption that can be deployed in standalone environments between clients, routers, and firewalls
- Environments where it’s used in conjunction with L2TP tunneling
From usage point of view, here are three main advantages of IPSec:
- Supported on various operating system platforms
- Right VPN solution, if you want true data confidentiality for your networks.
- Open standard, so interoperability between different devices is easy to implement
IPSec has two different modes: Transport mode (host-to-host) and Tunnel Mode (Gateway-to-Gateway or Gateway-to-host). In transport mode, the payload is encapsulated (header is left intact) and the end-host (to which, the IP packet is addressed) decapsulates the packet. In the tunnel mode, the IP packet is entirely encapsulated (with a new header). The host (or gateway), specified in the new IP header, decapsulates the packet. Note that, in tunnel mode, there is no need for client software to run on the gateway and the communication between client systems and gateways are not protected.
IPSec standard supports the following features:
- AH (Authentication Header) that provides authenticity guarantee for transported packets. This is done by check-summing the packages using a cryptographic algorithm.
- ESP (Encapsulating Security Payload) that provides encryption of packets.
- IPcomp (IP payload compression) that provides compression before a packet is encrypted.
- IKE (Internet Key Exchange) provides the (optional) means to negotiate keys in secrecy.
It also provides the following components:
- Security Policy Database (SPD) This manages security policy (SP) and selector that correlates SP with actual data traffic.
- Security Association Database (SAD) it contains Security Association (SA), parameters necessary for expressing IPsec connections and applying IPsec.
IPv6 IPSec traditionally implements secure remote access connections using virtual private network (VPN) tunneling protocols such as Layer 2 Tunneling Protocol (L2TP). Note that IPSec is not really a VPN mechanism. In fact, the use of IPSec is changing n the last few years, since IPSec is moving from the WAN into the LAN to secure internal network traffic against eavesdropping and modification.
When two computers (peers) want to communicate using IPSec, they mutually authenticate with each other first and then negotiate how to encrypt and digitally sign traffic they exchange. These IPSec communication sessions are called security associations (SAs).
Native Support for IPSEC
The term Native IPsec is used to describe the implementation scheme of IPsec integration into the native IP (implementation). It requires access to the IP source code and applies to both hosts and security gateways. Native IPsec support is only available in Linux 2.6.x kernels. Here the (OS) kernel maintains the Security Policy Database (SPD). This SPD defines which traffic is to be encrypted, which mode (transport and tunnel) and the end-points.
IPSec in IPv6 and why it’s important
IPsec is a mandatory component for IPv6 (This means that any implementation of IPv6 is required to support IPsec when it is requested; however IPsec is not necessarily used in every IPv6 connection unless it is explicitly enabled. – clarification contributed by one of our readers named ‘Bennett Haselton’), and therefore, the IPsec security model is required to be supported for all IPv6 implementations in near future. In IPv6, IPsec is implemented using the AH authentication header and the ESP extension header. Since at the present moment, IPv4 IPsec is available in nearly all client and server OS platforms, the IPSec IPv6 advanced security can be deployed by IT administrators immediately, without changing applications or networks. The importance of IPsec in IPv6 has grown in recent years as U.S. Department of Defense and federal government have mandates to buy IPv6-capable systems and to transition to IPv6-capable networks within a few years,