IPsec (Internet Protocol Security) is a collection of protocol extensions for the Internet Protocol (IP), specified in a series of standards (RFCs). The extensions enable encryption and authentication of information transmitted over IP and thus provide secure communication in IP networks such as the Internet.
What is the IPsec protocol used for?
With the help of Internet Protocol Security, it is possible to encrypt data and authenticate communication partners. Information exchange in potentially insecure networks such as the Internet can thus be protected.
IPsec can be used with both IPv4 and IPv6. It allows secure LAN-to-LAN VPNs, host-to-gateway VPNs, and host-to-host VPNs to be implemented. Internet Protocol Security works at the network layer and, because it authenticates packets, defeats attack techniques such as IP spoofing.
Important protocol standards of IPsec include Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP).
Key features of IPsec
Key features of Internet Protocol Security are:
- Interoperability with the IP protocol world
- Integrity of data
- Cryptographic protection by encrypting the transmitted data
- Support of different key management methods
- Authentication of the communication partner
The different modes of Internet Protocol Security
Internet Protocol Security has two modes: transport mode and tunnel mode.
Transport mode protects traffic directly between two endpoints (point-to-point). The IPsec header is inserted between the original IP header and the transported data.
In tunnel mode, two networks are connected through a secure tunnel between two gateways or routers. The end devices in the two networks do not themselves have to support Internet Protocol Security.
Traffic is protected only on the section of the path between the two routers or gateways. On that section a new outer IP header is used, while the IP addresses of the actual communication endpoints are carried in the inner, protected IP header.
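The two encapsulations described above, as an added example that is not code from the original article: it builds an ESP-protected IPv4 packet in transport mode and in tunnel mode and then parses each the way a device on the path would, without the SA keys. The header builders are simplified assumptions of this example (IP checksum left at zero, ESP trailer and ICV omitted, ESP payload not actually encrypted), because the point is the header layout and what remains readable, not the cipher.

```python
"""Added example, not code from the original article: how transport mode and
tunnel mode lay out an ESP-protected IPv4 packet, and what a device on the
path can read from each. Simplifications (assumptions of this example): the
IP checksum is left at zero, the ESP trailer and ICV are omitted, and the ESP
payload is not actually encrypted, so that the header layout is the only
thing being demonstrated."""
import socket
import struct

IP_PROTO_ESP = 50  # IP protocol number carried in the outer header for ESP
IP_PROTO_TCP = 6
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_header(src, dst, protocol, payload_len):
    """Minimal IPv4 header: version 4, IHL 5, DF set, TTL 64, checksum left at zero."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))


def esp_header(spi, seq):
    """ESP header: 32-bit Security Parameters Index, 32-bit sequence number."""
    return struct.pack("!II", spi, seq)


def transport_mode(src, dst, spi, seq, segment):
    """Transport mode: original IP header | ESP | protected transport segment.
    The endpoints' own addresses remain in the clear; the ports do not."""
    body = esp_header(spi, seq) + segment
    return ipv4_header(src, dst, IP_PROTO_ESP, len(body)) + body


def tunnel_mode(gw_src, gw_dst, spi, seq, inner_src, inner_dst, segment):
    """Tunnel mode: new outer IP header (gateways) | ESP | whole inner IP packet.
    The inner header with the real endpoint addresses sits inside the protected part."""
    inner_packet = ipv4_header(inner_src, inner_dst, IP_PROTO_TCP, len(segment)) + segment
    body = esp_header(spi, seq) + inner_packet
    return ipv4_header(gw_src, gw_dst, IP_PROTO_ESP, len(body)) + body


def observer_view(packet):
    """What an on-path device (router, NAT box, sniffer) can parse without the
    SA keys: the outer IP header plus the ESP SPI and sequence number. Every
    byte after the ESP header is ciphertext to it, so inner addresses and
    transport ports are out of reach."""
    fields = struct.unpack(IPV4_FMT, packet[:20])
    if fields[0] != 0x45 or fields[6] != IP_PROTO_ESP:
        raise ValueError("not a plain IPv4/ESP packet")
    spi, seq = struct.unpack("!II", packet[20:28])
    return {
        "src": socket.inet_ntoa(fields[8]),
        "dst": socket.inet_ntoa(fields[9]),
        "spi": spi,
        "seq": seq,
        "opaque_bytes": len(packet) - 28,
    }


# Constructed sample: a 20-byte TCP SYN from port 49152 to port 443.
SEGMENT = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)

if __name__ == "__main__":
    t = transport_mode("10.0.0.5", "192.0.2.10", 0x1000, 1, SEGMENT)
    u = tunnel_mode("198.51.100.1", "203.0.113.1", 0x2000, 7,
                    "10.0.0.5", "192.0.2.10", SEGMENT)
    print("transport:", observer_view(t))  # endpoint addresses visible, ports hidden
    print("tunnel:   ", observer_view(u))  # only the gateway addresses are visible
```

In transport mode the observer still learns which two hosts are talking; in tunnel mode it learns only the two gateways, and the 20 extra opaque bytes are the inner IP header. That difference is also why the end devices behind a tunnel need no IPsec support of their own.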
The different key management methods
With IPsec, the keys can be managed in different ways. In addition to manual key management, automatic key management is possible using the Internet Key Exchange protocol (IKE). IKE uses the Diffie-Hellman method to generate keys securely.
A newer version of IKE is IKEv2, which simplifies configuration and connection setup and removes weaknesses of the previous version. With manual key management, the keys are configured statically at the two endpoints of the encrypted connection.
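The Diffie-Hellman agreement that IKE uses for automatic key management, carried through for both peers as an added example (not code from the original article or any IKE implementation). The group parameters are a toy assumption of this example so the numbers stay small; real IKE negotiates a standardized group from its configured proposal. The nonces, the PRF-style derivation and the function names are likewise constructed for illustration.

```python
"""Added example, not code from the original article: the Diffie-Hellman
agreement that IKE uses for automatic key management, carried through for
both peers. The group below is a toy (assumption of this example); real IKE
negotiates a standardized group. Nonces are random in normal use and
constructed sample values when the functions are tested."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy prime modulus, NOT a standardized IKE group
G = 3                # toy generator


def generate_keypair():
    """Private exponent x in [1, P-2] and public value g^x mod P."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def shared_secret(private, peer_public):
    """g^(xy) mod P; reject degenerate peer values before exponentiating."""
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def derive_keys(secret, nonce_i, nonce_r, length=32):
    """Turn the raw DH secret into keying material, in the spirit of IKE's PRF:
    a seed keyed by both nonces, then an HMAC chain expanded to the requested
    length. The raw secret is never used as a key directly."""
    secret_bytes = secret.to_bytes((P.bit_length() + 7) // 8, "big")
    skeyseed = hmac.new(nonce_i + nonce_r, secret_bytes, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(skeyseed, block + nonce_i + nonce_r + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def run_exchange(nonce_i=None, nonce_r=None):
    """Simulate initiator and responder: each computes keys from its own
    private value and the other's public value. Returns both results so the
    caller can confirm they agree."""
    nonce_i = nonce_i or secrets.token_bytes(16)
    nonce_r = nonce_r or secrets.token_bytes(16)
    x_i, g_i = generate_keypair()          # initiator sends g_i and nonce_i
    x_r, g_r = generate_keypair()          # responder replies with g_r and nonce_r
    keys_i = derive_keys(shared_secret(x_i, g_r), nonce_i, nonce_r)
    keys_r = derive_keys(shared_secret(x_r, g_i), nonce_i, nonce_r)
    return keys_i, keys_r


if __name__ == "__main__":
    k_i, k_r = run_exchange()
    print("both sides derived the same keys:", k_i == k_r)
```

The exchange alone tells neither side who it is talking to, which is why IKE combines it with authentication of the communication partner (pre-shared keys or certificates). Rejecting public values of 0, 1 and P-1 is the standard check that keeps a peer from forcing a predictable shared secret.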
Internet Protocol Security and NAT
In combination with Network Address Translation (NAT), problems can occur when establishing a secure connection. NAT replaces the source IP address of an outgoing packet and, with port translation, the source port as well.
Because the rewritten fields are covered by IPsec's integrity protection, the modified packet no longer passes the integrity check. IPsec drops such packets and the connection setup fails.
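Why a normal router on the path is tolerated while NAT is not, shown as an added example that is not code from the original article: a simplified AH-style integrity check value (ICV) over an IPv4 packet. As AH does, the header fields a router may legitimately change (DSCP/ECN, flags and fragment offset, TTL, header checksum) are zeroed before the MAC is computed, while the addresses and the whole payload stay covered. Leaving out the AH header itself and the exact truncation rules, and the key and packet contents, are assumptions of this example.

```python
"""Added example, not code from the original article: a simplified AH-style
integrity check (ICV) over an IPv4 packet, showing why IPsec tolerates a
normal router on the path but rejects a packet that NAT has rewritten.
Mutable header fields are zeroed before the MAC is computed, as AH does;
the AH header itself and the exact truncation rules are left out
(assumption of this example). Key and packet contents are constructed."""
import hashlib
import hmac
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header):
    """Standard one's-complement checksum over the 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header):
    """Return the header with its checksum field recomputed."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def build_packet(src, dst, protocol, segment, ttl=64):
    raw = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                      ttl, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(raw) + segment


def zero_mutable_fields(header):
    """Mask the fields that change in normal forwarding so they are excluded
    from integrity protection; addresses (bytes 12-19) stay covered."""
    h = bytearray(header)
    h[1] = 0                 # DSCP / ECN
    h[6:8] = b"\x00\x00"     # flags / fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def compute_icv(key, packet):
    """HMAC-SHA256 over (masked header + payload), truncated to 128 bits."""
    data = zero_mutable_fields(packet[:20]) + packet[20:]
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def verify_icv(key, packet, icv):
    """Receiver-side check; constant-time comparison of the recomputed ICV."""
    return hmac.compare_digest(compute_icv(key, packet), icv)


def router_forward(packet):
    """A plain router: decrement TTL and refresh the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return with_checksum(bytes(h)) + packet[20:]


def nat_rewrite(packet, new_src, new_sport):
    """A NAPT box: new source address in the IP header and new source port in
    the transport header (first two bytes of the segment), checksum refreshed."""
    h = bytearray(packet[:20])
    h[12:16] = socket.inet_aton(new_src)
    seg = bytearray(packet[20:])
    seg[0:2] = struct.pack("!H", new_sport)
    return with_checksum(bytes(h)) + bytes(seg)


# Constructed sample: UDP header (src 40000, dst 4500, length 12, checksum 0) + 4 data bytes.
SEGMENT = struct.pack("!HHHH", 40000, 4500, 12, 0) + b"data"
KEY = b"constructed-sa-key-not-for-real-use"

if __name__ == "__main__":
    pkt = build_packet("10.0.0.5", "192.0.2.10", 17, SEGMENT)
    icv = compute_icv(KEY, pkt)
    print("after router:", verify_icv(KEY, router_forward(pkt), icv))                      # True
    print("after NAT:   ", verify_icv(KEY, nat_rewrite(pkt, "198.51.100.7", 50001), icv))  # False
```

The TTL decrement and checksum refresh of ordinary forwarding are masked out and the ICV still verifies; the address and port rewrite of NAT touches covered bytes and the receiver discards the packet, which is exactly the failed connection setup described above. In operational terms, a one-sided stream of dropped IPsec packets at a gateway behind NAT is a strong hint that NAT traversal has not been negotiated.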
In addition, IPsec may encrypt the IP addresses and transport ports themselves. The NAT router cannot read this encrypted information and therefore cannot translate addresses or ports, so address translation for such connections fails. To avoid these problems with NAT, methods such as IPsec passthrough or IPsec with NAT traversal are used.
With NAT traversal, the communication partners exchange their traffic via a special NAT traversal protocol.