The IP Authentication Header (AH) is used to provide connectionless
integrity and data origin authentication for IP datagrams, and to provide
protection against replays. AH, defined in RFC 2402, provides authentication
for as much of the IP header as possible, as well as for upper level protocol
data. However, some IP header fields may change in transit, and the sender
cannot predict what values those fields will have when the packet arrives at the
receiver, so such fields cannot be protected by AH. AH is defined as IP
protocol 51.
AH may be applied alone, in combination with the IP Encapsulating Security
Payload (ESP), or in a nested fashion through the use of tunnel mode. Security
services can be provided between a pair of communicating hosts, between a pair
of communicating security gateways, or between a security gateway and a host.
ESP may be used to provide the same security services, and it also provides a
confidentiality, or encryption, service. The primary difference between the
authentication services provided by ESP and AH is the extent of the coverage.
Specifically, ESP does not protect any IP header fields unless ESP encapsulates
those fields, as it does in tunnel mode.
AH provides packet authentication, integrity assurance, and replay
detection/protection via sequence numbers. It provides no confidentiality or
encryption.
The AH header structure is shown in Figure.
- A 32-bit Security Parameter Index (SPI) value identifies the Security
Association (SA) used for this packet.
- A 64-bit sequence number prevents packet replay.
- The authentication data is an HMAC value computed over the packet.
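As an added illustration (not code from the page or from RFC 2402 itself), the following Python builds and verifies a transport-mode IPv4 AH packet using the RFC 2402 wire layout (next header, payload length, reserved, SPI, a 32-bit sequence number field, ICV): the mutable IP header fields are zeroed before the HMAC-SHA1-96 ICV is computed, and the receiver applies a sliding anti-replay window. The key, addresses, next-header value and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51  # AH is IP protocol 51
ICV_LEN = 12   # HMAC-SHA1-96: the MAC is truncated to 96 bits

def zero_mutable_ipv4(ip_hdr):
    # TOS, flags/fragment offset, TTL and checksum may change in transit: zero them.
    h = bytearray(ip_hdr)
    h[1], h[8] = 0, 0
    h[6:8], h[10:12] = b"\x00\x00", b"\x00\x00"
    return bytes(h)

def ah_icv(key, ip_hdr, ah_fixed, payload):
    # ICV covers the immutable IP fields, AH with its ICV zeroed, and the payload.
    data = zero_mutable_ipv4(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, spi, seq, payload, ttl=64):
    # Transport-mode IPv4 packet; AH payload_len = AH length in 32-bit words minus 2.
    ah_fixed = struct.pack("!BBHII", 6, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)  # next hdr 6 = TCP
    total = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, ttl, AH_PROTO, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload

class AhReceiver:
    # Anti-replay sliding window: bit d of the bitmap marks seq (top - d) as seen.
    def __init__(self, key, window=64):
        self.key, self.window, self.top, self.bitmap = key, window, 0, 0

    def verify(self, packet):
        ip_hdr, ah = packet[:20], packet[20:]
        if ip_hdr[9] != AH_PROTO:
            return "not-ah"
        _, plen, _, spi, seq = struct.unpack("!BBHII", ah[:12])
        ah_len = (plen + 2) * 4
        icv, payload = ah[12:ah_len], ah[ah_len:]
        diff = self.top - seq
        if seq == 0 or (diff >= 0 and (diff >= self.window or (self.bitmap >> diff) & 1)):
            return "replay"
        if not hmac.compare_digest(ah_icv(self.key, ip_hdr, ah[:12], payload), icv):
            return "bad-icv"  # the window only advances for packets that authenticate
        if diff < 0:  # newer than anything seen: slide the window forward
            self.bitmap = 1 if -diff >= self.window else ((self.bitmap << -diff) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << diff
        return "ok"
```

A packet whose TTL was decremented in transit still verifies, while a modified payload, a wrong key, or a reused sequence number is rejected.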
There are still reasons to use AH even though ESP appears to provide all the
same security services. First, AH requires less overhead than ESP. Second, AH is
never export-restricted. Finally, AH is mandatory for IPv6 compliance.