In general, there are three possibilities to implement the IPsec architecture (with or without key management) and to place the implementation in a host or security gateway:
The simplest and most straightforward possibility is to integrate the IPsec protocols into a native IP implementation. This is
Another possibility is provided by so-called "bump-in-the-stack" (BITS) implementations. In these implementations, IPsec is implemented underneath an existing IP stack, between the native IP implementation and the local network drivers. Source code access for the IP stack is not required in this case, making it appropriate for use with legacy systems. This approach, when it is adopted, is usually employed with hosts.
As of this writing, most IPsec implementations are either BITS or BITW. For example, PGPnet is a BITS implementation, whereas most firewall products that support IPsec for virtual private networking are BITW implementations. The
The IP security architecture as discussed in this chapter is not an overall security architecture for the Internet. It addresses security only at the Internet layer, provided through the use of a suite of security protocols (i.e., the IPsec protocols and the IKE protocol) and a corresponding API (i.e., the PF_KEY key management API version 2 as specified in ). Related topics, such as securing the routing infrastructure, the DNS, and network management, are further addressed in . Also, the current status of the IP security architecture does not even address all aspects of Internet layer security. Topics for further study include the use of Internet layer security protocols in conjunction with NAT, a more complete support for IP multicast, issues
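The PF_KEY key management API mentioned above is the interface through which a key management daemon hands security associations to the IPsec implementation in the kernel. To make that interface concrete, the following Python snippet (an added example written for this page, not code from the book or from any PF_KEY implementation) builds and parses the fixed 16-byte sadb_msg header that every PF_KEY version 2 message starts with, including the check that the length field, counted in 64-bit units, matches the buffer. It only constructs bytes in memory; actually sending them requires a privileged AF_KEY socket, and the sequence number, process id and message type used here are constructed sample values.

```python
import struct

# Constants taken from the PF_KEY version 2 specification (RFC 2367).
PF_KEY_V2 = 2
SADB_MSG_TYPES = {
    1: "SADB_GETSPI", 2: "SADB_UPDATE", 3: "SADB_ADD", 4: "SADB_DELETE",
    5: "SADB_GET", 6: "SADB_ACQUIRE", 7: "SADB_REGISTER", 8: "SADB_EXPIRE",
    9: "SADB_FLUSH", 10: "SADB_DUMP",
}
SADB_DUMP = 10
SADB_SATYPE_AH = 2
SADB_SATYPE_ESP = 3

# struct sadb_msg: version, type, errno, satype (one byte each),
# len and reserved (16 bits each), seq and pid (32 bits each).
# PF_KEY messages are exchanged in host byte order, hence "=".
SADB_MSG_FMT = "=BBBBHHII"
SADB_MSG_SIZE = struct.calcsize(SADB_MSG_FMT)  # 16 bytes


def build_sadb_msg(msg_type, satype, seq, pid, payload=b""):
    """Return a PF_KEY v2 message: header followed by optional extension payload."""
    if msg_type not in SADB_MSG_TYPES:
        raise ValueError("unknown SADB message type %d" % msg_type)
    total = SADB_MSG_SIZE + len(payload)
    # sadb_msg_len counts the whole message in 64-bit words, so the
    # message (header plus extensions) must be a multiple of 8 bytes.
    if total % 8:
        raise ValueError("PF_KEY messages must be padded to a multiple of 8 bytes")
    header = struct.pack(SADB_MSG_FMT, PF_KEY_V2, msg_type, 0, satype,
                         total // 8, 0, seq, pid)
    return header + payload


def parse_sadb_msg(buf):
    """Validate and decode the sadb_msg header of a PF_KEY v2 message."""
    if len(buf) < SADB_MSG_SIZE:
        raise ValueError("buffer shorter than sadb_msg header")
    (version, msg_type, errno, satype,
     length, reserved, seq, pid) = struct.unpack(SADB_MSG_FMT, buf[:SADB_MSG_SIZE])
    if version != PF_KEY_V2:
        raise ValueError("unsupported PF_KEY version %d" % version)
    # A length field that disagrees with the buffer is the classic way a
    # malformed message slips an extension past a naive parser; refuse it.
    if length * 8 != len(buf):
        raise ValueError("sadb_msg_len %d words != %d bytes" % (length, len(buf)))
    return {
        "type": SADB_MSG_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type),
        "errno": errno,
        "satype": satype,
        "len_bytes": length * 8,
        "seq": seq,
        "pid": pid,
        "extensions": buf[SADB_MSG_SIZE:],
    }


if __name__ == "__main__":
    # Constructed sample: a request to dump all ESP security associations.
    # Sending it for real would use socket.socket(socket.AF_KEY,
    # socket.SOCK_RAW, PF_KEY_V2), which needs administrative privilege.
    dump_request = build_sadb_msg(SADB_DUMP, SADB_SATYPE_ESP, seq=1, pid=4242)
    print(dump_request.hex())
    print(parse_sadb_msg(dump_request))
```

On a Linux host with the kernel's native IPsec implementation, the reply to such a dump request arrives as a sequence of messages of the same shape, each carrying SA extensions after the header; the length check above is what keeps the extension walk inside the buffer.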
There are advantages and disadvantages related to security protocols that
The main advantage is that applications need not be changed to use the IPsec protocols. Another advantage is that providing security at the Internet layer works for both TCP- and UDP-based applications. This is advantageous because a steadily increasing number of applications are based on UDP, which is hard to secure at the transport layer (we will further address this point in Chapter 15).
Because of the disadvantages of providing security at the Internet layer, some alternative approaches have appeared in the past (as discussed in the other sections of this chapter). The current trend in industry suggests that the IPsec protocols will primarily be used for virtual private networking and connecting mobile users to corporate