IPsec is a protocol suite, the architecture of which was suggested as a standard by the Internet Engineering Task Force (IETF). The IETF is an organization concerned with the technical advancement of the internet. IPsec was developed for the newest version of Internet Protocol (IPv6) and retrospectively also for IPv4. It can be divided into the following three function groups:
- Transfer protocols: Authentication Header (AH), Encapsulating Security Payload (ESP)
- Key management: Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE)
- Database: Security Association Database (SAD), Security Policy Database (SPD)
Through the two transfer protocols, AH and ESP, IPsec guarantees the authenticity and integrity of sent data, ensuring that content from the sender reaches the recipient without being altered. For this purpose, AH offers both data origin authentication, to confirm its legitimacy, and protection for the package during transfer. Additionally, the AH protocol assigns a sequence number to the header, protecting packages from potential repeated transfer.
The ESP protocol provides additional encryption for the data package alongside identity and integrity protection. But ESP authentication differs from that of the AH protocol in that it does not take the outer IP header into account. By using an additional encapsulation, however, the ESP content can be securely delivered across networks with address translation (NAT), which are typically used in private DSL connections. The IKE protocol is primarily responsible for managing ESP encryption. It negotiates the security associations between sender and recipient, uses the Diffie-Hellman algorithm for secure key exchange, and technically implements the definitions for the ISAKMP framework.
The necessary information for package transfer using IPsec is stored in the two local databases, SPD and SAD. The entries in the SPD, security policy database, determine which transmission protocol – AH, ESP, or both – is to be used for the secure connection. The SAD, security association database, manages the specific security association entries provided by the IKE protocol; giving the sender the encryption key and the receiver the corresponding decryption key.