IP Security Architecture

The IP security architecture [ipsec] uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt a particular flow. The actual choice of algorithm is left up to the users. A security parameter index (SPI) is provided along with the destination address to allow the security association for a packet to be looked up. For multicast, therefore, a security association is provided for the group, and is duplicated across all authorised receivers of the group. There may be more than one security association for a group, using different SPIs, which allows multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the standard doesn't describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will make the choice and

Two headers have been designed to provide security for both IPv4 and IPv6:

As usual, the default algorithms used are keyed MD5 for integrity in the AH and DES-CBC (Cypher Block Chaining) for confidentiality in IPEP.
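The lookup and integrity check described above, as an added example that is not part of the original text: a receiver finds the security association from the (destination address, SPI) pair and verifies a keyed-MD5 value over the payload. The group address, SPIs, keys, class and function names, and the simplified key-data-key MD5 construction are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityAssociation:
    auth_alg: str    # integrity algorithm chosen by the users
    auth_key: bytes  # duplicated to every authorised receiver of the group

def keyed_md5(key: bytes, data: bytes) -> bytes:
    # Simplified key||data||key envelope (assumption); not the exact AH wire format.
    return hashlib.md5(key + data + key).digest()

class Receiver:
    def __init__(self):
        self.sad = {}  # (destination address, SPI) -> SecurityAssociation

    def install(self, dst, spi, sa):
        self.sad[(dst, spi)] = sa

    def accept(self, dst, spi, payload, icv):
        sa = self.sad.get((dst, spi))
        if sa is None:
            return False  # no association for this (destination, SPI): drop
        # A valid value proves only that some holder of the key sent the data.
        return hmac.compare_digest(keyed_md5(sa.auth_key, payload), icv)

def send(sa, payload):
    return payload, keyed_md5(sa.auth_key, payload)

GROUP = "224.2.0.1"  # constructed multicast group address
SA_ALL = SecurityAssociation("keyed-md5", b"group-wide-key")          # SPI 0x100
SA_RESTRICTED = SecurityAssociation("keyed-md5", b"restricted-key")   # SPI 0x200

def demo():
    full, basic = Receiver(), Receiver()
    for r in (full, basic):
        r.install(GROUP, 0x100, SA_ALL)       # same SA copied to all receivers
    full.install(GROUP, 0x200, SA_RESTRICTED)  # second level within the group
    p1, icv1 = send(SA_ALL, b"open session data")
    p2, icv2 = send(SA_RESTRICTED, b"restricted data")
    return {
        "both_accept_0x100": full.accept(GROUP, 0x100, p1, icv1)
                             and basic.accept(GROUP, 0x100, p1, icv1),
        "full_accepts_0x200": full.accept(GROUP, 0x200, p2, icv2),
        "basic_drops_0x200": not basic.accept(GROUP, 0x200, p2, icv2),
        "tamper_rejected": not full.accept(GROUP, 0x100, p1 + b"!", icv1),
        "wrong_spi_rejected": not full.accept(GROUP, 0x200, p1, icv1),
    }
```

Because every receiver holding an association can also compute a valid value under it, the check distinguishes levels within the group but not individual members who share the same key.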


Jon CROWCROFT
1998-12-03