Use Secure Pseudorandom Functions for IPsec Connections
Use secure methods for IPsec connections to ensure data integrity and security.
Plain language
This control is about making sure the way we secure our Internet data links is as strong as possible. If we don't use the best methods for securing these data links, which are recommended by experts, our sensitive information may be exposed to cyber threats or data breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptographySection
Internet Protocol SecurityTopic
Pseudorandom FunctionOfficial control statement
PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 is used for IPsec connections, preferably PRF_HMAC_SHA2_512.
Why it matters
Using weak or non-approved IPsec PRFs can allow key derivation attacks, reducing tunnel integrity/confidentiality and risking data exposure.
Operational notes
Verify IPsec proposals use PRF_HMAC_SHA2_256/384/512 (prefer 512); reject weaker PRFs and regularly audit configuration drift.
Implementation tips
- IT Managers should ensure that the organisation's network configuration uses the recommended secure methods for IPsec connections. This involves checking the configurations for IPsec to verify that PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384, or PRF_HMAC_SHA2_512 is being used, preferably opting for PRF_HMAC_SHA2_512.
- Network Administrators need to update the IPsec settings to the highest level of security available. They should access the network settings, locate the IPsec configuration section, and select PRF_HMAC_SHA2_512 as the pseudorandom function where applicable.
- IT Security Officers should review and update security policies regarding IPsec to align with the latest guidance. They need to look at the current policies, identify any outdated practices, and update them to reflect the use of improved pseudorandom functions such as PRF_HMAC_SHA2_512.
- System Owners should conduct regular training sessions to keep their IT staff informed about the importance of using secure pseudorandom functions for IPsec. Organise workshops or training days where the significance of these security measures and their impact on organisational security is clearly explained.
- Procurement Officers should include specifications that require the use of secure pseudorandom functions in any new contract for network equipment or services. They need to ensure that the contracts emphasize the necessity for IPsec configurations to support the preferred options like PRF_HMAC_SHA2_512.
Audit / evidence tips
-
Askthe network configuration documentation: Request detailed records of the current IPsec setup. Look to see if the documentation specifies the use of PRF_HMAC_SHA2_256, PRF_HMAC_SHA2_384, or preferably PRF_HMAC_SHA2_512
Goodis clear documentation showing the implemented pseudorandom function and its effective date
-
Askthe IT policy documents: Request the policy documents related to network security and IPsec implementation
Goodincludes a policy document that is up-to-date and specifically mandates these secure functions
-
Askevidence of staff training on IPsec security: Request records of recent training sessions related to IPsec and secure techniques
Goodwould be materials that explicitly cover pseudorandom functions and attendance lists showing staff participation
-
Askto see recent purchase agreements for network equipment: Request contract or purchase documents for network hardware or services
Goodwould include contracts specifying secure configuration requirements before purchase
-
Askthe system logs: Request access to logs that monitor the IPsec connections
Goodis logs clearly showing the application of these settings on current connections
Cross-framework mappings
How ISM-1772 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.24 | ISM-1772 mandates the use of approved, strong PRFs for IPsec connections (PRF_HMAC_SHA2_256/384/512) to ensure robust cryptographic opera... | |
| link Related (1) expand_less | ||
| Annex A 8.20 | Annex A 8.20 requires networks to be secured, including the protection of communications and inter-network connections | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.