The TCP/IP Guide  9  TCP/IP Lower-Layer (Interface, Internet and Transport) Protocols (OSI Layers 2, 3 and 4)       9  TCP/IP Internet Layer (OSI Network Layer) Protocols            9  Internet Protocol (IP/IPv4, IPng/IPv6) and IP-Related Protocols (IP NAT, IPSec, Mobile IP)                 9  IP Security (IPSec) Protocols

IPSec Modes: Transport and Tunnel 1 2 IPSec Authentication Header (AH)

Woah, there sure is a lot of "security" stuff in that topic title. Those items are all closely related, and important to understand before we proceed to looking at the core IPSec protocols themselves. These constructs are used to guide the operation of IPSec in a general way and also in particular exchanges between devices. They control how IPSec works and ensure that each datagram coming into or leaving an IPSec-capable device is properly treated.

Where to start… where to start. J Let's begin by considering the problem of how to apply security in a device that may be handling many different exchanges of datagrams with others. There is overhead involved in providing security, so we do not want to do it for every message that comes in or out. Some types of messages may need more security, others less. Also, exchanges with certain devices may require different processing than others.

To manage all of this complexity, IPSec is equipped with a flexible, powerful way of specifying how different types of datagrams should be handled. To understand how this works, we must first define two important logical concepts:

• Security Policies: A security policy is a rule that is programmed into the IPSec implementation that tells it how to process different datagrams received by the device. For example, security policies are used to decide if a particular packet needs to be processed by IPSec or not; those that do not bypass AH and ESP entirely. If security is required, the security policy provides general guidelines for how it should be provided, and if necessary, links to more specific detail.
  
  Security policies for a device are stored in the device's Security Policy Database (SPD).
  
  
• Security Associations: A Security Association (SA) is a set of security information that describes a particular kind of secure connection between one device and another. You can consider it a "contract", if you will, that specifies the particular security mechanisms that are used for secure communications between the two.
  
  A device's security associations are contained in its Security Association Database (SAD).

It's often hard to distinguish the SPD and the SAD, since they are similar in concept. The main difference between them is that security policies are general while security associations are more specific. To determine what to do with a particular datagram, a device first checks the SPD. The security policies in the SPD may reference a particular security association in the SAD. If so, the device will look up that security association and use it for processing the datagram.

IPSec Modes: Transport and Tunnel 1 2 IPSec Authentication Header (AH)