8.3 IPSec
Knowledge is of two kinds. We know a subject ourselves, or we know where
we can find information upon it.
Samuel Johnson 8.5 (1709-1784)
— from Life of Samuel Johnson (1791), 7 April 1775, by James Boswell 8.6
What IS IPSec?
Internet Protocol Security (IPSec) is a framework of open standards for
establishing end-to-end security in a network architecture. The IETF developed
the IPSec standards, under which it ensures cryptographically enforced authenticity,
confidentiality, and integrity of data transferred over a public IP network.
Perhaps the most important attribute of IPSec is that it provides security to all
traffic at the IP level, including the traffic of those distributed applications
mentioned at the end of the previous section on page 293.
IPSec is a very complex mechanism and is still evolving. It is not as prevalent
as SSL/TLS (studied in Section 5.7), but it operates one layer lower, protecting
every IP packet rather than individual application sessions, and we shall argue in
this section that it is the more secure of the two. IPSec's complexity has drawn
criticism from some cryptographers, but even they agree that IPSec is the best there
is for secure Internet communications at this point in time. Succinctly, an
IPSec-enabled computer is one that can authenticate any data packet it receives and
encipher any data packet it sends.
The majority of IPSec's security services are provided by two traffic security
protocols, the Authentication Header (AH) and the Encapsulating Security Payload
(ESP), together with, optionally (keys may also be configured manually), the
Internet Key Exchange (IKE) for exchanging keys and negotiating security
associations. (All of this will be described in detail later in this section.)
According to the IPSec documentation, AH provides authentication only, meaning
verification of the origin and integrity of the message sent; it offers no
confidentiality. ESP, on the other hand, provides confidentiality together with
(optional) integrity and origin authentication, albeit AH authenticates more of the
packet: its integrity check also covers the immutable fields of the IP header,
whereas ESP's covers only the ESP header and the payload that follows it. IPSec
does not fix the cryptographic suites to be used, since its security protocols are
designed to be algorithm-independent. However, there is a default
(mandatory-to-implement) suite of cryptographic algorithms for AH and ESP, so that
any two conforming implementations can interoperate.
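The difference in what AH and ESP authenticate is easiest to see in bytes. The following Python is an added example, not code from the text: it computes the AH integrity check (over the IP header with its mutable fields zeroed, the AH header, and the payload) and the ESP integrity check (over the ESP header and payload only), then shows which in-transit changes each one tolerates. It assumes IPv4 transport mode, HMAC-SHA1-96 as the integrity algorithm for both protocols, and ESP with the NULL cipher (so that no encryption library is needed); the key, addresses and payload are constructed test data.

```python
"""What AH and ESP integrity protection actually cover (added example).

Assumptions, not from the text: IPv4 transport mode, HMAC-SHA1-96 (RFC 2404)
as the integrity algorithm for both protocols, and ESP with the NULL cipher
(RFC 2410) so that no encryption library is needed. The key, addresses and
payload below are constructed test data.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96: the 20-byte tag is truncated to 96 bits
IPPROTO_AH, IPPROTO_ESP = 51, 50


def _ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]

def _ah_covered_header(ip_hdr: bytes) -> bytes:
    """IPv4 header as AH sees it: mutable fields zeroed (RFC 4302, 3.3.3.1.1.1).
    Addresses and protocol stay covered; fields routers may change are excluded."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_build(key: bytes, ip_hdr: bytes, payload: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """Return the AH header (fixed part + ICV) for IP | AH | payload."""
    payload_len = (12 + ICV_LEN) // 4 - 2          # AH length in 32-bit words minus 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    covered = _ah_covered_header(ip_hdr) + fixed + bytes(ICV_LEN) + payload  # ICV field zeroed
    icv = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv

def ah_verify(key: bytes, ip_hdr: bytes, ah: bytes, payload: bytes) -> bool:
    fixed, icv = ah[:-ICV_LEN], ah[-ICV_LEN:]
    covered = _ah_covered_header(ip_hdr) + fixed + bytes(ICV_LEN) + payload
    return hmac.compare_digest(icv, hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN])

def esp_build(key: bytes, payload: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP with NULL encryption: SPI | seq | payload | padding | pad len | next hdr | ICV.
    The ICV covers everything from the SPI to Next Header and nothing in front of it."""
    pad_len = (-(len(payload) + 2)) % 4            # right-align pad len + next hdr on 4 bytes
    padding = bytes(range(1, pad_len + 1))          # default self-describing padding 1,2,3,...
    esp = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return esp + hmac.new(key, esp, hashlib.sha1).digest()[:ICV_LEN]

def esp_verify(key: bytes, esp: bytes) -> bool:
    """Note the signature: the IP header is not an input to ESP's check at all."""
    data, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN])

def demo() -> dict:
    key = b"\x0b" * 20                                # constructed test key
    src, dst, nat_src = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([203, 0, 113, 9])
    payload, next_header = b"constructed upper-layer data", 17   # would be a UDP datagram
    out = {}
    # AH, transport mode: IP | AH | payload, with the IP protocol field set to 51.
    total = 20 + 12 + ICV_LEN + len(payload)
    ip_ah = ipv4_header(src, dst, IPPROTO_AH, total, ttl=64)
    ah = ah_build(key, ip_ah, payload, next_header, spi=0x1000, seq=1)
    out["ah_ok"] = ah_verify(key, ip_ah, ah, payload)
    # A router decrements TTL and recomputes the checksum: both are mutable, AH still passes.
    out["ah_after_hop"] = ah_verify(key, ipv4_header(src, dst, IPPROTO_AH, total, ttl=63), ah, payload)
    # A NAT rewrites the source address: covered by AH, so it fails (AH cannot traverse NAT).
    out["ah_after_nat"] = ah_verify(key, ipv4_header(nat_src, dst, IPPROTO_AH, total, ttl=63), ah, payload)
    # ESP, transport mode: IP | ESP ..., protocol field 50. The outer header is not covered,
    # which is why ESP survives address rewriting (with NAT traversal) where AH does not.
    esp = esp_build(key, payload, next_header, spi=0x2000, seq=1)
    out["esp_ok"] = esp_verify(key, esp)
    tampered = bytearray(esp)
    tampered[8] ^= 0x01                               # first payload byte, after SPI and seq
    out["esp_payload_tamper"] = esp_verify(key, bytes(tampered))
    return out

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'verifies' if ok else 'REJECTED'}")
```

Running `demo()` shows the practical consequence of the coverage difference: AH accepts a packet whose TTL and checksum a router has changed but rejects one whose source address a NAT has rewritten, while ESP never looks at the IP header and only rejects changes to what it encapsulates. The NULL cipher is used here purely to isolate the integrity scope; it gives no confidentiality, and a real ESP security association would pair the ICV with an actual cipher or use an AEAD algorithm.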
Why Use IPSec?
Everyone from corporations to individuals is increasingly seeking more security
for their communications. For business organizations, leasing lines dedicated to the
company provides the security, but the cost can be prohibitive, and such lines are
relatively inflexible when compared to the Internet. Thus, an increasingly common
choice is being exercised, namely, the Virtual Private Network
8.5 See page 180.
8.6 Boswell (1740-1795) was a Scottish lawyer, who was Johnson's biographer.