HP-UX IPSec version A.02.00 Administrator's Guide
HP-UX IPSec Overview
Encapsulating Security Payload (ESP)
Chapter 134
AES128-CBC is the most secure form of encryption for HP-UX IPSec.
AES128-CBC encryption throughput rates are comparable to or better
than DES-CBC and 3DES-CBC. For more information about HP-UX
IPSec performance, refer to the HP-UX IPSec Sizing and Performance
document available at www.docs.hp.com.
DES-CBC is no longer considered secure: its 56-bit key has been recovered
by exhaustive search (data encrypted with DES has been decrypted by a third
party that did not hold the key). Select AES128-CBC, or at least 3DES-CBC,
instead.
ESP encryption by itself does not detect modification of a packet in
transit. For added security, use ESP with authentication, as described in
“ESP with Authentication and Encryption” on page 36.
Transport and Tunnel Modes
The ESP header can be used in transport mode or tunnel mode.
Transport Mode
In transport mode, the ESP header is inserted immediately after the
original IP header. Only the upper-layer protocol data (e.g., TCP, UDP,
IGMP) and the ESP trailer are encrypted. The IP header is not encrypted
(and is not covered by the ESP authentication data either), so the source
and destination addresses remain visible on the wire.
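The transport-mode layout described above, together with the earlier advice to pair ESP encryption with authentication, as an added example (this is illustrative code written for this page, not HP-UX IPSec code): a Go program that builds and parses the part of the packet that follows the unencrypted IP header, using AES128-CBC for encryption and HMAC-SHA1-96 for the optional authentication data (ICV). The EspSA type, the function names, the keys and the sample TCP payload are constructed for illustration. The padding rule (fill bytes 1, 2, 3, ... up to a 16-byte block, then the pad-length and next-header bytes) is the RFC 2406 default, which this page does not spell out. FlipBitAccepted shows why encryption alone is not enough: a receiver without an ICV accepts a packet whose ciphertext was altered in transit and hands a corrupted payload up the stack, while a receiver with an ICV drops it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

const ipProtoTCP = 6 // Next Header value carried in the ESP trailer (transport mode)
const icvLen = 12    // HMAC-SHA1-96: the ICV is the leftmost 96 bits of the HMAC

// EspSA is a minimal security association (constructed for this example): SPI,
// AES128-CBC key, optional HMAC-SHA1 key (nil = ESP without authentication), sequence.
type EspSA struct {
	SPI     uint32
	EncKey  []byte // 16 bytes for AES128-CBC
	AuthKey []byte // nil => no ICV appended
	Seq     uint32
}

// Encapsulate builds what follows the IP header in transport mode:
// SPI | Seq | IV | AES-CBC(payload | padding | pad length | next header) [| ICV].
func (sa *EspSA) Encapsulate(payload []byte, nextHdr byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	// Pad with 1,2,3,... so payload + pad + 2 trailer bytes fills whole AES blocks.
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHdr)
	sa.Seq++
	out := make([]byte, 8, 8+aes.BlockSize+len(plain)+icvLen)
	binary.BigEndian.PutUint32(out[0:4], sa.SPI)
	binary.BigEndian.PutUint32(out[4:8], sa.Seq)
	iv := make([]byte, aes.BlockSize) // fresh random IV for every packet
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out = append(out, iv...)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	out = append(out, ct...)
	if sa.AuthKey != nil {
		// The ICV covers ESP header, IV and ciphertext, never the outer IP header.
		mac := hmac.New(sha1.New, sa.AuthKey)
		mac.Write(out)
		out = append(out, mac.Sum(nil)[:icvLen]...)
	}
	return out, nil
}

// Decapsulate verifies the ICV (when an auth key is set), decrypts, strips the trailer.
func (sa *EspSA) Decapsulate(pkt []byte) ([]byte, byte, error) {
	body := pkt
	if sa.AuthKey != nil && len(pkt) >= icvLen {
		body = pkt[:len(pkt)-icvLen]
		mac := hmac.New(sha1.New, sa.AuthKey)
		mac.Write(body)
		if !hmac.Equal(mac.Sum(nil)[:icvLen], pkt[len(pkt)-icvLen:]) {
			return nil, 0, errors.New("esp: ICV mismatch, packet dropped")
		}
	}
	if len(body) < 8+2*aes.BlockSize || (len(body)-8)%aes.BlockSize != 0 {
		return nil, 0, errors.New("esp: bad length")
	}
	if binary.BigEndian.Uint32(body[0:4]) != sa.SPI {
		return nil, 0, errors.New("esp: unknown SPI")
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, 0, err
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, nextHdr := int(plain[len(plain)-2]), plain[len(plain)-1]
	if padLen > len(plain)-2 {
		return nil, 0, errors.New("esp: bad pad length")
	}
	return plain[:len(plain)-2-padLen], nextHdr, nil
}

// FlipBitAccepted sends one packet, flips one ciphertext bit in transit and reports
// whether the receiver accepted it and whether the recovered payload was intact.
func FlipBitAccepted(withAuth bool) (accepted, intact bool) {
	tx := &EspSA{SPI: 0x1000, EncKey: []byte("0123456789abcdef")} // constructed key
	if withAuth {
		tx.AuthKey = []byte("constructed-auth-key")
	}
	payload := []byte("GET / HTTP/1.0\r\n\r\n") // constructed sample TCP payload
	pkt, _ := tx.Encapsulate(payload, ipProtoTCP)
	pkt[8+aes.BlockSize] ^= 0x01 // attacker flips a bit in the first ciphertext block
	rx := &EspSA{SPI: tx.SPI, EncKey: tx.EncKey, AuthKey: tx.AuthKey}
	got, _, err := rx.Decapsulate(pkt)
	return err == nil, err == nil && string(got) == string(payload)
}
```

FlipBitAccepted(false) returns accepted=true, intact=false: without an ICV the receiver decrypts the tampered packet without complaint and delivers garbage (the whole first block, plus one flipped byte in the second) to TCP. FlipBitAccepted(true) returns accepted=false: the HMAC-SHA1-96 check fails and the packet is dropped before decryption. HP-UX IPSec performs this processing in the kernel; the program only models the on-the-wire format.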
IPv6: In IPv6 ESP transport mode, IPSec inserts the ESP header after
the following headers and extension headers:
• the basic IPv6 header
• hop-by-hop options
• any destination options needed to interpret the ESP header
• routing extensions
• fragment extensions
The items listed below follow the ESP header and are encrypted:
• any destination options needed only for the “final” destination and
not needed to interpret the ESP header