==Implementations==
IPsec can be implemented in the IP stack of an [[operating system]]. This approach is used for hosts and security gateways. Various IPsec-capable IP stacks are available from companies such as HP or IBM.<ref>{{Cite book|title= Carrier-Scale IP Networks: Designing and Operating Internet Networks|author =Peter Willis |publisher= IET|year=2001 |isbn= 9780852969823|page=266}}</ref>

An alternative is the so-called [[bump-in-the-stack]] (BITS) implementation, where the operating system source code does not have to be modified. Here IPsec is installed between the IP stack and the network [[Device driver|drivers]], so operating systems can be retrofitted with IPsec. This method of implementation is also used for both hosts and gateways. However, when IPsec is retrofitted, the encapsulation of IP packets may cause problems for automatic [[path MTU discovery]], which establishes the [[maximum transmission unit]] (MTU) size on the network path between two IP hosts.

If a host or gateway has a separate [[cryptoprocessor]], which is common in the military and can also be found in commercial systems, a so-called [[bump-in-the-wire]] (BITW) implementation of IPsec is possible.<ref>{{Cite book|title= Carrier-Scale IP Networks: Designing and Operating Internet Networks|author =Peter Willis |publisher= IET|year=2001 |isbn= 9780852969823|page=267}}</ref>

When IPsec is implemented in the [[kernel (operating system)|kernel]], key management and [[ISAKMP]]/[[Internet Key Exchange|IKE]] negotiation are carried out from user space. The NRL-developed and openly specified "PF_KEY Key Management API, Version 2" is often used to enable the application-space key management application to update the IPsec security associations stored within the kernel-space IPsec implementation.<ref name="rfc2367">RFC 2367, ''PF_KEYv2 Key Management API'', Dan McDonald, Bao Phan, & Craig Metz (July 1998)</ref>

Existing IPsec implementations usually include ESP, AH, and IKE version 2. Existing IPsec implementations on [[Unix-like operating system]]s, for example [[Oracle Solaris|Solaris]] or [[Linux]], usually include PF_KEY version 2.

[[Embedded system|Embedded]] IPsec can be used to secure communication among applications running on resource-constrained systems with a small overhead.<ref>{{Cite book|last1=Hamad|first1=Mohammad|last2=Prevelakis|first2=Vassilis|title=2015 World Symposium on Computer Networks and Information Security (WSCNIS) |chapter=Implementation and performance evaluation of embedded IPsec in microkernel OS |date=2015|pages=1–7 |language=en-US|publisher=IEEE|doi=10.1109/wscnis.2015.7368294|isbn=9781479999064|s2cid=16935000|url=https://publikationsserver.tu-braunschweig.de/receive/dbbs_mods_00065815}}</ref>
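
As an added illustration (not code from the article's sources or from any IPsec stack), the following C code checks the length fields of a PF_KEYv2 message the way a receiver has to before acting on a request from user-space key management. The field layout follows RFC 2367; the <code>ex_</code>/<code>EX_</code> names and the sample message are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layouts and values follow RFC 2367; the ex_/EX_ names are this example's own. */
enum { EX_PF_KEY_V2 = 2, EX_SADB_ADD = 3, EX_SATYPE_ESP = 3, EX_EXT_SA = 1 };

struct ex_sadb_msg {          /* base header, 16 bytes, host byte order */
    uint8_t  version, type, err, satype;
    uint16_t len;             /* whole message, in 64-bit words */
    uint16_t reserved;        /* must be zero */
    uint32_t seq, pid;
};
struct ex_sadb_ext { uint16_t len, type; };  /* len in 64-bit words */

/* Returns the number of extensions, or -1 if the message is malformed. */
int ex_pfkey_check(const uint8_t *buf, size_t n)
{
    struct ex_sadb_msg h;
    if (n < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.version != EX_PF_KEY_V2 || h.reserved != 0) return -1;
    if ((size_t)h.len * 8 != n) return -1;        /* declared vs. received */
    size_t off = sizeof h;
    int count = 0;
    while (off < n) {
        struct ex_sadb_ext e;
        memcpy(&e, buf + off, sizeof e);          /* n - off >= 8 here */
        if (e.len == 0) return -1;                /* would never advance */
        if ((size_t)e.len * 8 > n - off) return -1;  /* runs past the end */
        off += (size_t)e.len * 8;
        count++;
    }
    return count;
}

/* Constructed sample: 32-byte SADB_ADD for ESP with one SA extension; the two
   arguments let the caller corrupt the message and extension length fields. */
int ex_check_sample(uint16_t msg_words, uint16_t ext_words)
{
    uint8_t buf[32] = {0};
    struct ex_sadb_msg h = { EX_PF_KEY_V2, EX_SADB_ADD, 0, EX_SATYPE_ESP,
                             msg_words, 0, 1, 1234 };
    struct ex_sadb_ext e = { ext_words, EX_EXT_SA };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &e, sizeof e);
    return ex_pfkey_check(buf, sizeof buf);
}

int main(void) { return ex_check_sample(4, 2) == 1 ? 0 : 1; }
```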