Encryption

Reference: Cipher Introduction in simple way

Ciphers

| Ciphers by type of key | Description | Example |
|---|---|---|
| Block cipher | Break messages into fixed-length blocks, and encrypt each block using the same key | (3)DES, AES/Rijndael, IDEA |
| Stream cipher | Break message into fixed-length blocks, but use a sequence of keys to encrypt the blocks | Vigenère cipher, RC4, SEAL |

| Stream cipher | Description |
|---|---|
| Synchronous stream ciphers | Generate the key string from a source other than the message itself |
| Self-synchronous stream ciphers | Obtain a key from the message itself |

| Cipher by the type of input data | Description | Example |
|---|---|---|
| Symmetric key algorithms | The same key is used for encryption and decryption | DES, AES |
| Asymmetric key algorithms | Two different keys are used for encryption and decryption | RSA |

| Modes of operation | Descriptions | Examples |
|---|---|---|
| Electronic Codebook Mode (ECB Mode) | | |
| Cipher-Block Chaining Mode (CBC Mode) | | |
| Counter Mode (CTR Mode) | | |
| Output Feedback Mode (OFB Mode) | | |

Cryptographic hash functions
digital signatures
message authentication codes (MACs)

Default Hash vs HMAC

Default hash: without key

HMAC: with key

If you're using a simple hash of a file to guarantee file-integrity, then an attacker could modify the file, re-calculate the hash of the modified file, and replace the old hash with the modified one.

With an HMAC, a key is used when calculating the hash value, so unless the attacker has the key, they're unable to calculate a valid hash value of the modified data.
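
The difference can be seen on a small file. This is an added example, not part of the original page; the key and file contents are constructed for illustration.

```python
import hashlib
import hmac

def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: anyone who can read the data can recompute it."""
    return hashlib.sha256(data).hexdigest()

def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA-256: recomputing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_plain(data: bytes, stored_digest: str) -> bool:
    return hmac.compare_digest(plain_digest(data), stored_digest)

def verify_hmac(key: bytes, data: bytes, stored_tag: str) -> bool:
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(keyed_tag(key, data), stored_tag)

def tamper_demo() -> dict:
    key = b"constructed-demo-key"          # constructed; held by publisher and verifier only
    original = b"allow_root_login=no\n"    # constructed file content
    modified = b"allow_root_login=yes\n"   # the file after tampering

    stored_digest = plain_digest(original)
    stored_tag = keyed_tag(key, original)

    # Someone with write access to both the file and its stored checksum,
    # but without the key, can only recompute the unkeyed value.
    replaced_digest = plain_digest(modified)
    replaced_tag = keyed_tag(b"not-the-real-key", modified)

    return {
        "plain_detects_edit_if_digest_untouched": not verify_plain(modified, stored_digest),
        "plain_accepts_edit_with_replaced_digest": verify_plain(modified, replaced_digest),
        "hmac_accepts_original": verify_hmac(key, original, stored_tag),
        "hmac_rejects_edit_with_old_tag": not verify_hmac(key, modified, stored_tag),
        "hmac_rejects_edit_with_replaced_tag": not verify_hmac(key, modified, replaced_tag),
    }

if __name__ == "__main__":
    for name, value in tamper_demo().items():
        print(f"{name}: {value}")
```

Every entry prints `True`: the unkeyed digest only protects the file while the digest itself is out of the attacker's reach, whereas the HMAC tag cannot be regenerated without the key.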

IPSEC

IPsec uses two types of algorithms:

  1. authentication algorithms
  2. encryption algorithms

Authentication algorithms: use a shared key to verify the identity of the sending IPsec device. The IPsec protocol suite defines two authentication algorithms: MD5 and SHA-1. The Services Router uses HMAC variants of the MD5 and SHA-1 algorithms, which provide an additional level of hashing.

Encryption algorithms: use a shared key to verify the authenticity of the IPsec devices.

  1. DES, 3DES
  2. AES-CBC 128, 192, and 256
  3. AES-GCM 128, 192, and 256

Note: AES-GCM is both an integrity and encryption algorithm and is described in the Integrity algorithms section.

Authentication methods: Authentication methods define the way in which a computer or user can securely assert identity to a remote computer. The methods involve sharing credentials that can be cryptographically verified, proving that the sending computer or user is who it claims to be.

  1. Preshared key
  2. Kerberos V5
  3. Certificate
  4. NTLMv2
  5. Certificate with ECDSA P-256 and ECDSA P-384

Integrity algorithms: Data integrity algorithms help ensure that a network packet received from a remote computer was not modified in transit. The sending computer calculates a hash value from the data payload of the network packet. This hash is then cryptographically signed and attached to the network packet. The receiving computer performs the same calculation on the data payload of the packet and compares it to the hash that was attached by the sender. If the hashes match, then the data is the same as it was transmitted and the receiving computer accepts the packet. If the hash values do not match, then the packet was altered between the source and the destination and the receiving computer drops the packet. Data integrity algorithms do not encrypt the data; encryption protocols must be used for that purpose.

  1. MD5
  2. SHA-1, SHA-256, and SHA-384
  3. AES-GMAC 128, 192, and 256
  4. AES-GCM 128, 192, and 256

IPSEC features:

  1. Data confidentiality—The IPSec sender can encrypt packets before transmitting them across a network.
  2. Data integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  3. Data origin authentication—The IPSec receiver can authenticate the source of the IPSec packets sent. This service is dependent upon the data integrity service.
  4. Antireplay—The IPSec receiver can detect and reject replayed packets.

IPSEC anti-replay in Linux

static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb)
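
The integrity check and the anti-replay feature described above, combined in one receiver, as an added example that is not from the original page and is not the Linux kernel's code. It assumes a simplified packet of (sequence number, payload, ICV), HMAC-SHA-256 as the integrity algorithm, a 32-packet window and a constructed key.

```python
import hashlib
import hmac
import struct

WINDOW = 32            # assumed window size, in packets
SEQ_MAX = 0xFFFFFFFF   # 32-bit sequence number space

def icv(key, seq, payload):
    """Integrity check value: HMAC-SHA-256 over sequence number + payload."""
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()

class Sender:
    def __init__(self, key, oseq=0):
        self.key, self.oseq = key, oseq

    def send(self, payload):
        if self.oseq == SEQ_MAX:   # never wrap: old packets would become replayable
            raise OverflowError("sequence space exhausted, rekey required")
        self.oseq += 1
        return (self.oseq, payload, icv(self.key, self.oseq, payload))

class Receiver:
    def __init__(self, key):
        self.key, self.top, self.bitmap = key, 0, 0   # bit i set => top - i was seen

    def receive(self, packet):
        seq, payload, tag = packet
        offset = self.top - seq                # >= 0: at or behind the highest seen
        if seq == 0 or offset >= WINDOW:
            return "drop: too old"
        if offset >= 0 and self.bitmap & (1 << offset):
            return "drop: replay"
        if not hmac.compare_digest(tag, icv(self.key, seq, payload)):
            return "drop: bad ICV"             # forged packets never move the window
        if offset < 0:                         # new highest: slide the window forward
            self.bitmap = ((self.bitmap << -offset) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << offset
        return "accept"

def run_demo():
    key = b"constructed-demo-key"              # constructed shared key
    tx, rx = Sender(key), Receiver(key)
    p1, p2, p3 = (tx.send(b"pkt%d" % i) for i in (1, 2, 3))
    forged = (50, b"data", b"\x00" * 32)       # high sequence number, no valid ICV
    tampered = (p3[0], b"PKT3", p3[2])         # payload altered in transit
    arrivals = [p1, forged, tampered, p3, p2, p1, p3]
    return [rx.receive(p) for p in arrivals]
```

The window is updated only after the ICV verifies, so a forged packet with a large sequence number cannot push legitimate traffic out of the window.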

Common Terms

| Term | Meaning |
|---|---|
| DES | Data Encryption Standard |
| AES | Advanced Encryption Standard |
| plaintext | the original message |
| ciphertext | the coded message |
| cipher | algorithm for transforming plaintext to ciphertext |
| key | info used in cipher known only to sender/receiver |
| encipher (encrypt) | converting plaintext to ciphertext |
| decipher (decrypt) | recovering plaintext from ciphertext |
| cryptography | study of encryption principles/methods |
| cryptanalysis (codebreaking) | the study of principles/methods of deciphering ciphertext without knowing key |
| cryptology | the field of both cryptography and cryptanalysis |

  Authentication—The assurance to one entity that another entity is who he/she/it claims to be.
  Integrity—The assurance to an entity that data has not been altered (intentionally or unintentionally) between "there" and "here," or between "then" and "now."
  Confidentiality—The assurance to an entity that no one can read a particular piece of data except the receiver(s) explicitly intended.