HP-UX IPSec Version A.03.00 Administrator's Guide

Figure 1-8 AH in Transport Mode [figure: IP Header | AH Header | Payload, with the entire packet marked "authenticated"]
Tunnel Mode
In tunnel mode, IPsec encloses, or encapsulates, the original IP datagram, including the original
IP header, within a second IP datagram. All of the original IP datagram, including all fields of
the original header, is authenticated. Figure 1-9 shows AH in tunnel mode.
Figure 1-9 AH in Tunnel Mode [figure: New IP Header | AH Header | IP Header | Payload, with the entire packet marked "authenticated"]
IPv6 AH Transport Mode
In IPv6 AH transport mode, IPsec inserts the AH after the following headers and extensions:
the basic IPv6 header
hop-by-hop options
any destination options needed to interpret the AH header
routing extensions
fragment extensions
The items listed below follow the AH:
any destination options needed only for the "final" destination and not needed to interpret the AH header
the IP data or payload (e.g., TCP or UDP packet)
The entire packet is used to calculate the authentication value. Mutable and unpredictable fields
and options, such as timestamp and traceroute options, are assigned a zero value before calculating
the authentication value.
Figure 1-10 IPv6 AH Transport Mode [figure: IP Header | Extension Headers (a) | AH Header | Destination Options (b) | Payload, with the entire packet marked "authenticated"]
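The transport and tunnel mode layouts above, together with the rule that the authentication value is computed over the entire packet with mutable fields zeroed, as an added Python example that is not part of HP's guide or the HP-UX IPSec product. It builds IPv4 (not IPv6) AH datagrams with HMAC-SHA1-96 and shows that an in-transit TTL change leaves the ICV valid, while a change to the payload, the source address or (in tunnel mode) the original inner header invalidates it. The IPv4 mutable-field set, the AH Payload Len encoding and the 96-bit truncation follow RFC 4302 and RFC 2404; the addresses, key and payload are constructed, and the helper names are mine.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51       # IP protocol number of the Authentication Header
IPIP_PROTO = 4      # AH next header for an encapsulated IPv4 datagram (tunnel mode)
ICV_LEN = 12        # HMAC-SHA1-96: HMAC-SHA-1 output truncated to 96 bits (RFC 2404)
AH_FIXED_LEN = 12   # next header, payload len, reserved, SPI, sequence number


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, tos: int = 0, ident: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """Zero the IPv4 fields AH treats as mutable (RFC 4302): ToS, flags and
    fragment offset, TTL, header checksum. Everything else is covered as sent."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_fixed(next_header: int, spi: int, seq: int) -> bytes:
    """The 12 bytes of AH before the ICV. Payload Len is the AH length in 32-bit words minus 2."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def compute_icv(key: bytes, outer_ip: bytes, ah_head: bytes, after_ah: bytes) -> bytes:
    """ICV over the whole datagram: outer IP header with mutable fields zeroed,
    AH with its own ICV field zeroed, then everything that follows AH."""
    covered = zero_mutable_ipv4(outer_ip) + ah_head + bytes(ICV_LEN) + after_ah
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport(key: bytes, src: str, dst: str, proto: int, payload: bytes, spi: int, seq: int) -> bytes:
    """Transport mode: [IP header | AH | payload]; AH carries the original protocol as next header."""
    outer = ipv4_header(src, dst, AH_PROTO, AH_FIXED_LEN + ICV_LEN + len(payload))
    head = ah_fixed(proto, spi, seq)
    return outer + head + compute_icv(key, outer, head, payload) + payload


def ah_tunnel(key: bytes, gw_src: str, gw_dst: str, inner_datagram: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: [new IP header | AH | original datagram]; the original header is payload to AH
    and therefore fully authenticated, TTL included."""
    outer = ipv4_header(gw_src, gw_dst, AH_PROTO, AH_FIXED_LEN + ICV_LEN + len(inner_datagram))
    head = ah_fixed(IPIP_PROTO, spi, seq)
    return outer + head + compute_icv(key, outer, head, inner_datagram) + inner_datagram


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV over the packet as received and compare in constant time."""
    outer, rest = packet[:20], packet[20:]
    head = rest[:AH_FIXED_LEN]
    icv = rest[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    after_ah = rest[AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, outer, head, after_ah))


def forward_hop(packet: bytes) -> bytes:
    """What a router does in transit: decrement the outer TTL and rewrite the header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def flip_byte(packet: bytes, offset: int) -> bytes:
    """Invert one byte, modelling an on-path modification of the datagram."""
    p = bytearray(packet)
    p[offset] ^= 0xFF
    return bytes(p)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed; a real SA key comes from IKE or manual keying
    payload = b"\x00\x50\x1f\x90" + b"x" * 16  # constructed stand-in for a TCP segment
    pkt = ah_transport(key, "192.0.2.10", "192.0.2.20", 6, payload, 0x1000, 1)
    print("transport, as sent:     ", verify_ah(key, pkt))
    print("transport, after a hop: ", verify_ah(key, forward_hop(pkt)))
    print("transport, payload hit: ", verify_ah(key, flip_byte(pkt, len(pkt) - 1)))
```

The same `verify_ah` serves both modes because the receiver only needs the outer header, the AH and whatever follows it; in tunnel mode "whatever follows" is the original datagram, so a change to the inner TTL, which a transport-mode receiver would have to ignore, is detected.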
IPv6 AH Tunnel Mode
In IPv6 AH tunnel mode, the packet layout is the same as IPv4 AH tunnel mode, except that the
original and new (outer) IP headers may include header extensions.
Figure 1-11 IPv6 AH Tunnel Mode [figure: New IP Header | New Extension Headers | AH Header | IP Header | Extension Headers | Payload, with the entire packet marked "authenticated"]
IPsec Protocol Suite 37