Glossary // Internet Protocol Security (IPsec)
What is IPsec?
IPsec (Internet Protocol Security) is a suite of protocols that secures communication across IP networks. It provides security services for IP traffic such as data confidentiality (encryption of sensitive data), authentication of the sender, integrity protection and protection against replayed packets.
IPsec uses the following protocols to secure IP network traffic:
- Authentication Header (AH) protects the data within an IP packet from tampering, so that nobody on the path can alter the contents of a packet sent from the server to the client without detection. AH authenticates the contents of the whole packet (the payload plus the header fields that do not change in transit) with an integrity check value computed with a shared key, and carries a sequence number, thereby providing protection against replay attacks, spoofing and tampering. AH protects the data from modification, but it does not hide it: anyone capturing the traffic can still read it.
- Encapsulating Security Payload (ESP) encrypts the payload of a packet and also provides authentication, anti-replay protection and integrity checking. Its encryption of the packet contents is what gives IPsec confidentiality.
- Internet Key Exchange (IKE) lets the hosts at both ends of a VPN tunnel authenticate each other (using mutually agreed keys or certificates), agree on the encryption and integrity algorithms to use, and establish the session keys with which they encrypt and decrypt the data packets.
IPsec is broadly used for the following purposes:
- To build a dedicated tunnel between two hosts (IPsec tunneling), so that all traffic between them, including the application-layer data, is encrypted and protected.
- To secure routers exchanging data across the Internet, and to provide authentication without encryption (integrity and origin authentication only, as AH offers).
IPsec is usually configured to operate in one of the following two modes:
- Transport Mode is used for end-to-end communication, such as between a host and a server. The data contents (the IP payload) are protected, but the original IP header stays visible, so anyone watching the network can still see which hosts are talking and the traffic patterns between them. In transport mode, the sender and receiver themselves perform the cryptographic operations, such as encryption.
- Tunnel Mode protects the entire original IP packet by encapsulating it inside a new outer packet. It is usually used to encrypt traffic between two routers or gateways connected over the Internet via IPsec VPN tunnels. In tunnel mode, the cryptographic operations are handled by the gateways or routers at both ends of the tunnel rather than by the original sender and receiver (a host can also terminate a tunnel itself).
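The following Python model is an added illustration, not code from this glossary or from any IPsec implementation. It ties together the AH description above (a keyed integrity check over the immutable header fields and payload, plus a sequence number and a receiver-side anti-replay window) and the two modes (transport mode keeps the real endpoints visible to an observer, tunnel mode exposes only the gateways). Packets are plain dictionaries, the addresses and key are constructed demo values, and the ICV is HMAC-SHA256; real AH and ESP are binary headers with their own field layouts, and ESP's encryption is not modelled here.

```python
"""Toy model of IPsec AH integrity protection, the anti-replay window and
transport vs tunnel mode encapsulation (added illustration; not a protocol
implementation, packets are dicts rather than wire-format headers)."""
import hashlib
import hmac

WINDOW_SIZE = 64  # sliding anti-replay window, as in RFC 4303 Appendix A


def make_packet(src, dst, payload, ttl=64):
    """A simplified IP packet: a few header fields plus a bytes payload."""
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload}


def _icv(key, spi, seq, pkt):
    """Integrity check value over the immutable header fields (src, dst),
    the AH fields (SPI, sequence number) and the payload.  TTL changes at
    every hop, so it is excluded, exactly as AH excludes mutable fields."""
    covered = b"|".join([pkt["src"].encode(), pkt["dst"].encode(),
                         spi.to_bytes(4, "big"), seq.to_bytes(4, "big"),
                         pkt["payload"]])
    return hmac.new(key, covered, hashlib.sha256).digest()


def ah_protect(key, spi, seq, pkt):
    """Sender side: attach AH fields (SPI, sequence number, ICV)."""
    out = dict(pkt)
    out["ah"] = {"spi": spi, "seq": seq, "icv": _icv(key, spi, seq, pkt)}
    return out


class ReplayWindow:
    """Receiver state for one security association: the highest sequence
    number accepted so far plus a bitmap of the last WINDOW_SIZE numbers."""

    def __init__(self, size=WINDOW_SIZE):
        self.size, self.highest, self.bitmap = size, 0, 0

    def check_and_update(self, seq):
        """Accept seq if it is new and inside the window; record it."""
        if seq == 0:
            return False  # sequence number 0 is never valid
        if seq > self.highest:  # advance the window to the right
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # too old: fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return False  # already accepted once: this is a replay
        self.bitmap |= 1 << offset
        return True


def ah_verify(key, window, pkt):
    """Receiver side: check the ICV first, then the anti-replay window."""
    ah = pkt["ah"]
    if not hmac.compare_digest(_icv(key, ah["spi"], ah["seq"], pkt), ah["icv"]):
        return False  # header or payload altered, or wrong key
    return window.check_and_update(ah["seq"])


def encode_inner(pkt):
    """Serialise an inner packet so it can ride as an outer packet's payload."""
    return b"|".join([pkt["src"].encode(), pkt["dst"].encode(),
                      str(pkt["ttl"]).encode(), pkt["payload"]])


def decode_inner(blob):
    src, dst, ttl, payload = blob.split(b"|", 3)
    return make_packet(src.decode(), dst.decode(), payload, int(ttl))


def transport_encap(key, spi, seq, pkt):
    """Transport mode: the original header is kept; only the payload rides
    behind AH, so the real endpoints remain visible on the wire."""
    return ah_protect(key, spi, seq, pkt)


def tunnel_encap(key, spi, seq, gw_src, gw_dst, inner):
    """Tunnel mode: the whole inner packet becomes the payload of a new
    outer packet addressed between the two gateways."""
    return ah_protect(key, spi, seq, make_packet(gw_src, gw_dst, encode_inner(inner)))


def observer_view(pkt):
    """What a passive observer on the path learns from the visible header."""
    return (pkt["src"], pkt["dst"])


def demo():
    key, spi = b"constructed-demo-key-not-a-real-sa", 0x1001  # constructed
    host_a, host_b = "10.0.0.5", "10.0.1.7"                     # constructed
    inner = make_packet(host_a, host_b, b"GET / HTTP/1.1")
    t = transport_encap(key, spi, 1, make_packet(host_a, host_b, b"GET / HTTP/1.1"))
    u = tunnel_encap(key, spi, 2, "203.0.113.1", "198.51.100.1", inner)
    win, r = ReplayWindow(), {}
    r["transport_view"] = observer_view(t)   # real hosts visible
    r["tunnel_view"] = observer_view(u)      # only the gateways visible
    r["accept_seq1"] = ah_verify(key, win, t)
    r["accept_seq2"] = ah_verify(key, win, u)
    r["inner_recovered"] = decode_inner(u["payload"]) == inner
    hop = transport_encap(key, spi, 3, make_packet(host_a, host_b, b"ping"))
    hop["ttl"] -= 1                          # a router decremented TTL: fine
    r["ttl_rewrite_ok"] = ah_verify(key, win, hop)
    bad = transport_encap(key, spi, 4, make_packet(host_a, host_b, b"amount=10"))
    bad["payload"] = b"amount=99"            # payload altered in transit
    r["payload_tamper"] = ah_verify(key, win, bad)
    r["replay_seq1"] = ah_verify(key, win, t)  # re-sent packet: rejected
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ICV check runs before the window update so that a forged packet can never advance or poison the receiver's replay state; the window itself follows the bitmap scheme of RFC 4303 Appendix A, where numbers older than the window's left edge are dropped outright and numbers inside it are accepted at most once.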