IP Security (IPSec) provides secure data transmission over unprotected TCP/IP networks such as the Internet. IPSec operates on OSI layer 3, the network layer. It provides mutual authentication, integrity, non-repudiation and confidentiality.
IPSec includes two protocols:
| Protocol | Description |
|---|---|
| Authentication Header (AH) | AH provides authenticity, non-repudiation, and integrity. AH does not provide confidentiality because the data in the packet is not encrypted; provides protection against replay and man-in-the-middle attacks; uses a keyed hash based on all the bytes in the packet for the authentication information; authenticates packets by digitally signing them; uses IP Protocol 51. |
| Encapsulating Security Payload (ESP) | ESP provides all the security of AH plus confidentiality. ESP is the most commonly used IPSec protocol; provides data encryption; uses IP Protocol 50. |
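As an added illustration (not part of the original notes), the following Python picks AH and ESP out of IPv4 packets by their protocol numbers (51 and 50), reads the cleartext SPI and sequence number from each header, and applies the sliding-window anti-replay check that a receiver uses to give AH and ESP their replay protection. The packets are constructed inline with a zero checksum and a zeroed ICV placeholder, since no keys are involved; the SPI, addresses and window size are arbitrary sample values.

```python
import struct

IP_PROTO_ESP = 50  # Encapsulating Security Payload
IP_PROTO_AH = 51   # Authentication Header

def parse_ipsec(packet: bytes) -> dict:
    """Return the cleartext AH/ESP fields of an IPv4 packet (other protocols: number only)."""
    proto, body = packet[9], packet[(packet[0] & 0x0F) * 4:]  # skip the IPv4 header (IHL * 4)
    if proto == IP_PROTO_AH:
        # RFC 4302 header: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV
        next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", body[:12])
        return {"proto": "AH", "next_header": next_hdr, "spi": spi, "seq": seq, "icv_len": (payload_len + 2) * 4 - 12}
    if proto == IP_PROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])  # RFC 4303: only SPI and Seq are in the clear
        return {"proto": "ESP", "spi": spi, "seq": seq}
    return {"proto": proto}

class ReplayWindow:
    """Sliding anti-replay window used by AH and ESP receivers; bit 0 tracks the highest seq."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:  # IPsec sequence numbers start at 1
            return False
        if seq > self.top:  # newer than anything seen: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False  # older than the window, or already accepted: treat as a replay
        self.bitmap |= 1 << diff
        return True

def build_sample(proto: int, seq: int, spi: int = 0x1000) -> bytes:
    """Constructed IPv4 packet (checksum 0, zeroed ICV) for offline testing; not captured traffic."""
    if proto == IP_PROTO_AH:
        payload = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * 12  # Payload Len 4 => 12-byte ICV
    else:
        payload = struct.pack("!II", spi, seq) + b"\x00" * 16  # stand-in for the encrypted payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def filter_replays(packets, window_size: int = 64) -> list:
    """Feed one SA's packets through the window; True = accepted, False = dropped as replay."""
    window = ReplayWindow(window_size)
    return [window.accept(parse_ipsec(p)["seq"]) for p in packets]
```

A duplicated or out-of-window sequence number is the signal a receiver acts on; the ICV check that would also reject a forged packet is omitted here because it needs the SA's key.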
Whether using AH or ESP there are two modes of operation that can be implemented with IPSec:
A Security Association (SA) is the establishment of shared security information between two network entities to support secure communications. An SA may include algorithm selection, cryptographic keys, and/or digital certificates. A Security Association can be established manually or automatically through a protocol called Internet Key Exchange (IKE). IKE helps to establish Security Associations (SAs) automatically. IKE:
Be aware of the following:
IPSec is most commonly used with L2TP VPNs.