HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec Overview
IPsec Protocol Suite
Chapter 1, page 46
The entire IP packet, including the IP header, is used to calculate the
authentication value (the AH Integrity Check Value, or ICV). Mutable and
unpredictable fields and options, such as the hop limit and the timestamp
and traceroute options, are set to zero before the authentication value is
calculated, because they may legitimately change in transit; the ICV field
itself is also treated as zero during the calculation. Immutable fields,
including the source and destination addresses, are covered, so changing
them causes the AH check to fail.
Figure 1-10 IPv6 AH Transport Mode
IPv6 AH Tunnel Mode
In IPv6 AH tunnel mode, the packet layout is the same as in IPv4 AH
tunnel mode, except that the original (inner) and new (outer) IP headers
may include IPv6 extension headers.
Figure 1-11 IPv6 AH Tunnel Mode
Nested ESP in AH
An ESP packet can be nested within an AH packet. For example, an ESP
packet using AES and SHA1 can be nested within an AH MD5 packet.
IPsec uses one key to encrypt the payload with AES, and a second key to
generate the ESP SHA1 (HMAC-SHA1) authentication value. The ESP SHA1
authentication value covers the ESP header (SPI and sequence number), the
encrypted payload, and the ESP trailer; it does not cover the IP header.
IPsec then nests the ESP packet within an AH packet, using a third key to
generate the AH MD5 (HMAC-MD5) authentication value. The AH MD5
authentication value authenticates the IP packet header and the entire
payload, including the whole ESP packet, except for the mutable fields of
the IP header. Note that HMAC-MD5 is retained for interoperability only;
current IPsec guidance (RFC 8221) deprecates it in favor of SHA-based
HMACs, so prefer HMAC-SHA1 or, where supported, an SHA-2 variant for AH.
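As an added illustration, not part of the HP-UX guide or its software, the following Go program builds the nested IPv6 | AH | ESP transport-mode packet described above and checks it the way a receiver would: AES-CBC with one key, HMAC-SHA1-96 over the ESP header and ciphertext with a second key, and HMAC-MD5-96 for AH with a third, zeroing the traffic class, flow label and hop limit (the mutable IPv6 base-header fields) before the AH value is computed. The keys, IV, SPIs, addresses and payload are constructed for the example; the IV is fixed only so the output is repeatable, which a real CBC implementation must never do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"hash"
)

const protoTCP, protoESP, protoAH, icvLen = 6, 50, 51, 12 // HMAC-*-96 ICVs are 12 bytes

// Three independent keys, as the text describes; constructed for this example, not real SA material.
var (
	espEncKey   = []byte("0123456789abcdef")     // AES-128
	espAuthKey  = []byte("esp-sha1-auth-key-20") // ESP HMAC-SHA1
	ahAuthKey   = []byte("ah-md5-auth-key!")     // AH HMAC-MD5
	demoIV      = []byte("demo-iv-16-bytes")     // fixed IV, only so that the output is repeatable
	aesBlock, _ = aes.NewCipher(espEncKey)
)

// mac96 is an HMAC over the concatenation of parts, truncated to 96 bits.
func mac96(h func() hash.Hash, key []byte, parts ...[]byte) []byte {
	m := hmac.New(h, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)[:icvLen]
}

// zeroMutableIPv6 copies the base header with traffic class, flow label and hop limit zeroed (RFC 4302, App. A).
func zeroMutableIPv6(hdr []byte) []byte {
	z := append([]byte(nil), hdr[:40]...)
	z[0], z[1], z[2], z[3], z[7] = z[0]&0xF0, 0, 0, 0, 0 // keep only the version nibble
	return z
}

// buildESP: AES-CBC over payload+trailer, then HMAC-SHA1-96 over SPI, sequence, IV and ciphertext (never the IP header).
func buildESP(spi, seq uint32, nextHdr byte, payload []byte) []byte {
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	plain := append([]byte(nil), payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // default monotonic padding
	}
	plain = append(plain, byte(padLen), nextHdr) // ESP trailer
	esp := make([]byte, 8+aes.BlockSize+len(plain))
	binary.BigEndian.PutUint64(esp, uint64(spi)<<32|uint64(seq))
	copy(esp[8:], demoIV)
	cipher.NewCBCEncrypter(aesBlock, demoIV).CryptBlocks(esp[8+aes.BlockSize:], plain)
	return append(esp, mac96(sha1.New, espAuthKey, esp)...)
}

// openESP verifies the ESP ICV, decrypts, and strips the trailer.
func openESP(esp []byte) (payload []byte, nextHdr byte, err error) {
	n, ctStart := len(esp)-icvLen, 8+aes.BlockSize
	if n < ctStart+aes.BlockSize || (n-ctStart)%aes.BlockSize != 0 || !hmac.Equal(mac96(sha1.New, espAuthKey, esp[:n]), esp[n:]) {
		return nil, 0, fmt.Errorf("ESP: bad length or ICV mismatch")
	}
	plain := make([]byte, n-ctStart)
	cipher.NewCBCDecrypter(aesBlock, esp[8:ctStart]).CryptBlocks(plain, esp[ctStart:n])
	if padLen := int(plain[len(plain)-2]); padLen+2 <= len(plain) {
		return plain[:len(plain)-2-padLen], plain[len(plain)-1], nil
	}
	return nil, 0, fmt.Errorf("ESP: bad pad length")
}

// ahICV is HMAC-MD5-96 over the zeroed IP header, the AH header with its ICV zeroed, and everything after AH.
func ahICV(ipHdr, ah, inner []byte) []byte {
	return mac96(md5.New, ahAuthKey, zeroMutableIPv6(ipHdr), ah[:12], make([]byte, icvLen), inner)
}

// verifyAH checks the AH ICV of an IPv6 | AH (24 bytes) | ... packet.
func verifyAH(pkt []byte) bool {
	return len(pkt) >= 64 && pkt[6] == protoAH && pkt[41] == 24/4-2 && hmac.Equal(ahICV(pkt[:40], pkt[40:64], pkt[64:]), pkt[52:64])
}

// buildNestedPacket produces IPv6 | AH | ESP | {TCP payload} in transport mode: ESP first, then AH over everything.
func buildNestedPacket(payload []byte, hopLimit byte) []byte {
	esp := buildESP(0x1001, 1, protoTCP, payload)
	pkt := make([]byte, 64, 64+len(esp))
	binary.BigEndian.PutUint32(pkt, 6<<28|0x28<<20|0x12345) // version 6, traffic class 0x28, flow label 0x12345
	binary.BigEndian.PutUint16(pkt[4:], uint16(24+len(esp)))
	pkt[6], pkt[7], pkt[8], pkt[23], pkt[24], pkt[39] = protoAH, hopLimit, 0xfd, 1, 0xfd, 2 // next=AH; fd00::1 -> fd00::2
	pkt[40], pkt[41] = protoESP, 24/4-2 // AH next header; AH length in 32-bit words minus 2
	binary.BigEndian.PutUint64(pkt[44:], 0x2002<<32|1) // AH SPI 0x2002, sequence number 1
	copy(pkt[52:], ahICV(pkt[:40], pkt[40:64], esp))
	return append(pkt, esp...)
}

func main() {
	pkt := buildNestedPacket([]byte("GET / HTTP/1.0\r\n\r\n"), 64)
	pkt[7]-- // a router decremented the hop limit: mutable, so AH still verifies
	fmt.Println("AH ok after hop-limit change:", verifyAH(pkt))
	pkt[len(pkt)-1] ^= 1 // flip a bit in the ESP ICV: covered by AH, so AH now fails
	fmt.Println("AH ok after tampering:", verifyAH(pkt))
}
```

Running it prints true and then false. A receiver processes the layers in the order the sender nested them in reverse: verifyAH on the whole packet first, then openESP on the bytes after the 24-byte AH. Changing a source-address byte makes verifyAH fail while openESP still succeeds, which is exactly the difference in coverage between the two authentication values described above.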