HP-UX IPFilter Version A.03.05.14 Administrator's Guide
HP-UX IPFilter and IPSec
Allowing Protocol 50 and Protocol 51 Traffic
Chapter 9
IPSec uses Encapsulating Security Payload (ESP) to provide data
confidentiality and Authentication Header (AH) to provide data integrity
at the IP layer. Depending on the IPSec traffic policy you configure,
IPSec inserts an ESP header, an AH header, or both into the IP datagram
immediately after the IP header. The protocol field of that IP header is
then 50 (esp) or 51 (ah): it names the IPSec header that follows, not the
protocol of the original payload.
Figure 9-5 Packet with Unencrypted TCP Data
Figure 9-6 Packet with IPSec-Encrypted TCP Data
IPFilter never sees the TCP packets exchanged between machine A and
machine B as packets with protocol number 6. On the wire they are
encrypted (wrapped) inside packets whose protocol number is 50. A rule
that blocks protocol number 6 therefore does not match them: unless some
other rule blocks protocol 50, IPFilter lets the ESP packets through, and
IPSec then removes the ESP header and decrypts the TCP data. For the same
reason, to let IPSec-protected traffic through you must explicitly pass
protocol 50 (esp) and protocol 51 (ah), and to stop it you must block
those protocols, because IPFilter cannot look inside the encrypted
payload.
Figure 9-5 layout: [IP header, protocol # = 6] [TCP header] [Data]
Figure 9-6 layout: [IP header, protocol # = 50] [ESP header] [encrypted: TCP header, Data]
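The following is an added example, not code from the HP-UX IPFilter guide or from HP. It builds the two datagrams shown in Figures 9-5 and 9-6 (a plain TCP segment with IP protocol 6, and the same segment wrapped in transport-mode ESP with IP protocol 50), then runs both through a small evaluator for a subset of ipf.conf rule syntax (`pass`/`block`, `in`/`out`, `quick`, `proto <name>`). The ESP "encryption" is a placeholder XOR so the example runs offline; it is not a real cipher, and the padding, next-header byte and ICV of real ESP are omitted. The rule semantics (last match wins, `quick` stops evaluation, pass when nothing matches) are the stock IPFilter defaults assumed here.

```python
"""Added example: why an IPFilter rule on protocol 6 never matches
IPSec-protected TCP, and what a rule on protocol 50 sees instead."""
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
PROTO_NAMES = {"tcp": IPPROTO_TCP, "esp": IPPROTO_ESP, "ah": IPPROTO_AH}


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def tcp_segment(sport, dport, data):
    """Minimal 20-byte TCP header (PSH|ACK, no checksum) followed by data."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return hdr + data


def toy_encrypt(payload, key=0x5A):
    """Placeholder for the ESP cipher (assumption: XOR, symmetric, insecure)."""
    return bytes(b ^ key for b in payload)


def esp_wrap(inner, spi=0x1000, seq=1):
    """Transport-mode ESP: SPI, sequence number, then the encrypted payload."""
    return struct.pack("!II", spi, seq) + toy_encrypt(inner)


def esp_unwrap(wrapped):
    """What IPSec hands up after removing ESP: the decrypted TCP segment."""
    return toy_encrypt(wrapped[20 + 8:])  # skip IP header (20) and SPI+seq (8)


def parse_rule(text):
    """Parse '<pass|block> <in|out> [quick] proto <tcp|esp|ah>'."""
    words = text.split()
    return {"action": words[0], "dir": words[1], "quick": "quick" in words,
            "proto": PROTO_NAMES[words[words.index("proto") + 1]]}


def filter_decision(rules, packet, direction="in"):
    """IPFilter-style evaluation: last matching rule wins unless a matching
    rule is 'quick'; default is pass when no rule matches."""
    proto = packet[9]  # IPv4 protocol field is byte 9 of the header
    decision = "pass"
    for r in rules:
        if r["dir"] == direction and r["proto"] == proto:
            decision = r["action"]
            if r["quick"]:
                break
    return decision


def build_packets():
    """Constructed sample: one telnet segment, plain and ESP-wrapped."""
    tcp = tcp_segment(40000, 23, b"constructed telnet payload")
    plain = ipv4_header(IPPROTO_TCP, "10.0.0.1", "10.0.0.2", len(tcp)) + tcp
    esp = esp_wrap(tcp)
    wrapped = ipv4_header(IPPROTO_ESP, "10.0.0.1", "10.0.0.2", len(esp)) + esp
    return plain, wrapped


def demo():
    """Apply two rule sets to both packets and report the decisions."""
    plain, wrapped = build_packets()
    allow_ipsec = [parse_rule(r) for r in (
        "block in quick proto tcp",  # matches protocol 6 only
        "pass in quick proto esp",   # protocol 50: wrapped TCP is invisible here
        "pass in quick proto ah",    # protocol 51
    )]
    block_ipsec = [parse_rule(r) for r in (
        "block in quick proto tcp",
        "block in quick proto esp",  # the only way to stop the wrapped TCP
        "block in quick proto ah",
    )]
    return {
        "plain/allow_ipsec": filter_decision(allow_ipsec, plain),
        "wrapped/allow_ipsec": filter_decision(allow_ipsec, wrapped),
        "wrapped/block_ipsec": filter_decision(block_ipsec, wrapped),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The plain segment is blocked by the protocol 6 rule, the ESP-wrapped copy of the same segment passes under the first rule set because IPFilter only ever examines the outer protocol field (50), and it is blocked only when a rule names `proto esp` (or `proto 50`) directly. `esp_unwrap` shows that what IPSec recovers after the filter is the original TCP segment, destination port 23 included, which IPFilter never had a chance to match.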