April 11, 2011, 2:06 a.m.
posted by sodog
In general, there are three possibilities to implement the IPsec architecture (with or without key management) and to place the implementation in a host or security gateway:
The simplest and most straightforward possibility is to integrate the IPsec protocols into a native IP implementation. This is applicable to hosts and security gateways, but requires access to the corresponding source code.
Another possibility is provided by so-called "bump-in-the-stack" (BITS) implementations. In these implementations, IPsec is implemented underneath an existing IP stack, between the native IP implementation and the local network drivers. Source code access for the IP stack is not required in this case, making it appropriate for use with legacy systems. This approach, when it is adopted, is usually employed with hosts.
A somewhat related possibility is provided by so-called "bump-in-the-wire" (BITW) implementations. Similar to BITS implementations, source code access for the IP stack is not required for BITW implementations. But in addition to what BITS implementations do, additional hardware in the form of outboard cryptographic processors is typically used. This is a common design feature of network security systems used by the military, and of some commercial systems as well. BITW implementations may be designed to serve both hosts and security gateways.
As of this writing, most IPsec implementations are either BITS or BITW. For example, PGPnet is a BITS implementation, whereas most firewall products that support IPsec for virtual private networking are BITW implementations. The dominance of BITS or BITW implementations is expected to change in the future, because more vendors of networking software have integrated or are about to integrate the IPsec protocols into their products. For example, Windows 2000 comes with IPsec support, and Cisco IOS also provides support for the IPsec protocols in its more recent releases.
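To make the BITS placement concrete, here is an added example (not from the post above or from any product it names) that models a bump-in-the-stack shim in Python. The "native stack" is a minimal IPv4 header builder standing in for an unmodified OS IP stack; the shim never touches it, which is exactly why BITS needs no stack source code. The shim instead parses the finished datagram, wraps the payload in transport-mode ESP with NULL encryption and HMAC-SHA1-96 integrity (the ESP framing of RFC 2406 with the RFC 2410 null cipher), rewrites the protocol, length and checksum fields in the header the stack already built, and reverses the whole thing on the way in. The SPI, key and addresses are constructed sample values.

```python
"""Model of a bump-in-the-stack (BITS) IPsec shim (added example).

The shim sits between an unmodified IP stack and the network driver and
sees only complete IPv4 datagrams. It applies transport-mode ESP with
NULL encryption and HMAC-SHA1-96 integrity, so everything stays in the
standard library. Keys, SPI and addresses below are constructed values.
"""
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IP protocol number assigned to ESP
ICV_LEN = 12     # HMAC-SHA1-96: the SHA-1 MAC truncated to 96 bits


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def native_stack_send(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Stand-in for the unmodified IP stack: builds a complete IPv4 datagram.
    The BITS shim never modifies this function; it only post-processes its output."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def _rewrite_header(ip_hdr: bytes, proto: int, body_len: int) -> bytes:
    """Patch protocol, total length and checksum of a header the stack built."""
    new_hdr = bytearray(ip_hdr)
    new_hdr[9] = proto
    struct.pack_into("!H", new_hdr, 2, len(ip_hdr) + body_len)
    struct.pack_into("!H", new_hdr, 10, 0)
    struct.pack_into("!H", new_hdr, 10, ipv4_checksum(bytes(new_hdr)))
    return bytes(new_hdr)


class BitsShim:
    """IPsec layer inserted underneath the IP stack, above the driver."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi          # constructed SPI for this one-SA model
        self.key = auth_key     # constructed integrity key
        self.seq = 0

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha1).digest()[:ICV_LEN]

    def outbound(self, datagram: bytes) -> bytes:
        """Transport-mode ESP: keep the stack's IP header, protect its payload."""
        ihl = (datagram[0] & 0x0F) * 4
        ip_hdr, payload = datagram[:ihl], datagram[ihl:]
        next_header = ip_hdr[9]                   # original upper-layer protocol
        self.seq += 1
        # ESP trailer: pad so payload + pad + 2 trailer bytes is 4-byte aligned;
        # default padding bytes are 1, 2, 3, ... as in RFC 2406
        pad_len = (-(len(payload) + 2)) % 4
        trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        esp = struct.pack("!II", self.spi, self.seq) + payload + trailer
        esp += self._icv(esp)
        return _rewrite_header(ip_hdr, ESP_PROTO, len(esp)) + esp

    def inbound(self, datagram: bytes) -> bytes:
        """Verify the ICV, strip ESP and return the datagram the stack expects."""
        ihl = (datagram[0] & 0x0F) * 4
        ip_hdr, esp = datagram[:ihl], datagram[ihl:]
        if ip_hdr[9] != ESP_PROTO:
            return datagram                       # not ESP: pass through untouched
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        if not hmac.compare_digest(self._icv(body), icv):
            raise ValueError("ESP integrity check failed")
        spi, _seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        pad_len, next_header = body[-2], body[-1]
        payload = body[8:len(body) - 2 - pad_len]
        return _rewrite_header(ip_hdr, next_header, len(payload)) + payload


if __name__ == "__main__":
    shim = BitsShim(spi=0x1001, auth_key=b"constructed-demo-key")
    plain = native_stack_send(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 17, b"hello world")
    wire = shim.outbound(plain)
    print("on the wire: proto", wire[9], "len", len(wire))
    print("round trip ok:", shim.inbound(wire) == plain)
```

The design point the model exposes is that the shim operates after the stack has already chosen the packet's size and filled in its header: ESP overhead is added below IP, so a real BITS layer must also deal with the resulting MTU and fragmentation issues itself, since the stack above it is unaware that IPsec exists. A native implementation, by contrast, can account for that overhead while the datagram is being built.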