IPsec (IP security) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment. In computing and telecommunications, the transport layer is the second highest layer in the four and five layer TCP/IP reference models, where it responds to service requests from the application layer and issues service requests to the Internet layer. ... The Transmission Control Protocol (TCP) is one of the core protocols of the Internet protocol suite. ... User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. ... The Datagram Congestion Control Protocol (DCCP) is a message-oriented transport layer protocol that is currently under development in the IETF. Applications that might make use of DCCP include those with timingconstraints on the delivery of data such that reliable in-order delivery, when combined with congestion control, is likely... In the field of computer networking, the IETF Signaling Transport (SIGTRAN) working group defined the Stream Control Transmission Protocol (SCTP) as a transport layer protocol in 2000. ... The Real-time Transport Protocol (or RTP) defines a standardized packet format for delivering audio and video over the Internet. ... The Resource ReSerVation Protocol (RSVP), described in RFC 2205, is a Transport layer protocol designed to reserve resources across a network for an integrated services Internet. ... The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. ... The network layer is third layer out of seven in OSI model and it is the third layer out of five in TCP/IP model. ... The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork. ... Internet Protocol version 4 is the fourth iteration of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. ... Internet Protocol version 6 (IPv6) is a network layer protocol for packet-switched internetworks. ... The Open Shortest Path First (OSPF) protocol is a hierarchical interior gateway protocol (IGP) for routing in Internet Protocol, using a link-state in the individual areas that make up the hierarchy. ... Is Is is Yeah Yeah Yeahs third EP, to be released on July 24, 2007. ... The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. ... In computer networking, the Address Resolution Protocol (ARP) is the standard method for finding a hosts hardware address when only its network layer address is known. ... Reverse Address Resolution Protocol (RARP) is a network layer protocol used to obtain an IP address for a given hardware address (such as an Ethernet address). ... This article is chiefly about the Routing Information Protocol (RIP) for the Internet Protocol, but also discusses some other routing information protocols. ... The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. ... The ICMP for IPv6 (Internet Control Message Protocol Version 6) is an integral part of the IPv6 architecture and must be completely supported by all IPv6 implementations. ... This article does not cite any references or sources. ... IEEE 802. ... The IEEE 802. ... Official Wi-Fi logo Wi-Fi (pronounced wye-fye, IPA: ) is a wireless technology brand owned by the Wi-Fi Alliance intended to improve the interoperability of wireless local area network products based on the IEEE 802. ... Official WiMax logo WiMAX, the Worldwide Interoperability for Microwave Access, is a telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access. ... Asynchronous Transfer Mode (ATM) is a cell relay, packet switching network and data link layer protocol which encodes data traffic into small (53 bytes; 48 bytes of data and 5 bytes of header information) fixed-sized cells. ... Dynamic synchronous Transfer Mode , or DTM for short, is a network protocol. ... Token-Ring local area network (LAN) technology was developed and promoted by IBM in the early 1980s and standardised as IEEE 802. ... Ethernet is a large, diverse family of frame-based computer networking technologies that operate at many speeds for local area networks (LANs). ... In computer networking, fiber-distributed data interface (FDDI) is a standard for data transmission in a local area network that can extend in range up to 200 km (124 miles). ... In the context of computer networking, frame relay consists of an efficient data transmission technique used to send digital information quickly and cheaply in a relay of frames to one or many destinations from one or many end-points. ... General Packet Radio Service (GPRS) is a Mobile Data Service available to users of Global System for Mobile Communications (GSM) and IS-136 mobile phones. ... Evolution-Data Optimized or Evolution-Data only, abbreviated as EV-DO or EVDO and often EV, is one telecommunications standard for the wireless transmission of data through radio signals, typically for broadband Internet access. ... High-Speed Packet Access (HSPA) is a collection of mobile telephony protocols that extend and improve the performance of existing UMTS protocols. ... High-Level Data Link Control (HDLC) is a bit-oriented synchronous data link layer protocol developed by the International Organization for Standardization (ISO). ... In computing, the Point-to-Point Protocol, or PPP, is commonly used to establish a direct connection between two nodes. ... The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. ... In computer networking, the Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). ... ISDN redirects here. ... This article does not cite any references or sources. ... IEEE photograph of a diagram with the original terms for describing Ethernet drawn by Robert M. Metcalfe around 1976. ... For other uses, see Modem (disambiguation). ... For other uses, see Power band. ... It has been suggested that this article be split into articles entitled Synchronous optical networking, SONET and Synchronous digital hierarchy. ... There are very few or no other articles that link to this one. ... Optical fibers An optical fiber (or fibre) is a glass or plastic fiber designed to guide light along its length. ... Coaxial Cable For the weapon, see coaxial weapon. ... 25 Pair Color Code Chart 10BASE-T UTP Cable Twisted pair cabling is a common form of wiring in which two conductors are wound around each other for the purposes of cancelling out electromagnetic interference known as crosstalk. ... A protocol stack is a particular software implementation of a computer networking protocol suite. ... The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork. ... For other uses of the terms authentication, authentic and authenticity, see authenticity. ... Encrypt redirects here. ... In information technology, a packet is a formatted block of information carried by a computer network. ... Look up Data stream in Wiktionary, the free dictionary. ... IKE or Ike can refer to: Internet key exchange, a key agreement protocol Dwight D. Eisenhower, popularly known as Ike Chicagos Eisenhower Expressway, the main east-west expressway through the city, also known as The Ike Ike, a television miniseries about the life and action of Eisenhower during WWII...

