IPSec Diagrams

Some Background.  IPSec (IP Security) is described, in part, by the IETF (Internet Engineering Task Force) as

"a framework of open standards for ensuring private, secure communications over IP networks, through the use of cryptographic security services."

The framework is described in RFCs 2401 - 2412.

IPSec is not bound to any particular authentication or encryption method or algorithm.  Older security measures were usually implemented at the application layer of the OSI model, which made their use largely application dependent.  IPSec is implemented at the network layer of the OSI model, so it is not application dependent: individual applications do not need to be configured for IPSec.

Modes.  IPSec can be implemented in two different modes.

  • Transport Mode
    • only the data (payload) is encrypted
    • since the IP header is not encrypted, packets are smaller than in tunnel mode
    • typically used in host-to-host VPNs
  • Tunnel Mode
    • both the data and the original IP header are encrypted
    • packets are larger than in transport mode, since the whole original packet is encrypted and carried behind a new outer IP header
    • somewhat slower than transport mode since packets are larger
    • considered more secure, since the original IP header is protected as well
    • typically used in host-to-gateway or gateway-to-gateway VPNs

Security Protocols.  IPSec relies on two different security protocols.

  • AH - Authentication Header
    • authenticates packets by "signing" them with a keyed integrity check value
      • the value is specific to each packet, which helps verify the validity of the data source
    • ensures the integrity of the data
  • ESP - Encapsulating Security Payload
    • also provides authentication and integrity for the payload
    • provides confidentiality by encrypting the payload
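The AH behaviour and the transport/tunnel mode size difference described above, as an added Python example (not from the original page or any IPSec implementation): it builds a transport-mode AH packet with HMAC-SHA-1-96 (RFC 2404), verifies it the way a receiver would, and shows that a payload or address change fails verification while a TTL change made by a router still passes. The key, addresses and payload are constructed sample values; the tunnel-mode case is the same call with a gateway header wrapped around the whole inner packet.

```python
import hashlib
import hmac
import struct
AH_PROTO = 51   # IP protocol number of the Authentication Header
ICV_LEN = 12    # HMAC-SHA-1-96 (RFC 2404): HMAC-SHA-1 output truncated to 96 bits

def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def zero_mutable(ip_hdr):
    """Zero the IPv4 fields AH leaves out of the ICV because they change in flight
    (RFC 2402): TOS, flags/fragment offset, TTL, checksum. Assumes a 20-byte header."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def ah_header(next_hdr, spi, seq, tag):
    # next header, payload length in 32-bit words minus 2, reserved, SPI, sequence, ICV
    return struct.pack("!BBHII", next_hdr, (12 + len(tag)) // 4 - 2, 0, spi, seq) + tag

def ah_protect(key, ip_hdr, payload, spi, seq):
    """Transport mode: AH goes between the IP header and the payload; the ICV covers
    the immutable IP fields, the AH header with a zeroed ICV, and the payload.
    Tunnel mode is the same call with an outer header and the whole inner packet."""
    hdr = bytearray(ip_hdr)
    hdr[9] = AH_PROTO                                    # protocol field now says AH
    hdr[2:4] = struct.pack("!H", 32 + ICV_LEN + len(payload))  # new total length
    hdr[10:12] = b"\0\0"      # checksum left to the IP stack; zeroed for the ICV anyway
    blank = ah_header(ip_hdr[9], spi, seq, b"\0" * ICV_LEN)
    tag = icv(key, zero_mutable(hdr) + blank + payload)
    return bytes(hdr) + ah_header(ip_hdr[9], spi, seq, tag) + payload

def ah_verify(key, packet):
    """Receiver: recompute the ICV and compare in constant time; False = untrusted."""
    ip_hdr, ah, payload = packet[:20], packet[20:32 + ICV_LEN], packet[32 + ICV_LEN:]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    blank = ah_header(next_hdr, spi, seq, b"\0" * ICV_LEN)
    return hmac.compare_digest(ah[12:], icv(key, zero_mutable(ip_hdr) + blank + payload))

def flip(packet, index, mask=1):
    """Copy of packet with one byte XORed, to simulate an in-flight change."""
    p = bytearray(packet); p[index] ^= mask
    return bytes(p)

# Constructed sample values, not from the page: host header 10.0.0.1 -> 10.0.0.2 (TCP),
# gateway header 192.0.2.1 -> 192.0.2.2 (protocol 4 = IP-in-IP, the tunnel-mode case).
HOST_HDR = bytes.fromhex("4500002000014000400600000a0000010a000002")
GW_HDR = bytes.fromhex("450000200001400040040000c0000201c0000202")
KEY, PAYLOAD = b"constructed-demo-key", b"hello"
```

Compare `len(ah_protect(KEY, GW_HDR, HOST_HDR + PAYLOAD, 0x1234, 1))` with the transport-mode packet to see the extra 20-byte outer header that makes tunnel-mode packets larger.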