Internet Protocol Security (IPsec) is a suite of protocols for protecting communications over IP networks by authenticating and/or encrypting each IP packet in a data stream. The set of security services offered includes:
access control;
connectionless integrity;
data origin authentication;
protection against replays;
confidentiality (encryption);
limited traffic flow confidentiality.
These services are provided at the network layer (layer 3 of the OSI model), offering protection for IP and/or upper layer protocols. IPsec also includes protocols for cryptographic key establishment such as Internet Key Exchange (IKE).
IPsec uses two protocols that can be applied either separately or together to provide a desired set of security services:
Authentication Header (AH): protects the IP packet header from third-party interference and spoofing by computing a cryptographic checksum over the IP packet header fields with a secure hashing function. The IP header is then followed by an additional header that contains the hash, allowing the information in the packet to be authenticated.
Encapsulating Security Payload (ESP): protects the IP packet data from third-party interference by encrypting the contents using symmetric cryptography algorithms.
All implementations of AH and ESP must support the concept of a Security Association (SA). An SA is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt a particular flow. Two types of SAs are defined:
Transport mode: only the payload of the original IP packet is encrypted, because the IPsec header appears immediately after the IP header and before higher layer protocols (e.g., TCP or UDP). Transport mode is used for host-to-host communications.
Tunnel mode: the entire IP packet is encrypted and it must be encapsulated into a new IP packet for routing to work. Tunnel mode is used for network-to-network communications (secure tunnels between routers) or host-to-network and host-to-host communications over the Internet.
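
The following is an added example, not part of the original text: a small classifier that reads a raw IPv4 packet and reports what an on-path observer can learn about the AH or ESP header and the mode in use. The protocol numbers (50 for ESP, 51 for AH, 4 and 41 for an encapsulated IP packet) and the header layouts come from the IPsec specifications rather than from this page; the helper names and all sample packets are constructed for illustration.

```python
import struct

PROTO_IPIP, PROTO_IPV6, PROTO_TCP, PROTO_ESP, PROTO_AH = 4, 41, 6, 50, 51

def classify_ipsec(packet: bytes) -> dict:
    """Report what an on-path observer can read from one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # outer header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, body = packet[9], packet[ihl:]        # byte 9 = protocol field
    if proto == PROTO_ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])
        # ESP keeps its Next Header in the encrypted trailer: the mode is hidden.
        return {"protocol": "ESP", "spi": spi, "seq": seq, "mode": "hidden"}
    if proto == PROTO_AH:
        if len(body) < 12:
            raise ValueError("truncated AH header")
        nxt, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4                  # length field = 32-bit words minus 2
        if ah_len < 12 or len(body) < ah_len:
            raise ValueError("bad AH length")
        # An inner IP header right after AH means the whole packet was encapsulated.
        mode = "tunnel" if nxt in (PROTO_IPIP, PROTO_IPV6) else "transport"
        return {"protocol": "AH", "spi": spi, "seq": seq, "mode": mode,
                "icv": body[12:ah_len]}
    return {"protocol": None, "spi": None, "seq": None, "mode": None}

# --- constructed sample packets (10.0.0.1 -> 10.0.0.2, checksums left at zero) ---
def build_ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def build_ah(next_hdr: int, spi: int, seq: int) -> bytes:
    # Payload length 4 -> 24-byte AH carrying a zeroed 96-bit hash (ICV).
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + bytes(12)

AH_TRANSPORT = build_ipv4(PROTO_AH, build_ah(PROTO_TCP, 0x1001, 1) + bytes(20))
AH_TUNNEL = build_ipv4(PROTO_AH, build_ah(PROTO_IPIP, 0x1002, 7)
                       + build_ipv4(PROTO_TCP, bytes(20)))
ESP_PACKET = build_ipv4(PROTO_ESP, struct.pack("!II", 0x2001, 3) + bytes(32))

if __name__ == "__main__":
    for name, pkt in [("AH transport", AH_TRANSPORT), ("AH tunnel", AH_TUNNEL),
                      ("ESP", ESP_PACKET)]:
        print(name, classify_ipsec(pkt))
```

With AH the next-header byte is in the clear, so the mode can be read off the wire; with ESP only the SPI and sequence number are visible, so transport and tunnel packets look alike to an observer.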