Secure network connections with IPsec

IPsec is a protocol family whose architecture was proposed as a standard by the Internet Engineering Task Force (IETF), the organization that oversees the technical development of the Internet. IPsec was developed for the latest version of the Internet Protocol (IPv6) and subsequently also for IPv4. It can essentially be divided into the following three functional groups:

  • Transmission protocols: Authentication Header (AH), Encapsulating Security Payload (ESP)
  • Key management: Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE)
  • Databases: Security Association Database (SAD), Security Policy Database (SPD)

With the help of the two transmission protocols AH and ESP, IPsec guarantees the authenticity and integrity of the data sent, ensuring that the content comes from the specified sender and arrives unchanged at the recipient. For this purpose, AH extends the packet header to provide, on the one hand, authentication of the data source in order to confirm its authenticity and, on the other hand, protection against modification of the packets on the transport route. In addition, AH adds a sequence number to the header, which protects against replay attacks, in which captured packets are sent again.

In addition to the identity and integrity check, the ESP protocol also provides encryption of the sent data. However, ESP authentication differs from that of AH in that it does not cover the outer IP header and is therefore not complete. With the help of additional encapsulation, however, ESP content can be delivered correctly across networks with address translation (NAT), as is common with private DSL access.
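To make the sequence-number protection described for AH and ESP concrete, here is an added example (not code from the original article): it parses the fixed ESP header from RFC 4303, which starts with the 32-bit Security Parameters Index (SPI) followed by the 32-bit sequence number, and applies the receiver-side anti-replay sliding window from that RFC to a constructed stream of packets, one window per SPI. The packet bytes and SPI value are constructed for illustration.

```python
import struct

# ESP fixed header (RFC 4303): SPI (32 bit) then sequence number (32 bit), network order.
ESP_HEADER = struct.Struct("!II")


def parse_esp_header(packet: bytes):
    """Return (spi, seq) from the start of an ESP packet; raise if truncated."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("ESP header truncated")
    return ESP_HEADER.unpack_from(packet)


class ReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 4303, section 3.4.3).

    A sequence number above the window advances it; one inside the window is
    accepted the first time and marked; one below the window or already marked
    is rejected as a replay. In a real receiver this check runs before the
    integrity check and the window is only updated after the ICV verifies.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # the first packet on an SA carries sequence number 1
        if seq > self.top:                       # right of the window: slide it
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                     # new top is now marked seen
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                         # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                         # inside the window but already seen
        self.bitmap |= 1 << offset
        return True


def filter_replays(packets, window_size: int = 64):
    """Return (spi, seq, accepted) for each packet, keeping one window per SPI."""
    windows, results = {}, []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        win = windows.setdefault(spi, ReplayWindow(window_size))
        results.append((spi, seq, win.check_and_update(seq)))
    return results


# Constructed sample: SPI 0x1000, sequence 1..3, a replayed 2, a jump to 70,
# then 5 (now left of the 64-wide window) and 10 (still inside it).
SAMPLE = [ESP_HEADER.pack(0x1000, s) + b"\x00" * 16 for s in (1, 2, 3, 2, 70, 5, 10)]
```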

The IKE protocol is primarily responsible for managing the keys used for ESP encryption. It negotiates the security associations between sender and recipient, uses the Diffie-Hellman method for secure key exchange and thereby technically implements the definitions of the ISAKMP framework.

The information required for sending packets based on IPsec is stored in the two local databases SPD and SAD. The entries in the Security Policy Database determine, for example, which transmission protocols (AH, ESP or both) are to be used for the secure connection. The SAD manages the specific security association entries created by the IKE protocol and thus specifies the encryption method, including the key, for the sender and the corresponding decryption method for the recipient.