7.1. IPSec mechanism

The IPSec (Internet Protocol Security) mechanism offers security services (authentication, integrity and confidentiality) in an identical way in IPv4 and IPv6. Their implementation is optional in IPv4 but mandatory in IPv6. Their use is optional.

Security services are offered through the use of AH (Authentication Header) or ESP (Encapsulating Security Payload) extensions of the IPv4 or IPv6 header.

To secure a two-directional communication between two end points, a security association (SA) pair is required. The IKEv2 (Internet Key Exchange version 2) protocol dynamically ensures the creation of the security association.

A security association contains the following parameters:

• – the authentication algorithm and the key in order to generate the AH extension;
• – the encryption algorithm and the key in order to generate the ESP extension;
• – the authentication algorithm and the key in order to generate the ESP extension, if this service is used;
• – the lifetime of the security association;
• – the encapsulation mode (tunnel or transport).

The IPSec mechanism defines the following three databases:

• – security policy database (SPD): this defines the security policy to be applied to input and output traffic for a host or a security gateway;
• – security association database (SAD): this contains the parameters applied to a security association;
• – peer authorization database (PAD): this provides a link between the IKEv2 protocol and the SPD. ...