HP-UX IPSec version A.02.01 Administrator's Guide
HP-UX IPSec Overview
IPsec Protocol Suite
WARNING: DES-CBC has been cracked (data encoded by DES has been
decoded by a third party). HP recommends that you use DES
only when you are required to do so for compatibility reasons or
because of legal restrictions.
Non-Authenticated ESP
ESP encryption takes the data carried by IP, such as a TCP packet, and
encrypts it using a cryptographic key. The receiving IPsec ESP entity
uses the same key to decrypt the cipher text and extract the original
data.
Authentication Header (AH)
The IPsec Authentication Header (AH) provides integrity and
authentication but no privacy—the IP data is not encrypted. The AH
contains an authentication value based on a symmetric-key hash
function. Because AH does not encrypt data, it is not commonly used.
However, AH provides one feature that ESP does not: AH authenticates
non-mutable fields in the IP header (fields that do not change in transit,
including source and destination addresses). For this reason, AH is
sometimes used with ESP, by nesting an ESP packet within an AH
packet.
HP-UX IPSec supports the following authentication algorithms for AH:
• HMAC-SHA1
• HMAC-MD5
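The following added example (not code from the HP guide or from HP-UX IPSec) illustrates how an AH authentication value can cover the non-mutable IP header fields. It assumes the RFC 4302 convention of zeroing mutable IPv4 fields before hashing and HMAC-SHA1 truncated to 96 bits; the key, SPI, addresses, and payload are constructed sample values.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"   # constructed sample key, not from the guide
SPI, SEQ = 0x1000, 1            # constructed SA identifier and sequence number

def ipv4_header(src, dst, ttl, data_len):
    """20-byte IPv4 header without options; protocol 51 is AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, 0x1234, 0,
                       ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(header):
    """Zero the IPv4 fields RFC 4302 treats as mutable."""
    h = bytearray(header)
    h[1] = 0                    # DSCP/ECN (former TOS)
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)

def ah_icv(ip_header, payload):
    """HMAC-SHA1-96 over zeroed IP header, AH header with empty ICV, payload."""
    # AH: next header 6 (TCP), length 4 (6 words - 2), reserved, SPI, sequence
    ah = struct.pack("!BBHII", 6, 4, 0, SPI, SEQ) + b"\x00" * 12
    data = zero_mutable(ip_header) + ah + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def verify(ip_header, payload, icv):
    """Constant-time comparison of the recomputed and received values."""
    return hmac.compare_digest(ah_icv(ip_header, payload), icv)

def demo():
    payload = b"constructed TCP segment"
    n = 24 + len(payload)       # AH header (24 bytes) plus payload
    sent = ipv4_header("192.0.2.10", "198.51.100.20", 64, n)
    icv = ah_icv(sent, payload)
    routed = ipv4_header("192.0.2.10", "198.51.100.20", 61, n)    # TTL decremented
    spoofed = ipv4_header("192.0.2.99", "198.51.100.20", 64, n)   # source rewritten
    return {"routed": verify(routed, payload, icv),
            "spoofed_source": verify(spoofed, payload, icv),
            "tampered_data": verify(sent, payload + b"!", icv)}

if __name__ == "__main__":
    print(demo())
```

A packet whose TTL was decremented in transit still verifies, while a rewritten source address or altered data does not.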
Transport and Tunnel Modes
AH can be used in transport mode or tunnel mode.
Transport Mode
In transport mode, IPsec inserts the AH header with
the authentication value after the IP header. The IP data and header are
used to calculate the AH authentication value. Mutable fields in the IP
header (fields that might change in transit), such as “hop count,” and “time to