IPsec
The TCP/IP model (RFC 1122) |
---|
Application Layer |
Transport Layer |
Internet Layer |
Link Layer |
Internet Protocol Security (IPsec) is a way of making Internet communications more secure and private.
IPsec is a collection of protocols for securing Internet Protocol (IP) communications by authenticating (and optionally encrypting) each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. RFC 2406
IPsec is an end-to-end security solution and operates at the Internet Layer of the Internet Protocol Suite, comparable to Layer 3 in the OSI model. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate in the upper layers of these models. This makes IPsec more flexible, as it can be used for protecting all the higher level protocols, because applications do not need to be designed to use IPsec, whereas the use of TLS/SSL or other higher-layer protocols must be built-in the application.
The term "IPsec" is officially defined by the Internet Engineering Task Force (IETF). This definition includes the form of capitalization used for the term; it is often incorrectly spelled IPSec.
Related pages
Other websites
- IP Security Protocol Official Charter, Internet Engineering Task Force (IETF)
- IPsec WG still has important active drafts
- All IETF active security WGs
- IETF BTNS WG (chartered to work on unauthenticated IPsec, IPsec APIs, connection latching)
- Securing Data in Transit with IPsec Archived 2008-10-13 at the Wayback Machine
- IPsec[permanent dead link] at the Open Directory Project
- Microsoft IPsec Diagnostic Tool
- An Illustrated Guide to IPsec
- Data Communication Lectures of Manfred Lindner - Part IPsec Archived 2011-05-31 at the Wayback Machine
Standards
- RFC 2367: PF_KEY Interface
- RFC 2401: Security Architecture for the Internet Protocol (IPsec overview)
- RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
- RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH* RFC 2367: PF_KEY Interface
- RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
- RFC 2409: The Internet Key Exchange
- RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
- RFC 2411: IP Security Document Roadmap
- RFC 2412: The OAKLEY Key Determination Protocol
- RFC 2451: The ESP CBC-Mode Cipher Algorithms
- RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH
- RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
- RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
- RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements
- RFC 3947: Negotiation of NAT-Traversal in the IKE
- RFC 3948: UDP Encapsulation of IPsec ESP Packets
- RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
- RFC 4301: Security Architecture for the Internet Protocol
- RFC 4302: IP Authentication Header
- RFC 4303: IP Encapsulating Security Payload
- RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)
- RFC 4306: Internet Key Exchange (IKEv2) Protocol
- RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
- RFC 4308: Cryptographic Suites for IPsec
- RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
- RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
- RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
- RFC 4555: IKEv2 Mobility and Multihoming Protocol (MOBIKE)
- RFC 4621: Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
- RFC 4718: IKEv2 Clarifications and Implementation Guidelines
- RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2
- RFC 4809: Requirements for an IPsec Certificate Management Profile
- RFC 4835: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
- RFC 4945: The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX