10.1. Introduction

In this chapter, we look at the architecture that comprises and unifies the various IPsec protocols. We'll see that IPsec exactly meets our definition for a VPN: it is encryption and authentication applied to a tunnel in order to create the illusion of a private leased-line network. The overall architecture of IPsec is described in RFC 2401 [Kent and Atkinson 1998c], but separate RFCs describe its protocols and its encryption and authentication algorithms. Many of these RFCs are discussed in subsequent chapters. RFC 2401 doesn't talk very much about VPNs, preferring instead to discuss such objects as "secured connections." When it does use the term VPN, the RFC applies it to the case of a secured IP-in-IP tunnel, called tunnel mode in IPsec. We take the position that all IPsec modes constitute a VPN (see Exercise 10.3) and use the term freely. IPsec can be implemented in several ways in a host or security gateway. RFC 2401 describes three possible implementations (section 3.3 of the RFC):

- Integration of IPsec into the native IP implementation, which gives IPsec direct access to the IP layer; this applies to both hosts and security gateways.
- A "bump-in-the-stack" (BITS) implementation, inserted beneath an existing IP stack and above the network drivers; usually found in hosts.
- A "bump-in-the-wire" (BITW) implementation, a separate cryptographic processor or device through which the traffic passes; it can serve a single host or act as a security gateway.
Although RFC 2401 sometimes distinguishes among these types of implementations, the differences matter only for the fine points of a particular implementation; they do not change the packet formats or the security properties. For our purposes, we can imagine that IPsec is always integrated into the stack.
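To make the "secured IP-in-IP tunnel" concrete, here is an added example (not code from the book or from RFC 2401) that frames the same data in transport mode and in tunnel mode using the ESP layout (SPI, sequence number, payload, padding, pad length, next header, integrity check value). It assumes ESP with NULL encryption and HMAC-SHA-256-128 integrity so that it runs on the Python standard library alone; a real security association would also encrypt the payload. The addresses, SPIs, key and the 20-byte stand-in for a TCP segment are constructed for the example.

```python
"""Transport mode vs. tunnel mode ESP framing (added example, not from the book).

Uses ESP-NULL (no encryption) with HMAC-SHA-256-128 integrity so it runs on the
Python standard library alone; a real SA would also encrypt the payload.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4    # next-header value for an encapsulated IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 16        # HMAC-SHA-256-128 truncates the tag to 128 bits


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte header with the checksum field zeroed."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, flags/offset zero."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """SPI | Seq | payload | padding | pad len | next header | ICV."""
    pad_len = (-(len(payload) + 2)) % 4           # align pad len + next header to 4 bytes
    padding = bytes(range(1, pad_len + 1))        # default monotonic padding 1, 2, 3, ...
    body = payload + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(esp: bytes, key: bytes):
    """Verify the ICV first, then strip the trailer. Returns (spi, seq, next_header, payload)."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")   # nothing in the packet is trusted before this
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("bad ESP pad length")
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def esp_authentic(esp: bytes, key: bytes) -> bool:
    """True iff the ICV verifies; a flipped bit anywhere in the ESP packet makes this False."""
    try:
        esp_decapsulate(esp, key)
        return True
    except ValueError:
        return False


def transport_mode(src: str, dst: str, segment: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """End host protects only the transport segment; its own IP header stays in the clear."""
    esp = esp_encapsulate(spi, seq, segment, IPPROTO_TCP, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(inner_packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Gateway wraps the whole inner IP packet; the outer header names only the gateways."""
    esp = esp_encapsulate(spi, seq, inner_packet, IPPROTO_IPIP, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


if __name__ == "__main__":
    key = bytes(range(32))                  # constructed SA key, not a real one
    segment = bytes(20)                     # constructed stand-in for a TCP segment
    inner = ipv4_header("10.1.1.5", "10.2.2.9", IPPROTO_TCP, len(segment)) + segment
    t = transport_mode("10.1.1.5", "10.2.2.9", segment, 0x1000, 1, key)
    u = tunnel_mode(inner, "192.0.2.1", "198.51.100.1", 0x2000, 1, key)
    for name, pkt in (("transport", t), ("tunnel", u)):
        _, _, nh, payload = esp_decapsulate(pkt[20:], key)
        print(f"{name}: outer {ipaddress.IPv4Address(pkt[12:16])} -> "
              f"{ipaddress.IPv4Address(pkt[16:20])}, next header {nh}, "
              f"protected bytes {len(payload)}")
```

Running it shows the difference the chapter relies on: in transport mode the outer header still carries the end hosts' addresses (10.1.1.5 to 10.2.2.9) and ESP's next header is 6 (TCP), while in tunnel mode the outer header names only the two gateways, ESP's next header is 4 (IPv4), and the whole original packet, addresses included, sits inside the protected payload. The decapsulation side verifies the ICV before reading any trailer field, which is the order a receiver must use.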