Securing the Internet with IPsec (Internet Security Architecture)

By Pete Loshin

The IP Security Architecture

The IP Security Architecture, or IPsec, offers an interoperable and open standard for building security into any Internet application. By adding security at the network layer (the IP layer, or layer 3 in the OSI reference model), IPsec enables security for individual applications as well as for virtual private networks (VPNs) capable of securely carrying enterprise data across the open Internet.

IPsec and its related protocols are already being widely implemented in virtual private network products. Despite its growing importance to existing deployed systems, not too many people truly grok IPsec, probably because it is complicated (a solid couple of dozen RFCs describe IPsec and its related protocols--please refer to the list of related RFCs at the end of the article).

Saying that IPsec specifies protocols for encrypting and authenticating data sent within IP packets is an oversimplification, and even obscures IPsec's full potential.

IPsec offers the following security services:

Altogether, IPsec provides for the integration of algorithms, protocols, and security infrastructures into an overarching security architecture.

The stated goal of the IP Security Architecture is "to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments." [RFC2401]. This means security services that are: interoperable, high-quality, and cryptographically-based.

The IP security architecture allows systems to choose the required security protocols, identify the cryptographic algorithms to use with those protocols, and exchange any keys or other material or information necessary to provide security services.