
IPSEC: The Protocols

IPsec is a security tunneling protocol: it defines a mechanism that lets a node encrypt and/or authenticate packets and then encapsulate the secured packets (which, once encrypted, are indecipherable to anyone without the key) inside new packets. The figure below illustrates the basic idea behind IPsec and other security tunneling protocols.

IPsec depends on the use of security gateways, which encapsulate IP packets on behalf of their clients. In the figure below, the security gateway labeled "X" serves, among others, hosts A', B', and C'; "Y" serves hosts A, B, and C. The PC off on the side has its own security gateway, implemented in software. In this example, the tunnel from X to Y carries all secured traffic between the two pictured internetworks. Each security gateway gathers all traffic for its local network and encrypts and/or authenticates all of it between itself and the security gateway at the other end. If all traffic is being encrypted (a good bet), then any attacker sitting inside the public Internet could intercept these packets but would get relatively little information from them. At best, the attacker would discover that there is a secure tunnel between X and Y and would likely learn only how much traffic was being sent between the two security gateways.

Security tunneling across a hostile network

The security gateways create secure tunnels by accepting IP packets sent from one node (A) to another (B). A sends off its packets as if they were going to be delivered directly to B; security gateway X then takes those packets (along with any others from the same network) and treats them as raw data to be sent to security gateway Y. The packets sent by A are shown as open envelopes to signify that they have not been encrypted, while the packets sent from X are shown as sealed envelopes to indicate that they contain the encrypted packets sent from A.

The original IPsec specifications define security protocols for the Authentication Header (AH) and the Encapsulating Security Payload (ESP) IP options, carried as header options (for IPv4) or header extensions (for IPv6). As their names imply, AH provides an authentication mechanism, whereas ESP provides an encryption ("encapsulated security") mechanism for privacy.
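To make the tunneling idea concrete, here is an added example (written for this page; it is not code from the original text and does not reproduce IPsec's real AH or ESP wire formats) that models the two security gateways X and Y from the figure. Gateway X takes an inner packet from A to B, treats the whole thing as raw data, and wraps it in an outer packet addressed to Y. In the ESP-like mode the inner packet is encrypted and integrity-tagged; in the AH-like mode it is only integrity-tagged. The addresses, keys and sample traffic are constructed placeholders, and the "cipher" is a toy HMAC-based keystream standing in for the real cipher suites. The example also shows what a passive observer on the public Internet sees (outer addresses and size only) and that a single flipped bit in transit is rejected in both modes.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Constructed 4-byte addresses for the nodes in the figure (hypothetical, not real hosts).
ADDR = {
    "A": bytes([10, 0, 0, 1]),   # host behind gateway X
    "B": bytes([10, 1, 0, 1]),   # host behind gateway Y
    "X": bytes([192, 0, 2, 1]),  # security gateway X, public side
    "Y": bytes([192, 0, 2, 2]),  # security gateway Y, public side
}
TAG_LEN = 32     # HMAC-SHA256 tag length
NONCE_LEN = 12   # per-packet nonce length


@dataclass(frozen=True)
class Packet:
    """Minimal packet model: 4-byte source, 4-byte destination, opaque payload."""
    src: bytes
    dst: bytes
    payload: bytes

    def to_bytes(self) -> bytes:
        return self.src + self.dst + self.payload

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Packet":
        return cls(raw[:4], raw[4:8], raw[8:])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; a stand-in for ESP's real ciphers."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecurityGateway:
    """Wraps local packets into authenticated (optionally encrypted) outer packets for the peer."""

    def __init__(self, own: bytes, peer: bytes, enc_key: bytes, auth_key: bytes, encrypt: bool):
        self.own, self.peer = own, peer
        self.enc_key, self.auth_key = enc_key, auth_key
        self.encrypt = encrypt  # True: ESP-like (encrypt + authenticate); False: AH-like (authenticate only)

    def _tag(self, src, dst, mode, nonce, body) -> bytes:
        # Encrypt-then-MAC: the tag covers the outer addresses and the whole secured body.
        return hmac.new(self.auth_key, src + dst + mode + nonce + body, hashlib.sha256).digest()

    def encapsulate(self, inner: Packet) -> Packet:
        inner_bytes = inner.to_bytes()  # the original A->B packet, headers included, is now raw data
        nonce = os.urandom(NONCE_LEN)
        mode = b"\x01" if self.encrypt else b"\x00"
        body = _xor(inner_bytes, _keystream(self.enc_key, nonce, len(inner_bytes))) if self.encrypt else inner_bytes
        return Packet(self.own, self.peer, mode + nonce + body + self._tag(self.own, self.peer, mode, nonce, body))

    def decapsulate(self, outer: Packet) -> Packet:
        if outer.src != self.peer or outer.dst != self.own:
            raise ValueError("outer packet is not from the expected peer")
        p = outer.payload
        if len(p) < 1 + NONCE_LEN + 8 + TAG_LEN:
            raise ValueError("outer packet too short")
        mode, nonce = p[:1], p[1:1 + NONCE_LEN]
        body, tag = p[1 + NONCE_LEN:-TAG_LEN], p[-TAG_LEN:]
        # Verify before decrypting; constant-time comparison avoids a timing side channel.
        if not hmac.compare_digest(tag, self._tag(outer.src, outer.dst, mode, nonce, body)):
            raise ValueError("integrity check failed: packet dropped")
        inner_bytes = _xor(body, _keystream(self.enc_key, nonce, len(body))) if mode == b"\x01" else body
        return Packet.from_bytes(inner_bytes)


def observer_view(outer: Packet) -> tuple:
    """What a passive observer in the public Internet learns: outer addresses and size only."""
    return outer.src, outer.dst, len(outer.payload)


def run_tunnel(encrypt: bool) -> dict:
    """Send one A->B packet through X and Y and report what each party can see or detect."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)  # shared keys; key exchange is out of scope here
    gw_x = SecurityGateway(ADDR["X"], ADDR["Y"], enc_key, auth_key, encrypt)
    gw_y = SecurityGateway(ADDR["Y"], ADDR["X"], enc_key, auth_key, encrypt)

    inner = Packet(ADDR["A"], ADDR["B"], b"hello B")  # constructed sample traffic
    outer = gw_x.encapsulate(inner)
    recovered = gw_y.decapsulate(outer)

    # Flip one bit of the outer payload in transit: both modes must reject the packet.
    flipped = outer.payload[:-1] + bytes([outer.payload[-1] ^ 0x01])
    try:
        gw_y.decapsulate(Packet(outer.src, outer.dst, flipped))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "recovered": recovered == inner,
        "inner_visible": inner.to_bytes() in outer.payload,  # True only in authenticate-only mode
        "tamper_detected": tamper_detected,
        "observer": observer_view(outer),
    }


if __name__ == "__main__":
    for encrypt in (True, False):
        print("ESP-like" if encrypt else "AH-like", run_tunnel(encrypt))
```

Running it shows the contrast the text draws: in the ESP-like mode the observer sees X, Y and a length, and the inner packet (including A's and B's addresses) is nowhere in the outer payload; in the AH-like mode the inner packet is readable on the wire but any modification is still detected and dropped.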
