IPsec



 
 
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.

IPsec is a dual mode, end-to-end security scheme operating at the Internet Layer of the Internet Protocol Suite, which is approximately Layer 3 in the OSI model. Some other Internet security systems in widespread use, such as SSL, TLS and SSH, operate in the upper layers of these models. Because IPsec operates at a lower level in the stack, it is more flexible: it can be used to protect more traffic (i.e. all protocols above layer 2), and applications need not be designed to use IPsec, whereas the use of TLS/SSL or other higher-layer protocols must be incorporated into the design of applications at that level.

IPsec is a successor of the ISO standard NLSP (Network Layer Security Protocol). The NLSP protocol was based on the SP3 protocol that was published by NIST, but designed by the Secure Data Network System project of the NSA.

"IPsec" is officially specified by the Internet Engineering Task Force (IETF), including the capitalization of the term.

Security Architecture

The IPsec suite is a framework of open standards. IPsec uses the following protocols to perform various functions:

  • Internet Key Exchange (IKE and IKEv2) to set up a security association (SA) by handling negotiation of protocols and algorithms and to generate the encryption and authentication keys to be used by IPsec.

  • Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks.

  • Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.


Authentication Header (AH)

AH is a member of the IPsec protocol suite. AH is intended to guarantee connectionless integrity and data origin authentication of IP packets. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets. AH protects the IP payload and all header fields of an IP datagram except for mutable fields (i.e. those that might be altered in transit).
  • In IPv4, mutable (and therefore unauthenticated) IP header fields include TOS, Flags, Fragment Offset, TTL and Header Checksum.
AH operates directly on top of IP, using IP protocol number 51.

The following AH packet diagram shows how an AH packet is constructed and interpreted:

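+----------------+----------------+----------------+----------------+
| 0 - 7 bit      | 8 - 15 bit     | 16 - 23 bit    | 24 - 31 bit    |
+----------------+----------------+----------------+----------------+
| Next header    | Payload length | RESERVED                        |
+----------------+----------------+----------------+----------------+
| Security parameters index (SPI)                                   |
+----------------+----------------+----------------+----------------+
| Sequence number                                                   |
+----------------+----------------+----------------+----------------+
| Authentication data (variable)                                    |
+----------------+----------------+----------------+----------------+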


Field meanings:
  • Next header: The Next Header is an 8-bit field that identifies the type of the next payload after the Authentication Header. The value of this field is chosen from the set of IP Protocol Numbers defined in the most recent "Assigned Numbers" RFC from the Internet Assigned Numbers Authority. See List of IP protocol numbers.
  • Payload length: Size of AH packet.
  • RESERVED: Reserved for future use (all zero until then).
  • Security parameters index (SPI): Identifies the security parameters, which, in combination with the IP address, then identify the security association implemented with this packet.
  • Sequence number: A monotonically increasing number, used to prevent replay attacks.
  • Authentication data: Contains the integrity check value (ICV) necessary to authenticate the packet; it may contain padding.
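The sliding-window replay check mentioned for AH, as an added example (not from the original page): it parses the header layout above and applies a bitmap window to the sequence number. The class and function names, the window size and the sample packets are constructed for illustration; the payload-length encoding follows RFC 4302.

```python
import struct
from dataclasses import dataclass


@dataclass
class AHHeader:
    next_header: int
    payload_len_words: int
    spi: int
    seq: int
    icv: bytes


def parse_ah(data: bytes) -> AHHeader:
    """Parse an Authentication Header from the bytes that follow the IP header."""
    if len(data) < 12:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    if reserved != 0:
        raise ValueError("RESERVED field must be zero")
    # RFC 4302 encodes the length as (AH size in 32-bit words) - 2.
    total = (payload_len + 2) * 4
    if total < 12 or len(data) < total:
        raise ValueError("payload length does not match packet size")
    return AHHeader(next_header, payload_len, spi, seq, data[12:total])


class ReplayWindow:
    """Bitmap sliding window: bit i set means (highest - i) was already accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        # Assumes the ICV of the packet has already been verified; a real
        # receiver must not advance the window for unauthenticated packets.
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest:                # new highest: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: discard
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset            # late but new: accept
        return True


def build_ah(spi: int, seq: int, icv: bytes = bytes(12), next_header: int = 6) -> bytes:
    """Constructed sample input: an AH header with a placeholder 96-bit ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def replay_demo():
    """Feed constructed packets (in arrival order) through a 4-packet window."""
    window = ReplayWindow(size=4)
    results = []
    for seq in (1, 2, 5, 3, 5, 1, 6):
        hdr = parse_ah(build_ah(spi=0x1000, seq=seq))
        results.append((hdr.seq, window.check_and_update(hdr.seq)))
    return results


if __name__ == "__main__":
    for seq, accepted in replay_demo():
        print(seq, "accepted" if accepted else "discarded")
```

The second arrival of sequence number 5 is discarded as a replay, and sequence number 1 is discarded because it has fallen out of the window by the time it arrives again.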

Encapsulating Security Payload (ESP)

ESP is a member of the IPsec protocol suite. It is the portion of IPsec that provides origin authenticity, integrity, and confidentiality protection of packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure. Unlike Authentication Header (AH), ESP does not protect the IP packet header. However, in Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet (including the inner header) while the outer header remains unprotected. ESP operates directly on top of IP, using IP protocol number 50.

The following ESP packet diagram shows how an ESP packet is constructed and interpreted:

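+----------------+----------------+----------------+----------------+
| 0 - 7 bit      | 8 - 15 bit     | 16 - 23 bit    | 24 - 31 bit    |
+----------------+----------------+----------------+----------------+
| Security parameters index (SPI)                                   |
+----------------+----------------+----------------+----------------+
| Sequence number                                                   |
+----------------+----------------+----------------+----------------+
| Payload data (variable)                                           |
+                +----------------+----------------+----------------+
|                | Padding (0-255 bytes)                            |
+----------------+----------------+----------------+----------------+
|                                 | Pad Length     | Next Header    |
+----------------+----------------+----------------+----------------+
| Authentication Data (variable)                                    |
+----------------+----------------+----------------+----------------+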


Field meanings:
  • Security parameters index (SPI): Identifies the security parameters in combination with IP address.
  • Sequence number: A monotonically increasing number, used to prevent replay attacks.
  • Payload data: The data to be transferred.
  • Padding: Used with some block ciphers to pad the data to the full length of a block.
  • Pad length: Size of padding in bytes.
  • Next header: Identifies the protocol of the payload data. The value of this field is chosen from the set of IP Protocol Numbers defined in the most recent "Assigned Numbers" RFC from the Internet Assigned Numbers Authority. See List of IP protocol numbers.
  • Authentication data: Contains the data used to authenticate the packet.

Security Association

The IP security architecture uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations. The actual choice of encryption and authentication algorithms (from a defined list) is left to the IPsec administrator.

In order to decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.

For multicast, a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice.
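The inbound lookup described in this section, as an added example (not from the original page): an authentication-only ESP packet is matched to its security association by SPI and destination address, and the ICV is verified with that association's key before the trailer is parsed. The SADB contents, keys, addresses and function names are constructed; the ICV is assumed to be HMAC-SHA1 truncated to 96 bits, and the replay check is left out here.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # assumed ICV size: HMAC-SHA1 output truncated to 96 bits

# Constructed SADB. Each entry covers one direction only, so a bidirectional
# flow between the two hosts needs the pair of associations shown here.
SADB = {
    (0x00001001, "192.0.2.10"): {"auth_key": b"constructed-key-towards-.10"},
    (0x00002002, "192.0.2.20"): {"auth_key": b"constructed-key-towards-.20"},
}


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """Build an authentication-only ESP packet (constructed test input)."""
    # Pad so that Pad Length and Next Header end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def process_inbound_esp(dst_addr: str, packet: bytes):
    """Return (next_header, payload) for a valid packet, raise otherwise."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, _seq = struct.unpack("!II", packet[:8])

    # SPI plus destination address selects the security association.
    sa = SADB.get((spi, dst_addr))
    if sa is None:
        raise LookupError("no security association for this SPI and destination")

    # Authenticate before trusting any length field in the trailer.
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")

    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 8 - 2:
        raise ValueError("pad length exceeds packet")
    return next_header, body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    key = SADB[(0x00001001, "192.0.2.10")]["auth_key"]
    pkt = build_esp(0x00001001, 1, b"hello", 6, key)
    print(process_inbound_esp("192.0.2.10", pkt))
```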

Modes of Operation

There are two modes of IPsec operation:

Transport mode

In transport mode, only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications.

A means to encapsulate IPsec messages for NAT traversal has been defined by RFC documents describing the NAT-T mechanism.
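Why address translation breaks AH while ordinary forwarding does not, as an added example (not code from the original page) that serves both the AH mutable-field list and the transport mode paragraph above. It assumes an IPv4 header without options and HMAC-SHA1 truncated to 96 bits for the ICV; the key, addresses, SPI and function names are constructed.

```python
import hashlib
import hmac
import socket
import struct

ICV_LEN = 12                      # assumed: HMAC-SHA1 truncated to 96 bits
KEY = b"constructed-ah-key"       # constructed sample key


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, payload_len: int) -> bytes:
    """20-byte IPv4 header, no options, protocol 51 (AH)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_icv(key: bytes, packet: bytes) -> bytes:
    """ICV over the packet with the mutable IPv4 fields and the ICV itself zeroed."""
    ip, rest = bytearray(packet[:20]), bytearray(packet[20:])
    ip[1] = 0                     # TOS
    ip[6:8] = b"\x00\x00"         # Flags and Fragment Offset
    ip[8] = 0                     # TTL
    ip[10:12] = b"\x00\x00"       # Header Checksum
    ah_len = (rest[1] + 2) * 4    # AH length from its Payload length field
    rest[12:ah_len] = bytes(ah_len - 12)
    return hmac.new(key, bytes(ip) + bytes(rest), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, payload, ttl=64) -> bytes:
    ah = struct.pack("!BBHII", 17, 4, 0, spi, seq) + bytes(ICV_LEN)
    packet = bytearray(build_ipv4(src, dst, ttl, len(ah) + len(payload)) + ah + payload)
    packet[32:32 + ICV_LEN] = ah_icv(key, bytes(packet))
    return bytes(packet)


def verify_ah(key: bytes, packet: bytes) -> bool:
    ah_len = (packet[21] + 2) * 4
    return hmac.compare_digest(packet[32:20 + ah_len], ah_icv(key, packet))


def _with_fresh_checksum(ip: bytearray, packet: bytes) -> bytes:
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return bytes(ip) + packet[20:]


def router_hop(packet: bytes) -> bytes:
    """What a forwarding router does: decrement TTL, recompute the checksum."""
    ip = bytearray(packet[:20])
    ip[8] -= 1
    return _with_fresh_checksum(ip, packet)


def nat_rewrite(packet: bytes, new_src: str) -> bytes:
    """What a NAT device does: replace the source address, recompute the checksum."""
    ip = bytearray(packet[:20])
    ip[12:16] = socket.inet_aton(new_src)
    return _with_fresh_checksum(ip, packet)


if __name__ == "__main__":
    pkt = build_ah_packet(KEY, "192.0.2.10", "198.51.100.20", 0x1001, 1, b"constructed payload")
    print("as sent:     ", verify_ah(KEY, pkt))
    print("after router:", verify_ah(KEY, router_hop(pkt)))
    print("after NAT:   ", verify_ah(KEY, nat_rewrite(pkt, "203.0.113.5")))
```

TTL and Header Checksum are excluded from the ICV, so the routed packet still verifies; the source address is covered, so the translated packet does not.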

Tunnel mode

In tunnel mode, the entire IP packet (data and IP header) is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create Virtual Private Networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access), and host-to-host communications (e.g. private chat).

Implementations


Cryptographic Algorithms

Cryptographic algorithms defined for use with IPsec include:
  • HMAC-SHA1 for integrity protection
  • TripleDES-CBC for confidentiality
  • AES-CBC for confidentiality.
Refer to RFC 4835 for details.

Software Implementations

IPsec support is usually implemented in the kernel with key management and ISAKMP/IKE negotiation carried out from user-space. Existing IPsec implementations often include both. However, as there is a standard interface for key management, it is possible to control one kernel IPsec stack using key management tools from a different implementation.

Because of this, there is sometimes confusion as to the origins of the IPsec implementation in the Linux kernel. The FreeS/WAN project made the first complete and open source implementation of IPsec for Linux. It consists of a kernel IPsec stack (KLIPS), as well as a key management daemon (pluto) and many shell scripts. The FreeS/WAN project was disbanded in March 2004. Openswan and strongSwan are continuations of FreeS/WAN. The KAME project also implemented complete IPsec support for NetBSD, FreeBSD. Its key management daemon is called racoon. OpenBSD made its own ISAKMP/IKE daemon, simply named isakmpd (which was also ported to other systems, including Linux).

None of those kernel IPsec stacks were integrated into the Linux kernel. Alexey Kuznetsov and David S. Miller wrote a kernel IPsec implementation from scratch for the Linux kernel around the end of 2002. This stack was subsequently released as part of Linux 2.6, and is referred to variously as "native" or "NETKEY".

Thus, the current Linux IPsec stack did not originate from the KAME project. Since it supports the standard PF_KEY protocol (RFC 2367) and the native XFRM interface for key management, the Linux IPsec stack can be used in conjunction with either pluto from Openswan/strongSwan, isakmpd from the OpenBSD project, racoon from the KAME project, or without any ISAKMP/IKE daemon (using manual keying).
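
The interchangeability of key management daemons described above rests on PF_KEY's fixed message framing. As an added example (not code from any of the projects named here), this Python code builds and validates the 16-byte sadb_msg base header defined in RFC 2367; the helper names build_sadb_msg and parse_sadb_msg and the sample seq/pid values are assumptions made for illustration.

```python
import struct

# Constants from RFC 2367 (PF_KEY Key Management API, Version 2).
PF_KEY_V2 = 2
SADB_TYPES = {1: "GETSPI", 2: "UPDATE", 3: "ADD", 4: "DELETE", 5: "GET",
              6: "ACQUIRE", 7: "REGISTER", 8: "EXPIRE", 9: "FLUSH", 10: "DUMP"}
SADB_SATYPES = {0: "UNSPEC", 2: "AH", 3: "ESP"}

# struct sadb_msg: version, type, errno, satype (u8 each), len (u16, counted
# in 64-bit words), reserved (u16), seq (u32), pid (u32); host byte order.
SADB_MSG = struct.Struct("=BBBBHHII")


def build_sadb_msg(msg_type, satype, seq, pid, extensions=b""):
    """Frame a PF_KEY request; extensions must already be 8-byte aligned."""
    if len(extensions) % 8:
        raise ValueError("PF_KEY extensions must be padded to 8 bytes")
    words = (SADB_MSG.size + len(extensions)) // 8
    header = SADB_MSG.pack(PF_KEY_V2, msg_type, 0, satype, words, 0, seq, pid)
    return header + extensions


def parse_sadb_msg(data):
    """Validate and decode the base header of one PF_KEY message."""
    if len(data) < SADB_MSG.size:
        raise ValueError("truncated sadb_msg header")
    version, mtype, err, satype, words, reserved, seq, pid = SADB_MSG.unpack_from(data)
    if version != PF_KEY_V2:
        raise ValueError("not a PF_KEY v2 message")
    if reserved != 0:
        raise ValueError("sadb_msg_reserved must be zero")
    if words * 8 != len(data):
        raise ValueError("sadb_msg_len does not match the message size")
    return {"type": SADB_TYPES.get(mtype, mtype), "errno": err,
            "satype": SADB_SATYPES.get(satype, satype),
            "seq": seq, "pid": pid, "extension_bytes": len(data) - SADB_MSG.size}


# Constructed sample: the request a key manager would write to a PF_KEY
# socket to list ESP security associations (not sent anywhere here).
SAMPLE_DUMP = build_sadb_msg(10, 3, seq=1, pid=4242)

if __name__ == "__main__":
    print(SAMPLE_DUMP.hex(), parse_sadb_msg(SAMPLE_DUMP))
```

Because the header carries its own length in 64-bit words, a receiver can reject truncated or padded messages before looking at any extension.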

New network processor architectures, including multi-core processors with integrated encryption engines, have prompted changes in the way IPsec stacks are designed. A dedicated fast path is now commonly used to offload IPsec processing (SA and SP lookups, encryption, etc.). These fast-path IPsec stack instances run on dedicated cores and must be integrated with the Linux or RTOS instances that control them from other cores.

There exist a number of implementations of IPsec and ISAKMP/IKE protocols. These include:
  • , Network processor MPU Fast Path IPsec stack
  • NRL IPsec, one of the original sources of IPsec code
  • OpenBSD, with its own code derived from NRL IPsec
  • the KAME stack, that is included in Mac OS X, NetBSD and FreeBSD
  • "IPsec" in Cisco IOS Software
  • "IPsec" in Microsoft Windows, including Windows XP, Windows 2000, Windows 2003, and both Windows Vista and Windows Server 2008.
  • SafeNet QuickSec toolkits
  • IPsec in Solaris
  • IBM AIX operating system
  • IBM z/OS
  • IPsec and IKE in HP-UX (HP-UX IPSec)
  • "IPsec and IKE" in VxWorks


Current status as a standard

IPsec implementation is a mandatory part of IPv6 but is not a required part of IPv4. However, because of the slow uptake of IPv6, IPsec is most commonly used to secure IPv4 traffic. IPsec protocols were originally defined in RFCs 1825 & 1829, published in 1995. In 1998, these documents were made obsolete by RFC 2401 & RFC 2412 (with which they were not compatible) although they were conceptually identical. In addition, a mutual authentication and key exchange protocol, Internet Key Exchange (IKE), was defined to create and manage security associations. In December 2005, these RFCs were themselves superseded by RFC 4301 & RFC 4309, which are largely a superset of the previous editions, and by a second version of the Internet Key Exchange standard, IKEv2. These third-generation documents standardized the abbreviation of IPsec to uppercase “IP” and lowercase “sec”. It is unusual to see any product that offers support for RFCs 1825 & 1829. “ESP” generally refers to RFC 2406, while ESPbis refers to RFC 4303.

Other VPN Protocols

  • IPsec
  • HIP Host Identity Protocol
  • L2F Layer 2 Forwarding Protocol
  • L2TP Layer 2 Tunneling Protocol
  • PLIP Parallel Line Internet Protocol
  • PPTP Point-to-Point Tunneling Protocol
  • PPP Point-to-Point Protocol
  • SLIP Serial Line Internet Protocol


See Also


  • Information security
  • NAT-T
  • Security association (SA)
  • Opportunistic encryption
  • Virtual private network


External links

  • , Internet Engineering Task Force (IETF)
  • IPsec WG still has important active drafts: https://datatracker.ietf.org/public/idindex.cgi?command=show_wg_id&id=1091
  • at the Open Directory Project


Standards

  • RFC 2367: PF_KEY Interface
  • RFC 2401: Security Architecture for the Internet Protocol (IPsec overview), obsoleted by RFC 4301
  • RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
  • RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
  • RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
  • RFC 2409: The Internet Key Exchange
  • RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
  • RFC 2411: IP Security Document Roadmap
  • RFC 2412: The OAKLEY Key Determination Protocol
  • RFC 2451: The ESP CBC-Mode Cipher Algorithms
  • RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH
  • RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
  • RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
  • RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements
  • RFC 3947: Negotiation of NAT-Traversal in the IKE
  • RFC 3948: UDP Encapsulation of IPsec ESP Packets
  • RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
  • RFC 4301: Security Architecture for the Internet Protocol
  • RFC 4302: IP Authentication Header
  • RFC 4303: IP Encapsulating Security Payload
  • RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)
  • RFC 4306: Internet Key Exchange (IKEv2) Protocol
  • RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
  • RFC 4308: Cryptographic Suites for IPsec
  • RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
  • RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
  • RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
  • RFC 4555: IKEv2 Mobility and Multihoming Protocol (MOBIKE)
  • RFC 4621: Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
  • RFC 4718: IKEv2 Clarifications and Implementation Guidelines
  • RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2
  • RFC 4809: Requirements for an IPsec Certificate Management Profile
  • RFC 4835: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
  • RFC 4945: The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX