4.2. Internet Protocol Security

As mentioned before, when two entities or networks attached to two different parts of a private network or the public Internet communicate, the exchanged packets may have to traverse multiple hops. In such cases, it is useful to provide a security mechanism that is negotiated and established end-to-end or gateway-to-gateway at the IP layer or above, without regard to the communications path in between.

The IPsec protocol is an IP-layer security mechanism that can be used to protect the entire path between two entities or only the untrusted part of the path. IPsec allows the two parties to establish a secure channel capable of providing data integrity, data origin authentication, data confidentiality, anti-replay protection, and a number of other security services. A variety of network scenarios for which IPsec can be used are specified in the IETF security architecture document [SECARC2401]. Together with its key exchange mechanism, the Internet Key Exchange (IKE), IPsec allows the two entities to negotiate and select the required protection, such as "authentication only" or "authentication and encryption", select the proper cryptographic transforms to use for the chosen protection, and exchange the keys those transforms require.

IPsec uses two protocols to provide security protection for IP traffic: authentication header (AH), specified by [AH2402], and encapsulating security payload (ESP), specified by [ESP2406]. In the following sections, we provide more details on AH and ESP. However, we like to point ...
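To make the integrity and anti-replay services concrete before the AH and ESP details, here is an added example (not code from the book) of the receiver side of AH: parsing the header laid out in RFC 2402, verifying an HMAC-SHA-1-96 ICV as defined in RFC 2404, and running the sliding anti-replay window from RFC 2401 Appendix C in the order RFC 2402 prescribes for inbound processing (replay check, then ICV check, then window update). Two simplifications are assumed: the ICV is computed over the AH header (ICV field zeroed) and the payload only, omitting the outer IP header with its mutable fields zeroed, and the key, SPI, next-header value and packets are constructed for the demo rather than negotiated by IKE.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number (RFC 2402 section 2)
ICV_LEN = 12        # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)


def build_ah(key: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Build AH header + ICV + payload. Simplification (assumption): the ICV covers only
    the AH header with the ICV field zeroed and the payload; the outer IP header with
    mutable fields zeroed, which RFC 2402 also covers, is left out of this example."""
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402 section 2.2)
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    hdr = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    icv = hmac.new(key, hdr + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + icv + payload


def parse_ah(pkt: bytes) -> dict:
    """Split an AH packet into its fields; reject lengths that do not fit the buffer."""
    if len(pkt) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", pkt[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if ah_len < AH_FIXED_LEN or ah_len > len(pkt):
        raise ValueError("AH Payload Len inconsistent with packet size")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": pkt[AH_FIXED_LEN:ah_len], "payload": pkt[ah_len:]}


def verify_icv(key: bytes, pkt: bytes, ah: dict) -> bool:
    """Recompute the ICV with the ICV field zeroed and compare in constant time."""
    expected = hmac.new(key, pkt[:AH_FIXED_LEN] + bytes(len(ah["icv"])) + ah["payload"],
                        hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, ah["icv"])


class ReplayWindow:
    """Sliding anti-replay window (RFC 2401 Appendix C). Bit i of `bitmap` records
    whether sequence number `highest - i` has already been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Is this sequence number fresh? Called before ICV verification."""
        if seq == 0:              # the first packet on an SA carries sequence number 1
            return False
        if seq > self.highest:
            return True
        diff = self.highest - seq
        if diff >= self.size:     # fell behind the window: reject
            return False
        return not (self.bitmap >> diff) & 1

    def update(self, seq: int) -> None:
        """Record an accepted packet. Called only after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive_ah(key: bytes, window: ReplayWindow, pkt: bytes) -> str:
    """Inbound order from RFC 2402 section 3.4: replay check, then ICV, then window update."""
    ah = parse_ah(pkt)
    if not window.check(ah["seq"]):
        return "replay"
    if not verify_icv(key, pkt, ah):
        return "bad_icv"
    window.update(ah["seq"])
    return "accepted"


def demo() -> list:
    """Feed constructed AH packets on one SA (SPI 0x1234, UDP inside) through the
    receiver: a replay, a late-but-fresh packet, a packet behind the window,
    and a packet whose payload was modified in transit."""
    key = b"constructed demo key, not a negotiated IKE key"   # assumption: IKE already ran
    window = ReplayWindow()
    results = []
    for seq in (1, 2, 3, 2, 70, 40, 3, 200):
        pkt = build_ah(key, 17, 0x1234, seq, b"udp payload %d" % seq)
        results.append(receive_ah(key, window, pkt))
    tampered = bytearray(build_ah(key, 17, 0x1234, 201, b"udp payload 201"))
    tampered[-1] ^= 0x01                                   # flip one payload bit in transit
    results.append(receive_ah(key, window, bytes(tampered)))
    return results


if __name__ == "__main__":
    labels = ("1", "2", "3", "2 again", "70", "40", "3 again", "200", "201 tampered")
    for label, result in zip(labels, demo()):
        print(f"seq {label}: {result}")
```

The ordering matters: the window is consulted before the (comparatively expensive) ICV computation so that floods of replayed packets are dropped cheaply, but it is only advanced after the ICV verifies, otherwise a forged packet with a large sequence number could slide the window forward and cause legitimate in-flight packets to be discarded.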

From AAA and Network Security for Mobile Access: Radius, Diameter, EAP, PKI and IP Mobility.