IPSec Implementation in Linux

IPSEC Basic

Security Scheme | Difference
IPSEC           | Security scheme operating in the Internet Layer of the Internet Protocol Suite
TLS/SSH         | Security scheme operating in the upper layers of the TCP/IP model, such as the transport layer

IPSEC Protocol                      | Note
AH (Authentication Header)          | Provides source authentication and data integrity for IP datagrams, but is not designed to provide confidentiality.
ESP (Encapsulating Security Payload) | Provides source authentication, data integrity, and confidentiality.

IPSEC Mode | Protocol | Note
Transport  | AH       | Only the payload of the IP packet is usually authenticated
Transport  | ESP      | Only the payload of the IP packet is usually encrypted and/or authenticated
Tunnel     | AH       | The entire IP packet is authenticated
Tunnel     | ESP      | The entire IP packet is encrypted and/or authenticated

Terms

SP (Security Policy)      | A rule which decides whether a given flow needs to go for IPsec processing or not.
SA (Security Association) | A bundle of algorithms and parameters (such as keys) that is used to encrypt and authenticate a particular flow in one direction. IPsec uses the Security Parameter Index (SPI: an index into the security association database, the SADB), together with the destination address in the packet header; the two together uniquely identify the security association for that packet.

Linux Implementation

XFRM netlink message | Purpose
XFRM_MSG_NEWSA       | Add a new SA to the SAD
XFRM_MSG_DELSA       | Delete an SA from the SAD
XFRM_MSG_GETSA       | Get (look up) an SA from the SAD
XFRM_MSG_FLUSHSA     | Flush the SAD
XFRM_MSG_NEWPOLICY   | Add a new policy to the SPD
XFRM_MSG_DELPOLICY   | Delete a policy from the SPD
XFRM_MSG_GETPOLICY   | Get (look up) a policy from the SPD
XFRM_MSG_FLUSHPOLICY | Flush the SPD

IPSec framework in kernel

Component           | Location
ESP Protocol        | net/ipv4/esp4.c, net/ipv6/esp6.c
AH Protocol         | net/ipv4/ah4.c, net/ipv6/ah6.c
XFRM framework      | net/ipv4/xfrm4_policy.c and net/ipv6/xfrm6_policy.c
XFRM initialization | xfrm4_init() and xfrm6_init()
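As an added example (not part of this wiki page), the script below drives the XFRM messages listed above from user space through iproute2's ip xfrm front end: it installs one ESP transport-mode SA per direction (an SA is one-directional, so a two-way flow needs two) plus the two policies that send the flow to IPsec processing, then lists and flushes the SAD and SPD. The hosts, SPIs and keys are constructed placeholders; the peer host would install the same two SAs with the mirrored policies.

```shell
#!/bin/sh
# Added example, not from the wiki page: manual keying of one ESP transport-mode
# flow between two constructed hosts. Each 'ip xfrm' command is the iproute2
# front end for one of the XFRM_MSG_* netlink messages listed above.
# Addresses (RFC 5737 documentation range), SPIs and keys are placeholders.
set -eu

LOCAL=192.0.2.1
PEER=192.0.2.2
SPI_OUT=0x1001    # SPI + destination address uniquely identify an SA in the SAD
SPI_IN=0x1002
# rfc4106(gcm(aes)) takes a 16-byte AES-128 key followed by a 4-byte salt (20 bytes).
# Placeholder values: real keys come from a CSPRNG or an IKE daemon, never a script.
KEY_OUT=0x00112233445566778899aabbccddeeff01020304
KEY_IN=0xffeeddccbbaa99887766554433221100a0b0c0d0

# XFRM_MSG_NEWSA: one SA per direction, because an SA protects a flow one way only.
sa_add_cmd() {  # $1=src $2=dst $3=spi $4=key
  printf "ip xfrm state add src %s dst %s proto esp spi %s mode transport aead 'rfc4106(gcm(aes))' %s 128" "$1" "$2" "$3" "$4"
}

# XFRM_MSG_NEWPOLICY: the SP that sends a matching flow to IPsec processing.
policy_add_cmd() {  # $1=src $2=dst $3=dir (out|in)
  printf "ip xfrm policy add src %s dst %s dir %s tmpl src %s dst %s proto esp mode transport" "$1" "$2" "$3" "$1" "$2"
}

# XFRM_MSG_FLUSHSA / XFRM_MSG_FLUSHPOLICY: empty the SAD and the SPD.
flush_cmds() {
  printf 'ip xfrm state flush\nip xfrm policy flush\n'
}

# Prints each command (dry run). With APPLY=1 and root privileges it is executed instead.
run() {
  if [ "${APPLY:-0}" = 1 ]; then sh -c "$1"; else printf '%s\n' "$1"; fi
}

run "$(sa_add_cmd "$LOCAL" "$PEER" "$SPI_OUT" "$KEY_OUT")"   # outbound SA
run "$(sa_add_cmd "$PEER" "$LOCAL" "$SPI_IN" "$KEY_IN")"     # inbound SA
run "$(policy_add_cmd "$LOCAL" "$PEER" out)"                  # outbound SP
run "$(policy_add_cmd "$PEER" "$LOCAL" in)"                   # inbound SP
run "ip xfrm state"     # XFRM_MSG_GETSA dump: both SAs should be listed
run "ip xfrm policy"    # XFRM_MSG_GETPOLICY dump: both policies should be listed
flush_cmds | while read -r cmd; do run "$cmd"; done           # tear everything down
```

Run without APPLY to see the generated commands; with APPLY=1 as root the SAD and SPD are actually modified, so only do that on a test host.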