A suite of three Internet Request for Comments (RFC) documents specify an architecture for how the Internet Protocol (IP) for network communications can be augmented with services for authentication, integrity and confidentiality. Of these documents, [Atk95c] provides an architecture overview while the other two specify in detail the proposed new services [Atk95a,Atk95b]. The specified services can optionally be included in IP version 4 (IPv4, the protocol in common use on the Internet today) implementations. For the forthcoming IP version 6, implementation of these services is mandatory.
As IP is a low-level protocol unaware of higher-level protocols or applications that use it, security services are provided between hosts only. It is not possible to achieve user- or application-specific protection using IP-level security.
To implement IP-level security, two extensions to the IP protocol are defined. The first extension specifies an IP Authentication Header (AH) [Atk95a]. An encrypted checksum computed is placed in this header. The checksum is computed using a message digest algorithm over the rest of the fields in the IP datagram. Upon receipt, the remote host checks the validity of the IP datagram using the information in the Authentication Header. If this authentication fails, the datagram should be discarded. Information about the failing packet is also entered into the system log.
The second extension specifies a header named IP Encapsulating Security Payload (ESP) [Atk95b]. An ESP IP datagram contains a set of unencrypted IP headers, the ESP header, and a block of encrypted data. There exist two operating modes for ESP. In tunneling mode the encrypted data contains a complete IP datagram. Upon receipt, the target host decrypts this datagram and processes it as if it had arrived directly (conceivably the tunneled datagram could itself be ESP-enhanced). In the other operating mode, the encrypted data contains an upper-level protocol (UDP, TCP, etc) data frame.
To benefit from security-augmented communication, the target host must be made aware of which authentication and encryption algorithms and modes are used by the sender. A collection of such information is termed Security Parameter Index (SPI). An SPI is identified by a 32-bit number present in the AH or ESP header. SPI-identifiers in the range 0-255 are reserved and only assigned by the Internet Assigned Numbers Authority (IANA).