HP-UX IPSec version A.02.01 Administrator's Guide

IPsec Protocol Suite
The major components of the IPsec protocol suite can be divided into the following categories:

• Encapsulating Security Payload (ESP) header, for data confidentiality, data integrity, and data authentication. The ESP header also includes a sequence number that provides a form of replay protection.

• Authentication Header (AH), for data integrity and authentication. The AH header also includes a sequence number that provides a form of replay protection.

• Internet Key Exchange (IKE) protocol, for generating and distributing cryptography keys for ESP and AH. IKE also authenticates the identity of the remote system, so AH and authenticated ESP with IKE keys provide data origin authentication.

• Manual Keys, an alternative to IKE. Instead of dynamically generating and distributing cryptography keys for ESP and AH, the cryptography keys are static and manually distributed. Manual keys are typically used only when the remote system does not support IKE, such as a Mobile IPv6 client.
Encapsulating Security Payload (ESP)
The IPsec Encapsulating Security Payload (ESP) uses shared key
encryption to provide data privacy and shared key hash functions to
provide data authentication and data integrity.
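As an added illustration of the two ESP properties described above, the sequence number replay protection and the shared key hash for authentication and integrity, the following Python sketch (not code from the HP-UX guide) shows an ESP-style receiver that checks each packet's sequence number against a sliding window in the style of RFC 4303 and verifies a shared key HMAC over the sequence number and payload. The 32-packet window, the key, and the 12 byte truncated ICV are assumptions made for the example.

```python
import hmac
import hashlib
import struct

WINDOW = 32  # assumed anti-replay window size (RFC 4303 requires at least 32)


def make_packet(key: bytes, seq: int, payload: bytes):
    """Constructed sender side: ICV is a shared-key HMAC over seq || payload."""
    icv = hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()[:12]
    return seq, payload, icv


class EspReceiver:
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => packet (highest - i) already received

    def replay_check(self, seq: int) -> bool:
        """Cheap check done before the ICV: is seq new and inside the window?"""
        if seq == 0:
            return False                 # ESP never uses sequence number 0
        if seq > self.highest:
            return True                  # advances the window
        diff = self.highest - seq
        if diff >= self.window:
            return False                 # too old: fell off the left edge
        return not (self.bitmap >> diff) & 1   # reject duplicates

    def authenticate(self, seq: int, payload: bytes, icv: bytes) -> bool:
        expected = hmac.new(self.key, struct.pack("!I", seq) + payload,
                            hashlib.sha256).digest()[:12]
        return hmac.compare_digest(expected, icv)

    def update_window(self, seq: int) -> None:
        """Only called after the ICV verified, so forged packets cannot move it."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int, payload: bytes, icv: bytes) -> bool:
        if not self.replay_check(seq):
            return False
        if not self.authenticate(seq, payload, icv):
            return False
        self.update_window(seq)
        return True
```

Replayed, stale, or tampered packets are dropped before any decryption, which is the order of checks ESP receivers use to keep the cost of rejecting bad traffic low.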
Shared Key Encryption
In shared key encryption, two parties know the same cryptographic
key. The sender (System A in Figure 1-1) encrypts the data with the key
to create encrypted data. The recipient (System B in Figure 1-1) decrypts
the encrypted data with the same key. Since only a holder of the