IPSec

IPSec is an attempt to bring together several security technologies into a complete solution that provides confidentiality, integrity, and authenticity. After reading the preceding chapter, you should recognize from these three functions that IPSec is an encryption-dependent solution. In fact, IPSec utilizes the following encryption technologies to achieve its goals:

         The Diffie-Hellman key exchange is used to derive key material between peers on a public network.

         PKI (public key infrastructure) is used for signing the Diffie-Hellman exchanges to guarantee the identity of the parties and avoid a man-in-the-middle attack.

         Data encryption algorithms such as Advanced Encryption Standard (AES) are used to compute encrypted equivalents for data.

         Keyed hash algorithms such as HMAC are used in combination with traditional hash algorithms such as MD5 or SHA to provide packet authentication.

         Digital certificates signed by a certificate authority are used for user identification.

To implement IPSec, a new set of headers must be added to IP datagrams. The new headers are placed after the IP header and before the Layer 4 (L4) protocol header. Although IPSec goes a long way toward solving the current challenges facing the Internet, it falls short in the realm of wireless networks, at least until wireless devices are built that are compatible with IPSec.
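The header placement and HMAC packet authentication described above, shown as an added example that is not from the book: it builds an IPv4 datagram with an IPSec Authentication Header (AH, protocol 51, layout per RFC 4302) between the IP header and a UDP payload, then verifies the HMAC-SHA1-96 integrity check value. The function names `build` and `verify`, the key, the addresses and the SPI are constructed for illustration, and the sketch assumes an IPv4 header without options.

```python
import hashlib
import hmac
import struct

AH_PROTO, UDP_PROTO = 51, 17   # IANA protocol numbers for AH and UDP
ICV_LEN = 12                   # HMAC-SHA1-96: digest truncated to 96 bits

def _icv(key, ip_hdr, ah_hdr, payload):
    """HMAC over the datagram with mutable IP fields and the ICV zeroed."""
    ip = bytearray(ip_hdr)
    ip[1] = 0                  # DSCP/ECN may be rewritten in transit
    ip[6:9] = b"\x00" * 3      # flags, fragment offset, TTL
    ip[10:12] = b"\x00" * 2    # header checksum
    ah = ah_hdr[:12] + b"\x00" * ICV_LEN
    return hmac.new(key, bytes(ip) + ah + payload, hashlib.sha1).digest()[:ICV_LEN]

def build(key, src, dst, spi, seq, payload, ttl=64):
    """Insert an AH header between the IPv4 header and the L4 payload."""
    total = 20 + 12 + ICV_LEN + len(payload)
    # IP checksum is left at 0 here; it is excluded from the ICV anyway
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, AH_PROTO, 0, src, dst)
    # next header, length in 32-bit words minus 2, reserved, SPI, sequence number
    ah_hdr = struct.pack("!BBHII", UDP_PROTO, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_hdr + _icv(key, ip_hdr, ah_hdr, payload) + payload

def verify(key, packet):
    """Return (spi, seq, next_proto, payload) if the ICV checks out, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 12 or packet[9] != AH_PROTO:
        return None
    ip_hdr, rest = packet[:ihl], packet[ihl:]
    next_proto, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    if ah_len != 12 + ICV_LEN or len(rest) < ah_len:
        return None
    icv, payload = rest[12:ah_len], rest[ah_len:]
    if not hmac.compare_digest(icv, _icv(key, ip_hdr, rest[:12], payload)):
        return None
    return spi, seq, next_proto, payload

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values, not from the book
    pkt = build(key, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]), 0x1001, 1, b"hello")
    print(verify(key, pkt))
```

A router decrementing the TTL does not invalidate the check value, while a change to the payload or to the source address does.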

 



Wireless Security and Privacy: Best Practices and Design Techniques
ISBN: 0201760347
Year: 2002
Pages: 73
