9.2. An Overview of IPsec

IPsec consists of three major protocols:

AH	A protocol that provides data origin authentication, data integrity, and replay protection.
ESP	A protocol that provides the same services as AH but also offers data privacy through the use of encryption.
IKE	A protocol that provides the all-important key-management function. The alternative to IKE is manual keying, which IPsec also supports.

AH and ESP can operate in one of two modes. From an implementation point of view, these modes determine what the encapsulation will look like. The two modes are

Transport mode	A method of providing security to the upper-layer protocol of an IP datagram
Tunnel mode	A method of providing security to an entire IP datagram

At first blush, it's difficult to see why there are two modes instead of one or when we would prefer one to the other.

Similar questions apply to AH and ESP. If ESP can provide privacy and the same services as AH, why do we need AH? We address these questions in detail in the following chapters, of course, but for now, we merely note that the AH authentication function is slightly different from ESP's and that although tunnel mode is the more general type of encapsulation, it also requires more overhead in the datagram.

Much of the flexibility of IPsec comes from the ability to combine AH and ESP in various ways and to choose the type of encapsulation. It is possible, for example, to protect a datagram with both AH and ESP by first applying ESP to the datagram and then applying AH to the result. There are other possibilities as well, which we discuss in further detail in Chapter 10.