Security may be an important consideration in network communications. With the ever-increasing utilization of the Internet, most networks now have Internet gateways that open the network to external attacks by would-be hackers. Further, the popularity of wireless networks has also increased dramatically as technology has enabled faster and more reliable wireless communications. Yet, wireless communications are inherently less secure than wired communications, since wireless communication signals are typically much easier to intercept than signals on difficult-to-access cables.
As a result, cryptography modules are often used to encrypt private or secret communications and reduce the likelihood that they will be deciphered and used by malicious individuals or organizations. By way of example, wireless local area networks (WLANs) and WLAN devices are widely used and provide a convenient and cost-effective approach for implementing network communications where it may be difficult or otherwise impractical to run cables. One of the more prominent standards which has been developed for regulating communications within WLANs is promulgated by the Institute of Electrical and Electronic Engineers' (IEEE) 802 LAN/MAN Standards Committee, including the 802.11 standard. In addition to providing wireless communications protocols, the 802.11 standard also defines a wireless equivalent privacy (WEP) cryptographic algorithm used to protect wireless signals from eavesdropping.
IPsec (IP security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets. IPsec provides security at the network layer.
IPsec is a set of cryptographic protocols for (1) securing packet flows and (2) key exchange. Of the former, there are two: Encapsulating Security Payload (ESP) provides authentication, data confidentiality and message integrity; Authentication Header (AH) provides authentication and message integrity, but does not offer confidentiality. Originally AH was only used for integrity and ESP was used only for encryption; authentication functionality was added subsequently to ESP. Currently only one key exchange protocol is defined, the IKE (Internet Key Exchange) protocol.
IPsec protocols operate at the network layer, layer 3 of the OSI model. Other Internet security protocols in widespread use, such as SSL and TLS, operate from the transport layer up (OSI layers 4-7). This makes IPsec more flexible, as it can be used for protecting both TCP and UDP-based protocols, but increases its complexity and processing overhead, as it does not rely on TCP (layer 4 OSI model) to manage reliability and fragmentation.
HAIPE (High Assurance Internet Protocol Encryptor) is the United States Department of Defense's analog of IPsec. HAIPE inline network encryptors (INE) exist today predominately in the form of software-based network stacks. In this architecture, all of the HAIPE functions, including traffic encapsulation that provides the security cover, are performed by layers of software within a processor. With current technology, it is not feasible to perform the encapsulation operations in a software stack at data rates beyond a few million bits per second.
Some methods of hardware acceleration exist to improve certain IP datagram processing operations. These methods include IP and higher (TCP, UDP) layer header checksum calculations and route table searches. Additional architecture variations make use of specialized network processors (NP) to partition the IP and higher layer operations. This approach uses fixed building blocks within a monolithic device and programmer's model to process the datagram.