swIPe provides confidentiality, integrity, and authentication of network traffic, and can be used to provide both end-to-end and intermediate-hop security. swIPe is concerned only with security mechanisms. The protocol does not handle policy and key management, which are handled outside the protocol. It works by augmenting each packet with a cryptographically-strong authenticator and/or encrypting the data to be sent.
swIPe encapsulates each IP datagram to be secured inside a swIPe packet. A swIPe packet is an IP packet of protocol type 53. A swIPe packet starts with a header, which contains identifying data and authentication information; the header is followed by the original IP datagram, which in turn is followed by any padding required by the security processing. Depending on the negotiated policy, the sensitive part of the swIPe packet (the authentication information and the original IP datagram) may be encrypted.
Cisco routers and switches running IOS have been found vulnerable to Denial of Service (DoS) attacks which may result from processing packets with IP Protocol 53.
- John Ioannidis and Matt Blaze (December 1993). "The swIPe IP Security Protocol INTERNET DRAFT". Columbia University and AT&T Bell Labs.
- "Assigned Internet Protocol Numbers". Internet Assigned Numbers Authority (IANA).
- "RFC5237". Internet Engineering Task Force (IETF).
- Security advisory for Cisco products