This brought together various vendors including Motorola who produced crypto ipsec client network encryption device in 1988. From 1992 to 1995, various research groups improved upon SDNS’s SP3. SIPP project to research and implement IP encryption.
IP Security Working Group formed to standardize these efforts as an open, freely available set of security extensions, called IPsec . The IPsec is an open standard as a part of the IPv4 suite. IP datagrams and provides protection against replay attacks. In IPv4, AH prevents option-insertion attacks. In IPv6, AH protects both against header insertion attacks and option insertion attacks. In IPv6, the AH protects most of the IPv6 base header, AH itself, non-mutable extension headers after the AH, and the IP payload. Protection for the IPv6 header excludes the mutable fields: DSCP, ECN, Flow Label, and Hop Limit.
AH operates directly on top of IP, using IP protocol number 51. Type of the next header, indicating what upper-layer protocol was protected. The value is taken from the list of IP protocol numbers. The length of this Authentication Header in 4-octet units, minus 2.
When replay detection is enabled, sequence numbers are never reused, because a new security association must be renegotiated before an attempt to increment the sequence number beyond its maximum value. ESP in transport mode does not provide integrity and authentication for the entire IP packet. The IPsec protocols use a security association, where the communicating parties establish shared security attributes such as algorithms and keys. As such IPsec provides a range of options once it has been determined whether AH or ESP is used.
The algorithm for authentication is also agreed before the data transfer takes place and IPsec supports a range of methods. Authentication is possible through pre-shared key, where a symmetric key is already in the possession of both hosts, and the hosts send each other hashes of the shared key to prove that they are in possession of the same key. For IP multicast a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group.