2016/09/08 15:39:00

Internet Protocol Security (IPsec)

IPsec is a set of protocols for building VPNs that provide confidentiality and authentication services at the network layer of the OSI model.

IPsec was standardized in 1995 (RFC 1825) and includes three protocols, each with its own function:

  • ESP (Encapsulating Security Payload) performs the actual encryption of the data and can also provide source authentication and data integrity checking.

  • AH (Authentication Header) is responsible for source authentication and data integrity checking.

  • IKE (Internet Key Exchange) is used to establish an IPsec Security Association: the set of parameters of the protected connection (for example, the encryption algorithm, the encryption key, etc.) that the participants use for that connection. Through this protocol the participants agree which encryption algorithm will be used, which algorithm (if any) will be used for integrity checking, and how they will authenticate each other.

IPsec can operate in one of two modes: transport (the default) or tunnel. In transport mode the security mechanisms are applied only to the protocols from the transport layer upward, leaving the network-layer data itself (the IP header) without additional protection. In tunnel mode the original IP packet is taken and encrypted in its entirety, together with its IP header; the IPsec service information and a new IP header are then added in front of it. Tunnel mode is most often used to connect two private networks across a public one while providing encryption along the way (something like a secure GRE). Transport mode is appropriate when IP connectivity already exists but the traffic between the nodes needs to be encrypted.

As of 2016 IPsec is one of the most reliable solutions for building virtual private networks.

Among the shortcomings of IPsec is the large amount of additional information added to the original packet and, as a result, the overhead and complexity of the protocol.
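To make the transport/tunnel distinction and the per-packet overhead described above concrete, here is an added example (not part of the original article) that lays out ESP framing per RFC 4303 in both modes and measures the bytes added. The cipher is a stand-in XOR and the ICV a fixed placeholder, and all addresses and sizes are constructed, so only the framing is faithful.

```python
"""ESP framing (RFC 4303) in transport vs tunnel mode: makes the encapsulation
difference and the per-packet overhead concrete. Constructed example: the cipher is
a stand-in XOR and the ICV a fixed placeholder, so only the framing is faithful."""
import struct

ESP_PROTO, TCP_PROTO, IPV4_PROTO = 50, 6, 4
IV_LEN, ICV_LEN, BLOCK = 16, 12, 16   # sizes as for AES-CBC with HMAC-SHA1-96

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero in this example
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def toy_cipher(data, key=b"constructed-key"):
    # Stand-in for the negotiated cipher; XOR is its own inverse
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def esp_encapsulate(spi, seq, plaintext, next_header):
    # ESP trailer: padding up to the cipher block, then pad-length and next-header bytes
    pad_len = (-(len(plaintext) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return (struct.pack("!II", spi, seq) + bytes(IV_LEN)
            + toy_cipher(plaintext + trailer) + bytes(ICV_LEN))

def esp_decapsulate(esp):
    # Drop SPI/seq/IV and ICV, invert the cipher, then read the trailer
    body = toy_cipher(esp[8 + IV_LEN:-ICV_LEN])
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:-(pad_len + 2)]

def transport_mode(ip_packet, spi, seq):
    # Original IP header (and addresses) kept; ESP goes between it and the TCP segment
    src, dst = ip_packet[12:16], ip_packet[16:20]
    esp = esp_encapsulate(spi, seq, ip_packet[20:], TCP_PROTO)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(ip_packet, gw_src, gw_dst, spi, seq):
    # Whole original packet, header included, becomes the ESP payload;
    # a new outer IP header carries the gateway addresses
    esp = esp_encapsulate(spi, seq, ip_packet, IPV4_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def overhead(original, protected):
    return len(protected) - len(original)

# Constructed sample: 10.0.0.1 -> 10.0.1.1, 20-byte TCP header plus 100 bytes of data
SAMPLE_TCP = bytes(20) + b"A" * 100
SAMPLE_PKT = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x01\x01", TCP_PROTO, len(SAMPLE_TCP)) + SAMPLE_TCP
```

For the 140-byte sample packet, `overhead(SAMPLE_PKT, transport_mode(SAMPLE_PKT, 0x1234, 1))` returns 44 bytes, while tunnel mode (with the constructed gateway addresses) returns 60, the extra 16 being the second IP header and its padding.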
