A majority of today's corporate, government, and
academic networks, including the Internet, are based on the Internet
Protocol (IP). However, IP networks are susceptible to a variety
of security threats, such as identity impersonation (referred to
as spoofing), loss of privacy, loss of data integrity, communications
monitoring, and denial-of-service. Because of these threats, the
Internet Engineering Task Force (IETF) defined a framework for IP
security called IPSec.
All traffic passing through an IP network, including the Internet,
must use the IP protocol. By securing the IP layer, you secure the
network. IPSec provides security services at the network layer rather
than at the application layer. Consequently, the security-based
protection provided by IPSec is transparent to applications communicating
over networks (Internet/intranet) with IPSec.
Two new IP headers have been defined by the IETF to provide authentication
and confidentiality at the IP layer. These headers are the Authentication
Header (AH) and the Encapsulating Security Payload (ESP) header.
For most applications, use of just one of these headers provides
a sufficient level of security. Used alone or, in some cases, together,
they can provide some or all of the following security services
to applications communicating over an IP network running IPSec:
Integrity
Guarantee data consistency; prevent unauthorized creation, modification,
or deletion of data between source and destination.
Authentication
Ensure that the received data is the same as the data sent
and that the claimed sender is the actual sender.
Confidentiality
Provide data privacy such that only the intended recipients
of the data know what is being sent.
Application Transparency
The AH and ESP headers are inserted between the standard IP
version 4 protocol header and the upper-layer data (such as a TCP
packet). IPSec traffic can pass transparently through existing IP
routers. In addition, any application that uses IP can use IPSec
without modification. For example, if you have a TCP BSD Socket
or XTI Streams application, you can run that application over IPSec
without modifying your application. HP-UX networking services, such
as the HP-UX Internet Services (including telnet, FTP and sendmail)
can use IPSec without modification.
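As an added example (not part of the HP-UX documentation), the following Python parser walks a constructed IPv4 packet and locates the AH or ESP header sitting between the IPv4 header and the upper-layer TCP header, as described above. The addresses, SPIs and packet contents are constructed sample values, and the parser also shows that with ESP the upper-layer protocol is not visible to an observer, whereas with AH it is.

```python
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options) for 10.0.0.1 -> 10.0.0.2; checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Walk an IPv4 packet and report where AH/ESP sit relative to the upper-layer header."""
    ihl = (pkt[0] & 0x0F) * 4          # IHL field gives header length in 32-bit words
    proto = pkt[9]                     # protocol field: 51 = AH, 50 = ESP, 6 = TCP
    out = {"ip_protocol": proto, "ipsec": None, "upper_protocol": None, "upper_offset": None}
    off = ihl
    if proto == IPPROTO_AH:
        # AH layout: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV
        next_hdr, payload_len = pkt[off], pkt[off + 1]
        spi, seq = struct.unpack("!II", pkt[off + 4:off + 12])
        ah_len = (payload_len + 2) * 4
        out["ipsec"] = {"type": "AH", "spi": spi, "seq": seq, "length": ah_len}
        out["upper_protocol"], out["upper_offset"] = next_hdr, off + ah_len
    elif proto == IPPROTO_ESP:
        # ESP layout: SPI and sequence are in the clear; the next-header field sits in the
        # encrypted trailer, so the upper-layer protocol cannot be read without the SA's key.
        spi, seq = struct.unpack("!II", pkt[off:off + 8])
        out["ipsec"] = {"type": "ESP", "spi": spi, "seq": seq}
    else:
        out["upper_protocol"], out["upper_offset"] = proto, off
    return out


# Constructed transport-mode samples: a TCP header (telnet, port 23) carried behind AH and behind ESP.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, 0x02, 65535, 0, 0)
AH_HDR = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x1000, 1) + bytes(12)  # 24 bytes incl. 96-bit ICV
SAMPLE_AH = build_ipv4(IPPROTO_AH, AH_HDR + TCP_HDR)
ESP_HDR = struct.pack("!II", 0x2000, 1)
SAMPLE_ESP = build_ipv4(IPPROTO_ESP, ESP_HDR + bytes(32))  # 32 zero bytes stand in for ciphertext

if __name__ == "__main__":
    for name, pkt in (("AH", SAMPLE_AH), ("ESP", SAMPLE_ESP)):
        print(name, parse_ipv4(pkt))
```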