
9.1. Introduction

In Part 2, we examined several VPN technologies and saw how they operate. All these VPNs encapsulate their packets at the transport layer or higher. In the next few chapters, we study a set of VPNs, collectively called IP Security (IPsec), that encapsulate their packets at the network layer. IPsec is the IETF standard VPN technology defined for the TCP/IP suite.

As we shall see, IPsec is large and complicated, in contrast to the lightweight VPNs we studied in Chapter 8; we could describe IPsec as a heavyweight VPN. This heavy-weightedness is a result of two things: flexibility in configuring an IPsec VPN and the fact that IPsec is usually tightly integrated with the TCP/IP stack and thus runs in the kernel.

The IPsec working group recently completed revisions to the IPsec protocols, and we can expect that these revisions will start to be deployed shortly. We discuss the revised protocols in Chapter 14.

The IPsec protocols borrow ideas from the U.S. government's network-layer security protocol, SP3 [NIST 1990], the ISO's Network Layer Security Protocol (NLSP) [ISO 1992], and the swIPe protocol [Ioannidis and Blaze 1993a, Ioannidis and Blaze 1993b].

The swIPe Internet Draft [Ioannidis and Blaze 1993b] has long since expired, of course, but copies are still available from Blaze's Web site; see the bibliography.

The initial design of IPsec was done in 1992 by John Ioannidis, Phil Karn, and William Allen Simpson.

