IPSec (IP Security) is a means to authenticate and encrypt traffic sent over the Internet.
There are two main aspects to IP Security: authentication and encryption.
The purpose of authentication is to ensure that the packets of data are genuinely from the sender you think they are. There are a number of protocols that can be used, but they all provide a means to validate the sender, and also to confirm that the contents of the packet have not been changed.
Usually the authentication involves a secret which is known only to the two ends of the communication. It is also possible to authenticate using keys which are more complex.
Authentication on its own does not stop someone snooping on the contents of the packets; it just makes sure that they have not been tampered with and are genuinely from the sender (or from someone who knows the secret).
There are actually two types of authentication: AH (Authentication Header), which authenticates the packet payload and some of the header fields (the IP addresses), and ESP-AUTH, which authenticates the encrypted payload and not the headers.
The purpose of encryption is to change the data when it is sent such that nobody snooping on the packet can make sense of it. There are different algorithms, and they offer different levels of security.
Usually the encryption involves a secret which is known only to the two ends of the communication. It is also possible to encrypt using keys which are more complex.
Encryption does not by itself provide authentication, although a packet would only decrypt correctly to something meaningful if it came from the right sender (or from someone who knows the secret).
For authentication and encryption, the correct algorithms and secrets have to be configured at both ends. There is, however, a system to exchange keys when communication starts and to negotiate some of these parameters. A secret or keys still have to be set up, obviously, but the configuration is simpler.
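To make the coverage difference between AH and ESP-AUTH concrete, here is an added Python sketch (not from the page, and not a real IPSec implementation) that models what each integrity check covers: an AH-style check over the addresses plus the readable payload, and an ESP-style check over the encrypted payload only. The keys, the packet and the SPI/sequence values are constructed, and the cipher is a toy SHA-256 keystream standing in for ESP's real encryption algorithms.

```python
import hmac
import hashlib

# Constructed sample keys and ESP header values; a real SA would negotiate these.
AUTH_KEY = b"constructed-auth-key"
ENC_KEY = b"constructed-enc-key"
ESP_HDR = (0x1000).to_bytes(4, "big") + (1).to_bytes(4, "big")  # SPI | sequence


def keystream_xor(key, data):
    """Toy stand-in for ESP's cipher (SHA-256 counter keystream XORed onto data).
    Not a real cipher; it only models 'unreadable without the key'."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def ah_icv(src, dst, payload):
    """AH-style integrity check value: covers the IP addresses and the payload,
    which stays in the clear (simplified: real AH also covers other fields)."""
    return hmac.new(AUTH_KEY, src.encode() + dst.encode() + payload, hashlib.sha256).digest()


def ah_verify(src, dst, payload, icv):
    return hmac.compare_digest(ah_icv(src, dst, payload), icv)


def esp_protect(payload):
    """ESP with authentication: encrypt, then MAC only SPI|seq|ciphertext.
    The outer IP addresses are deliberately not part of the authenticated data."""
    ct = keystream_xor(ENC_KEY, payload)
    return ct, hmac.new(AUTH_KEY, ESP_HDR + ct, hashlib.sha256).digest()


def esp_verify_and_decrypt(ct, icv):
    expected = hmac.new(AUTH_KEY, ESP_HDR + ct, hashlib.sha256).digest()
    return keystream_xor(ENC_KEY, ct) if hmac.compare_digest(expected, icv) else None


def demo():
    payload = b"GET /secret HTTP/1.0"
    icv = ah_icv("10.0.0.1", "10.0.0.2", payload)
    ct, esp_icv = esp_protect(payload)
    return {
        "ah_ok": ah_verify("10.0.0.1", "10.0.0.2", payload, icv),
        # A middlebox rewriting the source address (as NAT does) breaks AH ...
        "ah_after_nat": ah_verify("192.0.2.7", "10.0.0.2", payload, icv),
        # ... but ESP-AUTH never covered the addresses, so it is unaffected.
        "esp_after_nat": esp_verify_and_decrypt(ct, esp_icv) == payload,
        # Flipping one ciphertext byte is still detected by ESP-AUTH.
        "esp_tampered": esp_verify_and_decrypt(bytes([ct[0] ^ 1]) + ct[1:], esp_icv) is None,
    }
```

The `ah_after_nat` result is why AH and address-rewriting middleboxes do not mix, while ESP tolerates them; both checks still catch modification of what they do cover.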