A few days ago I proposed to write a brief tut about IPsec, & some folks told me they were interested.

I'm not a crypto expert & this tut does not provide much info about PKI.

What is IPsec?

It's the state of the art against Man In the Middle attacks (MIM attacks).
This protocol implements 3 main features:
- VPN tunneling
- Anti-Replay
- Authentication
- Data encryption
- "Static routing"
- "Known-of-need"

The VPN feature may be disabled, which gives 2 modes of using IPsec: Transport mode (without tunneling) & Tunnel mode.
I think you all know the benefit of tunneling. (The WAN, e.g. the ISP, is not aware of your private addresses. In theory
only people at the other end of the tunnel can connect to you.)
Most people use tunnel mode, but transport mode may be useful in some cases (for instance when a NAT of your public
addresses is somehow required).

The anti-replay feature is the real benefit of the IPsec standard. It uses ESP encapsulation (ESP fills in the
protocol field of the IP header).
It's a sliding window mechanism. Each packet has an incremental identifier value, and the IPsec box keeps in memory the set of
received packet identifiers for a given connection. A window of n packets is defined because memory is not unlimited,
e.g. 32 consecutive packet IDs, ID = [10; 42].
The box handles each packet with the following rules:
- if a packet has an ID that has already been memorised => the packet is dropped
- if a packet has an ID that is less than the minimum value of the window => the packet is dropped (e.g. packet_id=8)
- if a packet has an ID that is greater than the maximum value of the window => the window slides so that this ID becomes
its maximum value (e.g. packet_id=50 then window=[18;50])

Authentication
The ESP header offers an authentication mechanism by sealing the packet (without a third party).

Data encryption
Data is encrypted thanks to private keys. Many IPsec boxes use hardware smartcards containing the encryption keys
to exclude the risk of public key interception. But mostly people use it with PKI.

To sum up, in tunnel mode the packet looks like: cf. figure


The "Static routing" feature is called (I'm not sure of the technical translation in English) the Security Association table.
A given IPsec box X will protect a network NET_X and have a public address Z_X; the Security Association table contains the
information about which IPsec tunnel the data should be forwarded to.
For instance, data going from NET_A to destination NET_B will go through the table, which should contain a kind of static route saying
"To reach NET_B forward packet to Z_B"

"Known-of-need" (I'm not sure of the translation) is another feature of the Security Association table, saying that source NET_A
is authorized to communicate with destination NET_B. It's a firewall-like feature (the one described by kadeng in thread http://www.antionline.com/showthread...486#post625486).

There is much more to say about the principle ... Feel free to update it.

IPsec Problems
1- One big problem of IPsec is that a check is done on the tunnel IP address; like any VPN architecture it's therefore not compatible
with NAT. Unless you use it in transport mode.

2- Another one is dynamic routing and multicast frames. Let's take an example: you have two sites with the internet in the middle.
An IPsec tunnel provides inter-site connectivity. If a new route is added on one site, that very route won't be accessible. A
manual Security Association table update is required.
Nevertheless, using a routing protocol like RIP or OSPF would not work since IPsec tunnels do not support multicast frames.
That IETF Internet Draft may help you to resolve the problem.

3- IPsec & QoS: Let's imagine the ISP provides QoS; the order in which packets are received could be scrambled, resulting in
the anti-replay window sliding too quickly and then dropping some legit packets.
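
The anti-replay window rules from the section above, and the reordering problem from point 3, shown as an added example (not code from the original post or from any IPsec implementation). The class and function names are hypothetical, the packet ID sequences are constructed, and a Python set stands in for the bitmap a real IPsec box would use.

```python
# Added illustration of the anti-replay sliding window described in the text.
# ReplayWindow and run() are hypothetical names; sample IDs are constructed.

class ReplayWindow:
    def __init__(self, size=32, highest=42):
        self.size = size          # window width n (32 in the text's example)
        self.highest = highest    # maximum ID of the window (42 -> [10;42])
        self.seen = set()         # IDs already memorised inside the window

    @property
    def lowest(self):
        return self.highest - self.size

    def accept(self, packet_id):
        """Apply the three rules; return (accepted, reason)."""
        if packet_id < self.lowest:
            return False, "below window"       # rule 2: older than the window
        if packet_id in self.seen:
            return False, "replay"             # rule 1: ID already memorised
        if packet_id > self.highest:
            self.highest = packet_id           # rule 3: slide the window
            # forget IDs that fell out of the window to bound memory
            self.seen = {i for i in self.seen if i >= self.lowest}
        self.seen.add(packet_id)
        return True, "ok"


def run(ids, size=32, highest=42):
    """Feed packet IDs in arrival order; return per-packet verdicts and final window."""
    w = ReplayWindow(size, highest)
    verdicts = [(i, *w.accept(i)) for i in ids]
    return verdicts, (w.lowest, w.highest)


if __name__ == "__main__":
    # Constructed arrival order matching the text: start at [10;42],
    # a replayed 12, a too-old 8, then 50 slides the window to [18;50].
    for row in run([12, 12, 8, 50, 12, 20, 20])[0]:
        print(row)
    # Constructed QoS case (problem 3): ID 120 is delivered ahead of 45..47,
    # the window jumps to [88;120] and the late but legit packets are dropped.
    verdicts, window = run([43, 44, 120, 45, 46, 47])
    print(window, [v for v in verdicts if not v[1]])
```

In the second run the three dropped packets were never replayed; they only arrived late, which is why reordering by a QoS-enabled ISP has to be taken into account when sizing the window.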