flow confidentiality. It operates at the IP layer using the IP port 50. ESP does not protect the IP packet header unlike AH, even though this can be accomplished in the tunnel mode where the entire IP packet is encapsulated in a new packet and thus is protected by ESP. These protocols can be used in combination, or alone to provide a certain set of security services in IPv4/IPv6. Another important concept is the Security Association (SA) which is the basis for security functions in IP. A SA is a unidirectional connection that works with either AH or ESP to provide authentication and encryption of that particular flow in the connection. It is identified by a Security Parameter Index (SPI), the IP destination address and the security protocol identifier (AH or ESP). If both AH and ESP are used to secure a traffic flow then two or more SAs are needed to reach this goal. Since these security services use the concept of shared secret values characterized by the use of cryptographic keys, IPSec relies on another set of mechanisms to manage these keys. The most famous approach in this context is the use of the public key based approach Internet Key Exchange (IKE) which provides an automatic key management mechanism. As far as the Zeroconf is concerned, the shared group key can be put in place by bootstrapping the IKE protocol which uses the Diffie-Hellman [15] that provides some kind of external authentication to prevent mainly man in the middle attacks. This can be an expensive operation for some resource-constrained end devices that can be found in Zeroconf networks. The problem that arises with the bootstrapping solution is that IKE provides SA negotiation between two entities having unicast addresses. This means that even though IPSec can secure broadcast and multicast traffic there is no way to automatically negotiate the SA. To address this issue, two solutions can be used: