IPsec


Internet Protocol Security (IPsec) has emerged as the leading suite of protocols governing the use of VPNs. IPsec delivers machine-level authentication and encryption for VPNs based on L2TP (Layer 2 Tunneling Protocol). It provides integrity protection, authentication, and optional privacy and replay protection services. The suite consists of an architecture and a related Internet Key Exchange (IKE) protocol, and is defined by IETF RFCs 2401–2409. IPsec packets come in the following types:

  • IP Protocol 50— This is the Encapsulating Security Payload (ESP) format. It defines privacy, authenticity, and integrity.

  • IP Protocol 51— This is the Authentication Header (AH) format. It defines authenticity and integrity, but not privacy.

IPsec uses encryption based on either DES (Data Encryption Standard), which is 56 bits, or 3DES (Triple DES), which is 3x56, or 168 bits, in strength. The maximum bit strength allowed for export by the U.S. government depends on the part of the world in which the VPN server or client resides. Thus, it is common to have mixed encryption strengths within a single VPN, which can be a potential security weakness.

IPsec can work in two modes: transport mode and tunnel mode. Transport mode secures an existing IP packet from source to destination, whereas tunnel mode places the packet into a new IP packet that's sent to a tunnel endpoint in the IPsec format. Both modes enable encapsulation in ESP or AH headers.
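
As an added example (not part of the original article), the Python code below classifies raw IPv4 packets by the two protocol numbers listed above and, for AH, reads the cleartext next-header byte to tell tunnel mode from transport mode. The header layouts follow the AH and ESP RFCs in the range cited above; the function names, addresses, SPI values and sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ESP, AH = 50, 51          # IP protocol numbers from the list above
INNER_IP = (4, 41)        # next-header values meaning "an IPv4/IPv6 packet follows"

def classify(packet: bytes) -> dict:
    """Classify one raw IPv4 packet as ESP, AH or non-IPsec traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {"src": str(IPv4Address(packet[12:16])),
            "dst": str(IPv4Address(packet[16:20])), "format": "none"}
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", body[:8])
        # ESP keeps its next-header byte in the encrypted trailer, so the
        # mode cannot be read off the wire without the keys.
        info.update(format="ESP", spi=spi, seq=seq, mode="hidden")
    elif proto == AH:
        if len(body) < 12:
            raise ValueError("truncated AH header")
        nxt, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4               # Payload Len counts 32-bit words minus 2
        if len(body) < ah_len:
            raise ValueError("AH length exceeds packet")
        # AH is not encrypted: an inner IP header means tunnel mode.
        mode = "tunnel" if nxt in INNER_IP else "transport"
        info.update(format="AH", spi=spi, seq=seq, mode=mode, next_header=nxt)
    return info

def build_ipv4(proto: int, payload: bytes, src="192.0.2.1", dst="198.51.100.2") -> bytes:
    """Constructed sample header (checksum left 0; classify() does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload

# Constructed samples: AH with a 12-byte zeroed ICV, ESP with opaque payload bytes.
INNER = build_ipv4(6, b"\x00" * 20, "10.0.0.5", "10.0.1.9")
AH_TUNNEL = build_ipv4(AH, struct.pack("!BBHII", 4, 4, 0, 0x1001, 1) + bytes(12) + INNER)
AH_TRANSPORT = build_ipv4(AH, struct.pack("!BBHII", 6, 4, 0, 0x1002, 1) + bytes(12) + bytes(20))
ESP_PACKET = build_ipv4(ESP, struct.pack("!II", 0x2002, 7) + bytes(32))

if __name__ == "__main__":
    for name, pkt in [("AH tunnel", AH_TUNNEL), ("AH transport", AH_TRANSPORT), ("ESP", ESP_PACKET)]:
        print(name, classify(pkt))
```

The sequence number parsed from each header is the field a receiver uses for the replay protection service mentioned earlier.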