Summary

IPsec protocols operate at the network layer, layer 3 of the OSI model. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate from the transport layer up (OSI layers 4 - 7). This makes IPsec more flexible, as it can be used for protecting layer 4 protocols, including both TCP and UDP, the most commonly used transport layer protocols. IPsec has an advantage over SSL and other methods that operate at higher layers: For an application to use IPsec no code change in the applications is required whereas to use SSL and other higher level protocols, applications must undergo code changes. The network layer is third layer out of seven in OSI model and it is the third layer out of five in TCP/IP model. ... The Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model for short) is a layered, abstract description for communications and computer network protocol design, developed as part of the Open Systems Interconnection (OSI) initiative. ... Secure Sockets Layer (SSL) and Transport Layer Security (TLS), its successor, are cryptographic protocols which provide secure communications on the Internet. ... Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. ... SSH redirects here. ... In computing and telecommunications, the transport layer is the second highest layer in the four and five layer TCP/IP reference models, where it responds to service requests from the application layer and issues service requests to the Internet layer. ... The Transmission Control Protocol (TCP) is one of the core protocols of the Internet protocol suite. ... User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. ...

Security architecture

IPsec is implemented by a set of cryptographic protocols for (1) securing packet flows, (2) mutual authentication and (3) establishing cryptographic parameters. A cryptographic protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods. ... Internet key exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. ... Internet key exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. ...

The IP security architecture uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations. The actual choice of encryption and authentication algorithms (from a defined list) is left to the IPsec administrator. The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork. ...

In order to decide what protection is to be provided for an outgoing packet, IPsec uses the security parameter index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.

For multicast, a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice.

Current status as a standard

IPsec is a mandatory part of IPv6 (mandatory to implement, not mandatory to use), and is optional for use with IPv4. While the standard is designed to be indifferent to IP versions, current widespread deployment and experience concerns IPv4 implementations. Internet Protocol version 6 (IPv6) is a network layer protocol for packet-switched internetworks. ... Internet Protocol version 4 is the fourth iteration of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. ... Internet Protocol version 4 is the fourth iteration of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. ...

IPsec protocols were originally defined by RFCs 1825–1829, published in 1995. In 1998, these documents were obsoleted by RFCs 2401–2412, which are not compatible with 1825–1829, although they are conceptually identical. In December 2005, third-generation documents, RFCs 4301–4309, were produced. They are largely a superset of 2401–2412, but provide a second Internet Key Exchange standard. These third-generation documents standardized the abbreviation of IPsec to uppercase “IP” and lowercase “sec”. In internetworking and computer network engineering, Request for Comments (RFC) documents are a series of memoranda encompassing new research, innovations, and methodologies applicable to Internet technologies. ... In internetworking and computer network engineering, Request for Comments (RFC) documents are a series of memoranda encompassing new research, innovations, and methodologies applicable to Internet technologies. ... In internetworking and computer network engineering, Request for Comments (RFC) documents are a series of memoranda encompassing new research, innovations, and methodologies applicable to Internet technologies. ... IKEv2 is the next version of the Internet Key Exchange protocol which is used to negotiate a Security Association at the outset of an IPsec session. ...

It is unusual to see any product that offers RFC1825–1829 support. “ESP” generally refers to 2406, while ESPbis refers to 4303.

Design intent

IPsec was intended to provide either transport mode (end-to-end) security of packet traffic in which the end-point computers do the security processing, or tunnel mode (portal-to-portal) communications security in which security of packet traffic is provided to several machines (even to whole LANs) by a single node. Communications security (COMSEC): Measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. ... LAN redirects here. ...

IPsec can be used to create Virtual Private Networks (VPN) in either mode, and this is the dominant use. Note, however, that the security implications are quite different between the two operational modes. VPN redirects here. ...

End-to-end communication security on an Internet-wide scale has been slower to develop than many had expected. Part of the reason is that no universal, or universally trusted, Public Key Infrastructure (PKI) has emerged (DNSSEC was originally envisioned for this); another part is that many users understand neither their needs nor the available options well enough to promote inclusion in vendors' products. Diagram of a public key infrastructure In cryptography, a public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). ... The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. ...

Since the Internet Protocol does not inherently provide any security capabilities, IPsec was introduced to provide security services such as the following: The Internet Protocol (IP) is a data-oriented protocol used for communicating data across a packet-switched internetwork. ...

1. Encrypting traffic (so it cannot be read by parties other than those for whom it is intended)
2. Integrity validation (ensuring traffic has not been modified along its path)
3. Authenticating the peers (ensuring that traffic is from a trusted party)
4. Anti-replay (protecting against replay of the secure session).

Modes

There are two modes of IPsec operation: transport mode and tunnel mode.

Transport mode

In transport mode, only the payload (the data you transfer) of the IP packet is encrypted and/or authenticated. The routing is intact, since the IP header is neither modified nor encrypted; however, when the authentication header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash, so they cannot be modified in any way (for example by translating the port numbers). Transport mode is used for host-to-host communications. This article is about algorithms for encryption and decryption. ... In computer networking, Network Address Translation (NAT, also known as Network Masquerading, Native Address Translation or IP Masquerading) is a technique of transceiving network traffic through a router that involves re-writing the source and/or destination IP addresses and usually also the TCP/UDP port numbers of IP packets... A hash function is a function that converts an input from a (typically) large domain into an output in a (typically) smaller range (the hash value, often a subset of the integers). ... The application layer is the seventh level of the seven-layer OSI model. ... It has been suggested that this article or section be merged with Port forwarding. ... It has been suggested that this article or section be merged into Computer port (software). ...

A means to encapsulate IPsec messages for NAT traversal has been defined by RFC documents describing the NAT-T mechanism. NAT traversal refers to a solution to the common problem in TCP/IP networking of establishing connections between hosts in private TCP/IP networks which use NAT devices. ... In internetworking and computer network engineering, Request for Comments (RFC) documents are a series of memoranda encompassing new research, innovations, and methodologies applicable to Internet technologies. ... NAT-T (NAT Traversal in the IKE) is a mechanism in IPsec for UDP encapsulation of the ESP packets in order to better go through firewalls. ...

Tunnel mode

In tunnel mode, the entire IP packet (data plus the message headers) is encrypted and/or authenticated. It must then be encapsulated into a new IP packet for routing to work. Tunnel mode is used for network-to-network communications (secure tunnels between routers, e.g. for VPNs) or host-to-network and host-to-host communications over the Internet. VPN redirects here. ...

Technical details

Two protocols have been developed to provide packet-level security for both IPv4 and IPv6: Internet Protocol version 4 is the fourth iteration of the Internet Protocol (IP) and it is the first version of the protocol to be widely deployed. ... Internet Protocol version 6 (IPv6) is a network layer protocol for packet-switched internetworks. ...

• The IP Authentication Header provides integrity and authentication and non-repudiation, if the appropriate choice of cryptographic algorithms is made.
• The IP Encapsulating Security Payload provides confidentiality, along with optional (but strongly recommended) authentication and integrity protection.

Cryptographic algorithms defined for use with IPsec include HMAC-SHA1 for integrity protection, and TripleDES-CBC and AES-CBC for confidentiality. Refer to RFC 4305 for details. A keyed-hash message authentication code, or HMAC, is a type of message authentication code (MAC) calculated using a cryptographic hash function in combination with a secret key. ... The SHA (Secure Hash Algorithm) family is a set of related cryptographic hash functions designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST). ... In cryptography, Triple DES is a block cipher formed from the Data Encryption Standard (DES) cipher by using it three times. ... In cryptography, a block cipher operates on blocks of fixed length, often 64 or 128 bits. ... In cryptography, the Advanced Encryption Standard (AES), also known as Rijndael, is a block cipher adopted as an encryption standard by the U.S. government. ...

Authentication header (AH)

The AH is intended to guarantee connectionless integrity and data origin authentication of IP datagrams. Further, it can optionally protect against replay attacks by using the sliding window technique and discarding old packets. AH protects the IP payload and all header fields of an IP datagram except for mutable fields, i.e. those that might be altered in transit. In IPv4, mutable (and therefore unauthenticated) IP header fields include TOS, Flags, Fragment Offset, TTL and Header Checksum. AH operates directly on top of IP, using IP protocol number 51. An AH packet diagram: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. ... In transmit flow control, sliding window is a variable-duration window that allows a sender to transmit a specified number of data units before an acknowledgement is received or before a specified event occurs. ... RFC 1349, Type of Service in the Internet Protocol Suite The TOS byte in the IPv4 header has had various purposes over the years, and has been defined in different ways by five different RFCs. ... The Internet Protocol allows IP fragmentation so that datagrams can be fragmented into pieces small enough to pass over a link with a smaller MTU than the original datagram size. ... In computer science, an offset within an array or other data structure object is an integer indicating the distance (displacement) from the beginning of the object up until a given element or point, presumably within the same object. ... TTL is an elite band of men and boys that originate, live or are involved in the tadley bmx scene. ... A checksum is a form of redundancy check, a simple way to protect the integrity of data by detecting errors in data that are sent through space (telecommunications) or time (storage). ...

Field meanings:

Next header 

Identifies the protocol of the transferred data.

Payload length 

Size of AH packet.

RESERVED 

Reserved for future use (all zero until then).

Security parameters index (SPI) 

Identifies the security parameters, which, in combination with the IP address, then identify the security association implemented with this packet.

Sequence number 

A monotonically increasing number, used to prevent replay attacks.

Authentication data 

Contains the integrity check value (ICV) necessary to authenticate the packet; it may contain padding.

In IPsec a security association (SA) describes an unidirectional secured flow of data between two gateways. ... In mathematics, functions between ordered sets are monotonic (or monotone) if they preserve the given order. ...

Encapsulating Security Payload (ESP)

The ESP protocol provides origin authenticity, integrity, and confidentiality protection of a packet. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.^{[1] [2] [3]}. Unlike AH , the IP packet header is not protected by ESP. (Although in tunnel mode ESP, protection is afforded to the whole inner IP packet, including the inner header; the outer header remains unprotected.) ESP operates directly on top of IP, using IP protocol number 50.

An ESP packet diagram:

Field meanings:

Security parameters index (SPI) 

Identifies the security parameters in combination with IP address.

Sequence number 

A monotonically increasing number, used to prevent replay attacks.

Payload data 

The data to be transferred.

Padding 

Used with some block ciphers to pad the data to the full length of a block.

Pad length 

Size of padding in bytes.

Next header 

Identifies the protocol of the transferred data.

Authentication data 

Contains the data used to authenticate the packet.

Implementations

IPsec support is usually implemented in the kernel with key management and ISAKMP/IKE negotiation carried out from user-space. Existing IPsec implementations tend to include both of these functionalities. However, as there is a standard interface for key management, it is possible to control one kernel IPsec stack using key management tools from a different implementation. A kernel connects the application software to the hardware of a computer. ... Internet Security Association and Key Management Protocol (ISAKMP) is a cryptographic protocol which forms the basis of the IKE key exchange protocol. ... IKE or Ike can refer to: Internet key exchange, a key agreement protocol Dwight D. Eisenhower, popularly known as Ike Chicagos Eisenhower Expressway, the main east-west expressway through the city, also known as The Ike Ike, a television miniseries about the life and action of Eisenhower during WWII...

Because of this, there is confusion as to the origins of the IPsec implementation that is in the Linux kernel. The FreeS/WAN project made the first complete and open source implementation of IPsec for Linux. It consists of a kernel IPsec stack (KLIPS), as well as a key management daemon (pluto) and many shell scripts. The FreeS/WAN project was disbanded in March 2004. Openswan and strongSwan are continuations of FreeS/WAN. The KAME project also implemented complete IPsec support for NetBSD, FreeBSD. Its key management daemon is called racoon. OpenBSD made its own ISAKMP/IKE daemon, simply named isakmpd (which was also ported to other systems, including Linux). The Linux kernel is a Unix-like operating system kernel. ... The Free Secure Wide-Area Networking project was a free software project, which implemented a reference version of IPSEC for the Linux and other UNIX-like operating systems. ... Open source refers to projects that are open to the public and which draw on other projects that are freely available to the general public. ... This article is about operating systems that use the Linux kernel. ... In Unix and other computer multitasking operating systems, a daemon is a computer program that runs in the background, rather than under the direct control of a user; they are usually instantiated as processes. ... A shell script is a script or computer program written for the shell (command interpreter) of an operating system. ... 2004 : January - February - March - April - May - June - July - August - September - October - November - December Deaths • 08 Abu Abbas • 20 Queen Juliana • 28 Peter Ustinov • 30 Alistair Cooke More March 2004 deaths Ongoing events EU Enlargement Exploration of Mars: Rovers Haiti Rebellion Israeli-Palestinian conflict Occupation of Iraq Same-sex marriage in... Openswan is a complete IPsec implementation for Linux 2. ... strongSwan is a complete IPsec implementation for Linux 2. ... The KAME project is a joint effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) stack for BSD variants to the world. ... NetBSD is a freely redistributable, open source version of the Unix-like BSD computer operating system. ... FreeBSD is a Unix-like free operating system descended from AT&T UNIX via the Berkeley Software Distribution (BSD) branch through the 386BSD and 4. ... OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Unix derivative developed at the University of California, Berkeley. ... This article is about operating systems that use the Linux kernel. ...

However, none of these kernel IPsec stacks were integrated into the Linux kernel. Alexey Kuznetsov and David S. Miller wrote a kernel IPsec implementation from scratch for the Linux kernel around the end of 2002. This stack was subsequently released as part of Linux 2.6, and is referred to variously as "native" or "NETKEY". David S. Miller is one of the core developers working on the Linux kernel, where he is the primary maintainer of the TCP implementation, and is also involved in other development work. ...

Therefore, contrary to popular belief, the Linux IPsec stack did not originate from the KAME project. As it supports the standard PF_KEY protocol (RFC 2367) and the native XFRM interface for key management, the Linux IPsec stack can be used in conjunction with either pluto from Openswan/strongSwan, isakmpd from OpenBSD project, racoon from the KAME project or without any ISAKMP/IKE daemon (using manual keying). Openswan is a complete IPsec implementation for Linux 2. ... strongSwan is a complete IPsec implementation for Linux 2. ... OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Unix derivative developed at the University of California, Berkeley. ... The KAME project is a joint effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) stack for BSD variants to the world. ...

The new architectures of network processors, including multi-core processors with integrated encryption engines, change the way the IPsec stacks are designed. A dedicated Fast Path is used in order to offload the processing of the IPsec processing (SA, SP lookups, encryption, etc.). These Fast Path stacks must be co-integrated on dedicated cores with Linux or RTOS running on other cores. These OS are the control plane that runs ISAKMP/IKE of the Fast Path IPsec stack.

There are a number of implementations of IPsec and ISAKMP/IKE protocols. These include:

• 6WINDGate, Network processor MPU Fast Path IPsec stack
• NRL [1] IPsec, one of the original sources of IPsec code [2]
• OpenBSD, with its own code derived from NRL IPsec
• the KAME stack, that is included in Mac OS X, NetBSD and FreeBSD
• "IPsec" in Cisco IOS Software [3]
• "IPsec" in Microsoft Windows, including Windows XP[4] [5], Windows 2000[6], Windows 2003[7], and Windows Vista [8]
• SafeNet QuickSec toolkits [9]
• IPsec in Solaris [10]
• IBM AIX operating system
• IBM z/OS
• IPsec and IKE in HP-UX (HP-UX IPSec)
• "IPsec and IKE" in VxWorks [11]

A dual-core CPU combines two independent processors and their respective caches and cache controllers onto a single silicon chip, or integrated circuit. ... OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Unix derivative developed at the University of California, Berkeley. ... The KAME project is a joint effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) stack for BSD variants to the world. ... Mac OS X (pronounced ) is a line of graphical operating systems developed, marketed, and sold by Apple Inc. ... NetBSD is a freely redistributable, open source version of the Unix-like BSD computer operating system. ... FreeBSD is a Unix-like free operating system descended from AT&T UNIX via the Berkeley Software Distribution (BSD) branch through the 386BSD and 4. ... Cisco IOS (originally Internetwork Operating System) is the software used on the vast majority of Cisco Systems routers and all current Cisco network switches. ... Windows redirects here. ... Solaris is a computer operating system developed by Sun Microsystems. ... For other uses, see IBM (disambiguation) and Big Blue. ... AIX (Advanced Interactive eXecutive) is a proprietary operating system developed by IBM based on UNIX System V. Before the product was ever marketed, the acronym AIX originally stood for Advanced IBM UNIX. AIX has pioneered numerous network operating system enhancements, introducing new innovations later adopted by Unix-like operating systems... For other uses, see IBM (disambiguation) and Big Blue. ... z/OS Welcome Screen seen through a terminal emulator The title of this article begins with a capital letter due to technical limitations. ... HP-UX (Hewlett Packard UniX) is Hewlett-Packards proprietary implementation of the Unix operating system, based on System V (initially System III). ... VxWorks is a Unix-like real-time operating system made and sold by Wind River Systems of Alameda, California, USA. Like most RTOSes, VxWorks includes a multitasking kernel with pre-emptive scheduling and fast interrupt response, extensive inter-process communications and synchronization facilities, and a file system. ...

See also

• Information security
• Year 2005 saw the standardization of a UDP encapsulation mechanism for NAT traversal: NAT-T
• Layer 2 Tunneling Protocol (L2TP)
• Security association (SA)
• Opportunistic encryption
• Virtual private network

Image File history File links This is a lossless scalable vector image. ... Security is everyone’s responsibility. ... Year 2005 (MMV) was a common year starting on Saturday (link displays full calendar) of the Gregorian calendar. ... User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. ... Encapsulation of user data in a UDP datagram inside an IP packet. ... NAT traversal refers to a solution to the common problem in TCP/IP networking of establishing connections between hosts in private TCP/IP networks which use NAT devices. ... NAT-T (NAT Traversal in the IKE) is a mechanism in IPsec for UDP encapsulation of the ESP packets in order to better go through firewalls. ... In computer networking, the Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). ... In IPsec a security association (SA) describes an unidirectional secured flow of data between two gateways. ... Opportunistic Encryption (OE) allows for encryption for secure communication without any pre-arrangement specific to the pair of systems involved. ... VPN redirects here. ...

List of IPsec-related RFCs

RFC 1826 (obsoleted by RFC 2402)

IP Authentication Header

RFC 1827 (obsoleted by RFC 2406)

IP Encapsulating Security Payload (ESP)

RFC 2367

PF_KEY Interface

RFC 2401 (obsoleted by RFC 4301)

Security Architecture for the Internet Protocol

RFC 2402 (obsoleted by RFC 4302 and RFC 4305)

Authentication Header

RFC 2403

The Use of HMAC-MD5-96 within ESP and AH

RFC 2404

The Use of HMAC-SHA-1-96 within ESP and AH

RFC 2405

The ESP DES-CBC Cipher Algorithm With Explicit IV

RFC 2406 (obsoleted by RFC 4303 and RFC 4305)

Encapsulating Security Payload

RFC 2407 (obsoleted by RFC 4306)

IPsec Domain of Interpretation for ISAKMP (IPsec DoI)

RFC 2408 (obsoleted by RFC 4306)

Internet Security Association and Key Management Protocol (ISAKMP)

RFC 2409 (obsoleted by RFC 4306)

Internet Key Exchange (IKE)

RFC 2410

The NULL Encryption Algorithm and Its Use With IPsec

RFC 2411

IP Security Document Roadmap

RFC 2412

The OAKLEY Key Determination Protocol

RFC 2451

The ESP CBC-Mode Cipher Algorithms

RFC 2857

The Use of HMAC-RIPEMD-160-96 within ESP and AH

RFC 3526

More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)

RFC 3706

A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

RFC 3715

IPsec-Network Address Translation (NAT) Compatibility Requirements

RFC 3947

Negotiation of NAT-Traversal in the IKE

RFC 3948

UDP Encapsulation of IPsec ESP Packets

RFC 4106

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)

RFC 4301 (obsoletes RFC 2401)

Security Architecture for the Internet Protocol

RFC 4302 (obsoletes RFC 2402)

IP Authentication Header

RFC 4303 (obsoletes RFC 2406)

IP Encapsulating Security Payload (ESP)

RFC 4304

Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)

RFC 4305 (obsoleted by RFC 4835)

Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)

RFC 4306 (obsoletes RFC 2407, RFC 2408, and RFC 2409)

Internet Key Exchange (IKEv2) Protocol

RFC 4307

Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)

RFC 4308

Cryptographic Suites for IPsec

RFC 4309

Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)

RFC 4478

Repeated Authentication in Internet Key Exchange (IKEv2) Protocol

RFC 4543

The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH

RFC 4555

IKEv2 Mobility and Multihoming Protocol (MOBIKE)

RFC 4621

Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol

RFC 4718

IKEv2 Clarifications and Implementation Guidelines

RFC 4806

Online Certificate Status Protocol (OCSP) Extensions to IKEv2

RFC 4809

Requirements for an IPsec Certificate Management Profile

RFC 4835 (obsoletes RFC 4305)

Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)

RFC 4945

The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX

IKEv2 is the next version of the Internet Key Exchange protocol which is used to negotiate a Security Association at the outset of an IPsec session. ... IKEv2 is the next version of the Internet Key Exchange protocol which is used to negotiate a Security Association at the outset of an IPsec session. ...

References

1. ^ Bellovin, Steven M. (1996). "Problem Areas for the IP Security Protocols". Proceedings of the Sixth Usenix Unix Security Symposium: 1-16. Retrieved on 2007-07-09. 
2. ^ K.G. Paterson and A. Yau (2006). "Cryptography in theory and practice: The case of encryption in IPsec". Eurocrypt 2006, Lecture Notes in Computer Science Vol. 4004: 12-29. Retrieved on 2007-08-13. 
3. ^ J.P. Degabriele and K.G. Paterson (2007). "Attacking the IPsec Standards in Encryption-only Configurations". IEEE Symposium on Security and Privacy, IEEE Computer Society: 335-349. Retrieved on 2007-08-13. 

Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 190th day of the year (191st in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 225th day of the year (226th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 225th day of the year (226th in leap years) in the Gregorian calendar. ...

External links

• IETF IPsec WG has "concluded", archive of the page is here
• IPsec WG still has important active drafts
• All IETF active security WGs
• IETF BTNS WG (chartered to work on unauthenticated IPsec, IPsec APIs, connection latching)
• Securing Data in Transit with IPsec
• IPsec at the Open Directory Project