While IP has proven to be an efficient and robust protocol when it comes to actually getting data across the Internet, it does not inherently provide any protection of that data. There are no facilities to provide confidentiality, or to ensure the integrity or authenticity of IP [31] datagrams. In order to remedy the security weaknesses of IP, a pair of protocols collectively called IP Security, or IPsec [3,16] for short, has been standardized by the IETF. The protocols are ESP (Encapsulating Security Payload) [2,15] and AH (Authentication Header) [1,14]. Both provide integrity, authenticity, and replay protection, while ESP adds confidentiality to the picture. IPsec can also be made to protect IP datagrams for other hosts. The IPsec endpoints in this arrangement thereby become security gateways and take part in a virtual private network (VPN) where ordinary IP packets are tunneled inside IPsec [36].
Network-layer security has a number of very important advantages over security at other layers of the protocol stack. Network-layer protocols are generally hidden from applications, which can therefore automatically and transparently take advantage of whatever network-layer encryption services that host provides. Most importantly, network-layer protocols offer a remarkable flexibility not available at higher or lower layers. They can provide security on an end-to-end (securing the data between two hosts), route-to-route (securing data passing over a particular set of links), edge-to-edge (securing data as it passes from a ``secure'' network to an ``insecure'' one), or a combination of these.