Internet Protocol Security (IPsec) is a widely deployed, multi-vendor, open-standard framework that uses cryptography to provide security and data protection for IPv4 and IPv6. IPsec uses both symmetric and asymmetric cryptography to secure communications. Asymmetric cryptography always requires more CPU processing power, which is why an implementation uses it only to establish a shared secret and then performs symmetric encryption with that secret for the actual traffic.
The main components of IPsec are listed below:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
- Internet Key Exchange (IKE) protocols
AH provides message authentication only. In other words, AH lets the receiver verify that the message is intact and unaltered, but it does not encrypt the data. The following diagram shows the packet format before and after AH encapsulation:
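To make the "integrity without confidentiality" point concrete, the following added example (not code from the original article) builds and verifies an AH header as laid out in RFC 4302: Next Header, Payload Len, Reserved, SPI, Sequence Number and a trailing ICV. It assumes HMAC-SHA-256 truncated to 128 bits as the integrity algorithm and, as a simplification, computes the ICV over the AH header (with the ICV field zeroed) and the payload only; a real AH ICV also covers the immutable fields of the outer IP header. The key and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample key; in real IPsec the key is negotiated by IKE, never a literal.
AH_KEY = bytes(range(32))
# Assumption: HMAC-SHA-256-128, i.e. the MAC is truncated to 16 bytes.
ICV_LEN = 16
# Fixed part of the AH header: Next Header(1) + Payload Len(1) + Reserved(2) + SPI(4) + Sequence(4)
AH_FIXED_LEN = 12


def ah_payload_len(icv_len: int) -> int:
    """AH 'Payload Len' is the whole header length in 32-bit words, minus 2 (RFC 4302)."""
    return (AH_FIXED_LEN + icv_len) // 4 - 2


def build_ah_packet(next_header: int, spi: int, seq: int, payload: bytes, key: bytes = AH_KEY) -> bytes:
    """Return AH header || payload, with the ICV computed over header (ICV zeroed) and payload."""
    header = struct.pack("!BBHII", next_header, ah_payload_len(ICV_LEN), 0, spi, seq)
    authenticated = header + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return header + icv + payload


def parse_ah_packet(packet: bytes) -> dict:
    """Split an AH-protected packet into its fields; the payload comes back in the clear."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    header_len = (payload_len + 2) * 4
    return {
        "next_header": next_header,
        "spi": spi,
        "seq": seq,
        "header_len": header_len,
        "icv": packet[AH_FIXED_LEN:header_len],
        "payload": packet[header_len:],   # plaintext: AH gives no confidentiality
    }


def verify_ah_packet(packet: bytes, key: bytes = AH_KEY) -> bool:
    """Recompute the ICV with the ICV field zeroed and compare in constant time."""
    fields = parse_ah_packet(packet)
    header_len = fields["header_len"]
    icv_len = header_len - AH_FIXED_LEN
    authenticated = packet[:AH_FIXED_LEN] + b"\x00" * icv_len + packet[header_len:]
    expected = hmac.new(key, authenticated, hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(expected, fields["icv"])


if __name__ == "__main__":
    # Constructed transport-mode example: Next Header 6 (TCP), SPI 0x1000, sequence 1.
    pkt = build_ah_packet(6, 0x1000, 1, b"GET /status HTTP/1.1\r\n")
    print("payload readable on the wire:", parse_ah_packet(pkt)["payload"])
    print("verifies:", verify_ah_packet(pkt))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])   # flip one payload bit
    print("tampered verifies:", verify_ah_packet(tampered))
```

Note that the verifier can read the payload without any key: AH detects the tampered byte, but anyone on the path sees the request in clear.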
The basic difference is that ESP also provides actual encryption: it encrypts the payload of the packet and protects it from snooping and replay. The following diagram shows the packet
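The replay protection mentioned above comes from the clear-text ESP header, which carries the SPI and a sequence number. The following added example (not code from the original article) parses that header and implements the receiver's sliding anti-replay window from RFC 4303 section 3.4.3 over a constructed stream of packets. It assumes 32-bit sequence numbers (no Extended Sequence Numbers), a 64-packet window, and an opaque body standing in for the ciphertext, ESP trailer and ICV; the SPI values are constructed sample values.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

ESP_HEADER_LEN = 8  # SPI (4 bytes) + Sequence Number (4 bytes), both sent in the clear


def parse_esp_header(packet: bytes) -> tuple[int, int]:
    """Return (SPI, sequence number) from the ESP header (RFC 4303 section 2)."""
    if len(packet) < ESP_HEADER_LEN:
        raise ValueError("ESP packet too short")
    return struct.unpack("!II", packet[:ESP_HEADER_LEN])


@dataclass
class ReplayWindow:
    """Sliding window over received sequence numbers (RFC 4303 section 3.4.3).

    Simplification: the window is updated as soon as a sequence number passes the check.
    A real receiver does this check first, then verifies the ICV, and only marks the
    sequence number as seen if the ICV is valid.
    """
    size: int = 64
    highest: int = 0   # highest sequence number accepted so far
    bitmap: int = 0    # bit i set => sequence number (highest - i) already received

    def check(self, seq: int) -> str:
        if seq == 0:
            return "invalid-seq"          # the sender's first packet uses sequence number 1
        if seq > self.highest:
            shift = seq - self.highest    # advance the window to the new highest value
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accepted"
        diff = self.highest - seq
        if diff >= self.size:
            return "too-old"              # fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return "replay"               # already seen inside the window
        self.bitmap |= 1 << diff
        return "accepted"


class EspReceiver:
    """One anti-replay window per inbound Security Association, keyed by SPI."""

    def __init__(self, known_spis: set[int]):
        self.windows = {spi: ReplayWindow() for spi in known_spis}

    def inspect(self, packet: bytes) -> str:
        spi, seq = parse_esp_header(packet)
        window = self.windows.get(spi)
        if window is None:
            return "unknown-spi"          # RFC 4303: discard and treat as an auditable event
        return window.check(seq)


def make_esp_packet(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed packet: header plus an opaque body standing in for ciphertext, trailer and ICV."""
    return struct.pack("!II", spi, seq) + body


def run_sample() -> list[str]:
    """Feed a constructed sequence (in-order, reordered, replayed, far-jumped) through one SA."""
    rx = EspReceiver(known_spis={0x00001000})
    seqs = [1, 2, 3, 5, 4, 3, 70, 5, 80, 17, 7]
    results = [rx.inspect(make_esp_packet(0x00001000, s)) for s in seqs]
    results.append(rx.inspect(make_esp_packet(0x00002000, 1)))  # SPI with no SA
    return results


if __name__ == "__main__":
    for seq, verdict in zip([1, 2, 3, 5, 4, 3, 70, 5, 80, 17, 7, "spi 0x2000"], run_sample()):
        print(f"{seq!s:>12}: {verdict}")
```

The reordered packet 4 is accepted because it falls inside the window and has not been seen, the second copy of 3 is rejected as a replay, and after the jump to 70 the old sequence number 5 is rejected as too old even though it was never replayed. The "unknown-spi" and "replay" verdicts are the events worth logging on a gateway.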
IPsec communication has two phases:
In the first phase (marked in blue), IKE establishes a secure channel. In the second phase (marked in green), encrypted data is transmitted.
There are two versions of IKE: IKEv1 and IKEv2. We will discuss the benefits of IKEv2 in an upcoming section. For more details, you can refer to https://tools.ietf.org/html/rfc6311: