IPsec is a security system operating at a low level common to both IPv4 and IPv6. It has only recently risen out of relative obscurity with the advent of commonly-available virtual private networks (VPNs), but is deserving of more attention than it gets since it attempts to solve the key security problem of today: application independent encryption and authentication of data. In essence it munges headers and encrypts data packets to provide the following services:
The Authentication Header (AH) provides a way to check that a packet came from a given source and that it has not been modified in transit.
The contents of packets may be encrypted, preventing people from determining their contents. This is provided by a protocol called Encapsulating Security Payload (ESP).
Both of these services use shared secret keys. These keys can be manually configured, but automatic configuration is generally more flexible, so IPsec defines a protocol for the management of these keys. This allows the use of certificates for the generation and authentication of these shared secrets. IPsec also defines a compression protocol to get around the problem that encrypted traffic is rarely compressible.
To reiterate a point from Section 3.9, the important aspect of IPsec is that it operates far below the application layer. Combined with the system-wide configurability of IPsec, this means it can be used to provide security services to legacy applications. Its use is also required ...