IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks.
Some experts have criticized it as complex and burdened with many options, which has a devastating effect on a security standard.
IPsec is an open standard that is part of the IPv4 suite and uses the following protocols to perform various functions:[10][11]
The Security Authentication Header (AH) was developed at the US Naval Research Laboratory in the early 1990s and is derived in part from previous IETF standards work on authentication for the Simple Network Management Protocol (SNMP) version 2.
The following AH packet diagram shows how an AH packet is constructed and interpreted:[12]
The IP Encapsulating Security Payload (ESP)[22] was developed at the Naval Research Laboratory starting in 1992 as part of a DARPA-sponsored research project, and was openly published by the IETF SIPP[23] Working Group, which drafted it in December 1993 as a security extension for SIPP.
The SP3D protocol specification was published by NIST in the late 1980s, but designed by the Secure Data Network System project of the US Department of Defense.
ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.
The authentication algorithm is also agreed upon before the data transfer takes place, and IPsec supports a range of methods.
RFC 5386 defines Better-Than-Nothing Security (BTNS) as an unauthenticated mode of IPsec using an extended IKE protocol.
A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.
Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice.
The method uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer.
The transport and application layers are always secured by a hash, so they cannot be modified in any way, for example by translating the port numbers.
An alternative is the so-called bump-in-the-stack (BITS) implementation, in which the operating system source code does not have to be modified.
If a host or gateway has a separate cryptoprocessor, which is common in the military and can also be found in commercial systems, a so-called bump-in-the-wire (BITW) implementation of IPsec is possible.
Existing IPsec implementations on Unix-like operating systems, for example, Solaris or Linux, usually include PF_KEY version 2.
Embedded IPsec can be used to secure communication among applications running on resource-constrained systems with small overhead.
IPsec was developed in conjunction with IPv6 and was originally required to be supported by all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.
These third-generation documents standardized the abbreviation of IPsec to uppercase "IP" and lowercase "sec".
In 2013, as part of the Snowden leaks, it was revealed that the US National Security Agency had been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the Bullrun program.
In a letter which OpenBSD lead developer Theo de Raadt received on 11 Dec 2010 from Gregory Perry, it is alleged that Jason Wright and others, working for the FBI, inserted "a number of backdoors and side channel key leaking mechanisms" into the OpenBSD crypto code.
An alternative explanation put forward by the authors of the Logjam attack suggests that the NSA compromised IPsec VPNs by undermining the Diffie-Hellman algorithm used in the key exchange.
In their paper,[45] they allege the NSA specially built a computing cluster to precompute multiplicative subgroups for specific primes and generators, such as for the second Oakley group defined in RFC 2409.
If an organization were to precompute this group, they could derive the keys being exchanged and decrypt traffic without inserting any software backdoors.