IP Security enables secure communications over the Internet and within company networks by securing data traffic at the IP layer. This allows individual users or organizations to secure traffic for all applications, without having to make any modifications to the applications. Therefore any data, such as e-mail, can be made secure.
Data between two nodes is secured by creating a tunnel between the two hosts. The secure tunnel encapsulates all IP traffic between the two hosts in a manner specified by the user. It provides data integrity, privacy and authentication depending on how the tunnel is defined.
Security is provided by requiring that all data travelling in a tunnel be:
Note: Authentication has a checksum effect on encrypted packets; therefore, encryption without authentication is not recommended.
Authentication is provided by using the IP Authentication header (AH) in which the sender provides authentication data that is verified by the receiver to ensure the identity of the sender. It also guarantees data integrity by ensuring that the packet arrived unaltered.
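The sender/receiver exchange described above, as an added example in Python that is not part of the original text: a simplified AH-style check in which the sender computes keyed authentication data (HMAC-MD5 truncated to 96 bits) over the packet and the receiver recomputes it. The header layout, key, addresses and payloads are constructed for illustration, and the treatment of TTL as a mutable field zeroed before hashing follows AH rather than anything stated on this page.

```python
import hmac
import hashlib
import struct

# Added example, not from the original text. Mutable header fields (here only
# TTL) are zeroed before hashing, as AH does, so routers decrementing TTL in
# transit do not break verification. All values below are constructed samples.
ICV_LEN = 12  # HMAC-MD5-96: the 16-byte MD5 HMAC truncated to 96 bits

def _authenticated_bytes(pkt):
    # Everything covered by the authentication data, with TTL replaced by 0
    # and the auth-data field itself left out (equivalent to zero-filling it).
    return (struct.pack("!4s4sB", pkt["src"], pkt["dst"], 0)
            + struct.pack("!II", pkt["spi"], pkt["seq"])
            + pkt["payload"])

def ah_protect(key, src, dst, ttl, spi, seq, payload):
    """Sender: build a packet and attach its authentication data (ICV)."""
    pkt = {"src": src, "dst": dst, "ttl": ttl, "spi": spi, "seq": seq,
           "payload": payload}
    mac = hmac.new(key, _authenticated_bytes(pkt), hashlib.md5).digest()
    pkt["icv"] = mac[:ICV_LEN]
    return pkt

def ah_verify(key, pkt):
    """Receiver: recompute the ICV and compare it in constant time."""
    mac = hmac.new(key, _authenticated_bytes(pkt), hashlib.md5).digest()
    return hmac.compare_digest(mac[:ICV_LEN], pkt["icv"])

def demo():
    key = b"constructed-shared-key"
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    pkt = ah_protect(key, src, dst, ttl=64, spi=0x100, seq=1, payload=b"mail body")

    # A router on the path decrements TTL: still verifies (TTL is mutable).
    pkt["ttl"] -= 1
    ok_after_ttl = ah_verify(key, pkt)

    # An intervening host alters the payload: integrity check fails.
    tampered = dict(pkt, payload=b"MAIL body")
    ok_tampered = ah_verify(key, tampered)

    # A peer without the shared key cannot produce valid authentication data.
    forged = ah_protect(b"wrong-key", src, dst, 64, 0x100, 2, b"forged")
    ok_forged = ah_verify(key, forged)
    return ok_after_ttl, ok_tampered, ok_forged

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```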
Confidentiality is provided by using the IP Encapsulating Security Payload header (ESP) in which the sender encrypts the data, and the receiver decrypts it with a shared key. This prevents intervening hosts from being able to read the data.
A new transform, DES CBC MD5, uses the IETF (www.ietf.org) draft header format to provide authentication and encryption in a new ESP header (described in Internet draft-etf-draft-esp-03.txt). This requires the processing of only one header for data that uses both authentication and encryption.
Two types of tunnels are supported: IBM tunnels, which refresh keys automatically while the tunnel is active, and manual tunnels, which provide interoperability with other vendors' IP Security implementations that conform to IETF standards. These standards are subject to change.
The IP Security function also implements filtering of non-secure packets based on very granular user-defined criteria. This is useful for controlling IP traffic between networks and machines that do not require IP Security.