When the IETF was working on the requirements for IPv6, security at the IP layer was identified as a key requirement [RFC1752]: IP security was to be mandatory for IPv6. This work led to a separate working group on IP security (IPsec). IPsec [RFC2401] (since revised as [RFC4301]) was defined and designed to be used for both IPv4 and IPv6. This is good for the security of currently deployed IPv4 networks, but bad for IPv6, since it removes one of the security arguments for migrating to IPv6. The original requirement has also been relaxed: the IPv6 node requirements [RFC6434] downgraded IPsec support from a MUST to a SHOULD, so an IPv6 node cannot be assumed to implement IPsec simply because it speaks IPv6.
IPsec protects communications at the IP layer. It is usually implemented in the operating system kernel, and applications may or may not be aware that IP-layer security has been established between two nodes: an application sees ordinary sockets, and the policy database in the kernel decides which traffic must be protected.
IPsec has two encapsulation modes: transport and tunnel. When two IPsec peers need to secure their communication, they first establish a security association (SA), normally negotiated with the Internet Key Exchange (IKE) protocol, which fixes the keys, the algorithms and the Security Parameter Index (SPI) that identifies the SA on the wire. They then use either or both of the Authentication Header (AH), which provides integrity and origin authentication, and the Encapsulating Security Payload (ESP), which provides confidentiality and, optionally, integrity. In IPv6 both AH and ESP are carried as extension headers.
Figure 13.2 shows nodes N1 and N2 establishing a secure IP connection directly with each other, which illustrates transport mode: the original IP header is kept, the AH or ESP header is inserted between it and the upper-layer payload, and the security is end-to-end, because the SA endpoints are the communicating nodes themselves.
Figure 13.3 shows tunnel mode, where N1 establishes a secure IP connection with the Virtual Private Network (VPN) server, not with N2. N1 encapsulates its entire IP packet to N2, including the original IP header, inside a new IP packet protected by ESP or AH and addressed to the VPN server. The VPN server decapsulates the protected traffic and forwards the inner packet to N2, which receives ...
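The following is an added illustration of the two encapsulation modes described above; it is not code from the book. It builds the header chain of a transport-mode and a tunnel-mode ESP packet over IPv6 and decapsulates them again. To keep the framing visible and the block runnable on the Python standard library alone, it uses ESP with NULL encryption [RFC2410] and HMAC-SHA-256-128 integrity [RFC4868]; a real SA would use a cipher such as AES-GCM, and the addresses, SPIs, key and TCP segment are constructed for the example.

```python
"""ESP framing over IPv6 in transport vs tunnel mode (added example, not book code).

ESP-NULL + HMAC-SHA-256-128 is used so the structure is readable; the key,
addresses, SPIs and payload below are constructed for illustration only.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_IPV6, IPPROTO_ESP = 6, 41, 50
ICV_LEN = 16  # HMAC-SHA-256-128 truncates the MAC to 128 bits (RFC 4868)
IPV6_FMT = "!IHBB16s16s"  # ver/tc/flow, payload len, next hdr, hop limit, src, dst


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header (version 6, traffic class and flow label 0)."""
    return struct.pack(IPV6_FMT, 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(pkt):
    """Return (next_header, payload_len, src, dst) from a fixed IPv6 header."""
    _, plen, nh, _, src, dst = struct.unpack(IPV6_FMT, pkt[:40])
    return nh, plen, str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst))


def esp_encapsulate(payload, next_header, spi, seq, key):
    """ESP header | payload | padding | pad length | next header | ICV (RFC 4303)."""
    pad_len = (-(len(payload) + 2)) % 4        # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # default monotonic padding bytes
    hdr = struct.pack("!II", spi, seq)
    body = hdr + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]  # ICV excludes the outer IP header
    return body + icv


class EspReceiver:
    """Inbound SA state: SPI, key and the highest sequence number accepted."""

    def __init__(self, spi, key):
        self.spi, self.key, self.last_seq = spi, key, 0

    def decapsulate(self, esp):
        spi, seq = struct.unpack("!II", esp[:8])
        if spi != self.spi:
            raise ValueError("no inbound SA for SPI %#x" % spi)
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # verify before looking at the trailer
            raise ValueError("ICV check failed")
        if seq <= self.last_seq:                     # simplified anti-replay: no sliding window
            raise ValueError("replayed sequence number %d" % seq)
        self.last_seq = seq
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[8:-(2 + pad_len)]


def transport_mode_packet(n1, n2, tcp_segment, spi, seq, key):
    """Transport mode: IPv6(N1->N2, next=ESP) | ESP | TCP | trailer(next=TCP)."""
    esp = esp_encapsulate(tcp_segment, IPPROTO_TCP, spi, seq, key)
    return ipv6_header(n1, n2, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode_packet(n1, n2, vpn, tcp_segment, spi, seq, key):
    """Tunnel mode: IPv6(N1->VPN, next=ESP) | ESP | IPv6(N1->N2) | TCP | trailer(next=IPv6)."""
    inner = ipv6_header(n1, n2, IPPROTO_TCP, len(tcp_segment)) + tcp_segment
    esp = esp_encapsulate(inner, IPPROTO_IPV6, spi, seq, key)
    return ipv6_header(n1, vpn, IPPROTO_ESP, len(esp)) + esp


if __name__ == "__main__":
    key = b"\x11" * 32                                   # constructed SA key
    seg = b"\x00\x50\x1f\x90" + b"A" * 20                # constructed TCP segment
    t = transport_mode_packet("2001:db8::1", "2001:db8::2", seg, 0x1234, 1, key)
    u = tunnel_mode_packet("2001:db8::1", "2001:db8::2", "2001:db8:ffff::1", seg, 0x5678, 1, key)
    print("transport outer header:", parse_ipv6_header(t))
    print("tunnel outer header:   ", parse_ipv6_header(u))
    print("tunnel inner header:   ", parse_ipv6_header(EspReceiver(0x5678, key).decapsulate(u[40:])[1]))
```

The two packets differ only in where the original IP header ends up: in transport mode the outer header still carries N1 and N2 and the ESP trailer's next-header field says TCP, while in tunnel mode the outer header carries N1 and the VPN server, the trailer says IPv6, and N2's address is only visible after the VPN server has verified the ICV and decapsulated the inner packet. The receiver also rejects a repeated sequence number; a real implementation keeps a sliding window rather than a single counter so that legitimately reordered packets are not dropped.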