Chapter 18 Internet Protocol Security IPsec 375

to keep the Sequence Number from repeating for an SA. When the new IPsec SA is established, the Sequence Number for the new SA starts at 0. If the Sequence Number for an incoming packet is too far out of sequence, or if it matches a recently received sequence number, the packet is discarded.

Authentication Data
A variable-length field that contains the ICV calculation of the sender. In Windows Server 2008 and Windows Vista, this is the hash-based message authentication code (HMAC) Message Digest 5 (MD5) or HMAC Secure Hash Algorithm 1 (SHA1) keyed hash value. The Authentication Data field provides the data origin authentication and data integrity security services. The size of the Authentication Data field for both HMAC MD5 and HMAC SHA1 is 12 bytes (96 bits). For an arbitrary ICV algorithm, the Authentication Data field size must be an integral number of 32-bit (4-byte) blocks and is extended with padding if needed.

More Info
All of the RFCs referenced in this chapter can be found in the Standards Chap18_IPsec folder on the companion CD-ROM.

IPsec has two modes of protection:

Transport mode
Typically used for IPsec peers doing end-to-end security. Transport mode provides protection for IP packet payloads by adding an extra header or trailer between the original IP header and its payload. Transport mode is typically used within an organization.

Tunnel mode
Typically used by network routers to protect IP datagrams when forwarding traffic over an insecure transit network. Tunnel mode provides protection for entire IP datagrams by encapsulating the IP datagram with an IPsec header or trailer and an additional IP header. Tunnel mode is typically used outside an organization when connecting sites across a public network such as the Internet.

AH Transport Mode
Figure 18-2 shows AH Transport mode for an IP datagram. The AH is added to the IP datagram just after the IP header. In the IP header, the Protocol field is set to 51 (0x33) to
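As an added illustration of the Sequence Number and Authentication Data fields described above (example code written for this page, not from the book and not Windows' own IPsec implementation): the Python below builds an AH header whose Authentication Data is an HMAC-SHA1-96 or HMAC-MD5-96 value truncated to 12 bytes and padded to a 32-bit boundary, then verifies it on the receiving side with a per-SA sliding anti-replay window that discards packets that are too far out of sequence or that repeat a recently received sequence number. Assumptions: the ICV here covers only the AH header (with the Authentication Data zeroed) and the payload, not the immutable outer IP header fields that real AH also covers; the 64-packet window size (RFC 4302 style) and the key are constructed for the demo.

```python
import hashlib
import hmac
import struct

# AH header layout (RFC 4302): Next Header (1 byte), Payload Len (1), Reserved (2),
# SPI (4), Sequence Number (4), then the Authentication Data (ICV), 32-bit aligned.
AH_FIXED_LEN = 12
ICV_LEN = 12  # HMAC-MD5-96 and HMAC-SHA1-96 both truncate the MAC to 96 bits
ALGORITHMS = {"hmac-md5-96": hashlib.md5, "hmac-sha1-96": hashlib.sha1}


def icv_padded_len(icv_len=ICV_LEN):
    """Authentication Data must be an integral number of 32-bit blocks."""
    return icv_len + (-icv_len % 4)


def compute_icv(key, covered, alg="hmac-sha1-96"):
    """Full HMAC over the covered bytes, truncated to the leading 96 bits."""
    return hmac.new(key, covered, ALGORITHMS[alg]).digest()[:ICV_LEN]


def build_ah(key, spi, seq, next_header, payload, alg="hmac-sha1-96"):
    """Sender side: emit AH header + ICV + payload for one outbound packet."""
    padded = icv_padded_len()
    # Payload Len is the AH length in 32-bit words minus 2 (4 for a 96-bit ICV).
    payload_len = (AH_FIXED_LEN + padded) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    # Assumption for this demo: the ICV covers the AH header (Authentication Data
    # zeroed) and the payload only; real AH also covers immutable outer IP fields.
    covered = fixed + bytes(padded) + payload
    icv = compute_icv(key, covered, alg) + bytes(padded - ICV_LEN)
    return fixed + icv + payload


def parse_ah(packet):
    """Split a packet into (next_header, spi, seq, icv, payload)."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    return next_header, spi, seq, packet[AH_FIXED_LEN:ah_len], packet[ah_len:]


class ReplayWindow:
    """Per-SA sliding anti-replay window (RFC 4302 style; 64 packets assumed here).

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number highest - i has already been received.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = None
        self.bitmap = 0

    def check_and_update(self, seq):
        if self.highest is None:          # first packet on this SA
            self.highest, self.bitmap = seq, 1
            return "ok"
        if seq > self.highest:            # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "ok"
        diff = self.highest - seq
        if diff >= self.size:             # too far out of sequence: older than the window
            return "out-of-window"
        if self.bitmap & (1 << diff):     # matches a recently received sequence number
            return "replay"
        self.bitmap |= 1 << diff
        return "ok"


def verify_ah(key, packet, window, alg="hmac-sha1-96"):
    """Receiver side: check the ICV first, then the anti-replay window."""
    _next_header, _spi, seq, icv, payload = parse_ah(packet)
    covered = packet[:AH_FIXED_LEN] + bytes(len(icv)) + payload
    expected = compute_icv(key, covered, alg) + bytes(len(icv) - ICV_LEN)
    if not hmac.compare_digest(expected, icv):
        return "bad-icv"                  # origin/integrity check failed; window untouched
    return window.check_and_update(seq)


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed sample key, not a real SA key
    window = ReplayWindow()
    pkt = build_ah(key, 0x1234, 1, 6, b"constructed TCP payload")
    print(verify_ah(key, pkt, window))   # ok
    print(verify_ah(key, pkt, window))   # replay
```

Two design points worth noting: the ICV is checked before the window is updated, so a forged packet with a high sequence number cannot push the window forward and cause legitimate packets to be dropped; and because the Sequence Number sits inside the bytes the ICV covers, altering it invalidates the ICV rather than slipping past the replay check.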