IPSec - Authentication Header (AH)

AH stands for Authentication Header, and it is a component of the IPsec protocol suite used to provide security for IPv4 and IPv6 communications. Unlike ESP (Encapsulating Security Payload), which provides confidentiality, integrity, and authentication, AH focuses primarily on providing integrity and authentication for IP packets. Here are the key aspects of AH in the context of IPsec:

  1. Authentication and Integrity: AH provides authentication of the source of the IP packets and ensures integrity of the data in transit. It achieves this by adding an authentication header to each packet that carries a keyed cryptographic hash of the packet contents. Because the hash is calculated using a shared secret key, any alteration of the packet data in transit can be detected by the receiver.
  2. Protection Against Replay Attacks: AH includes a sequence number in the header of each packet, which helps protect against replay attacks. A replay attack involves an attacker capturing a valid data packet and retransmitting it to create unauthorized effects. The sequence number ensures that packets are processed in order and any duplicates can be detected.
  3. No Confidentiality: Unlike ESP, AH does not provide encryption of the payload data. This means that while AH ensures that the data has not been tampered with and is from a legitimate source, it does not prevent someone from seeing the contents of the packet if they intercept it.
  4. Modes of Operation: AH can be used in two modes:
    • Transport Mode: In transport mode, AH authenticates the entire packet except for the IP header fields that may legitimately change in transit, such as the Time-to-Live (TTL) field.
    • Tunnel Mode: In tunnel mode, a new IP header is created, and AH authenticates the entire inner IP packet (including the original IP header) along with the new outer IP header.
  5. Compatibility Issues: One issue with AH is that it can have compatibility problems with Network Address Translation (NAT), because NAT rewrites the IP header (the addresses), which AH covers with its integrity check, so the receiver's verification fails and the packet is treated as tampered with.
  6. Usage Context: AH is often used in situations where integrity and authentication are required but confidentiality is either not necessary or is provided by other means. In many practical IPsec implementations, ESP (with its optional authentication capabilities) is more commonly used than AH.

AH in the IPsec protocol suite provides authentication and integrity verification for IP packets but does not offer confidentiality. Its use is context-dependent, based on the security requirements of the network communication.
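The following is an added example, not code from the original page, that illustrates points 1, 4 and 5 above: it computes and verifies a transport-mode AH integrity check over an IPv4 packet, zeroing the mutable header fields first. It assumes IPv4 without options, HMAC-SHA1-96 as the integrity algorithm, and a constructed key, addresses and payload; it then shows that a router hop (TTL change) still verifies while a NAT address rewrite or a payload change does not.

```python
import hmac, hashlib, socket, struct

AH_PROTO = 51     # IP protocol number for AH
ICV_LEN = 12      # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits
AH_LEN = 12 + ICV_LEN

def zero_mutable_ipv4(hdr):
    """Copy of a 20-byte IPv4 header with the fields a router may change zeroed
    (DSCP/ECN, flags+fragment offset, TTL, checksum); addresses etc. stay covered."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def compute_icv(key, ip_hdr, ah_hdr, payload):
    # The AH header is included with its own ICV field set to zero.
    covered = zero_mutable_ipv4(ip_hdr) + ah_hdr[:12] + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, ip_hdr, next_header, spi, seq, payload):
    """Outbound transport mode: IP header (protocol -> 51) | AH | original payload."""
    hdr = bytearray(ip_hdr)
    hdr[9] = AH_PROTO
    hdr[2:4] = struct.pack("!H", 20 + AH_LEN + len(payload))
    hdr = bytes(hdr)
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302).
    ah = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return hdr + ah + compute_icv(key, hdr, ah, payload) + payload

def ah_verify(key, packet):
    ip_hdr, ah_hdr, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah_hdr, payload), ah_hdr[12:])

def ipv4_header(src, dst, ttl=64, proto=17):
    # Constructed sample header: version 4, IHL 5 (no options), id 0x1234, DF set, checksum 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def demo(key=b"constructed-sample-key"):
    """Returns (valid, after_router_hop, after_nat, after_payload_tamper)."""
    pkt = ah_protect(key, ipv4_header("10.0.0.2", "192.0.2.10"), 17, 0x100, 1, b"hello over UDP")
    hop = bytearray(pkt); hop[8] -= 1; hop[10:12] = b"\xab\xcd"          # TTL and checksum change
    nat = bytearray(pkt); nat[12:16] = socket.inet_aton("203.0.113.7")  # NAT rewrites source
    bad = bytearray(pkt); bad[-1] ^= 0x01                               # payload altered
    return tuple(ah_verify(key, bytes(p)) for p in (pkt, hop, nat, bad))
```

`demo()` returns `(True, True, False, False)`: the hop through a router is accepted, the NAT-translated and the tampered packets are rejected.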

See also: IPSec - ESP vs AH

https://networklessons.com/cisco/ccie-enterprise-infrastructure/ipsec-internet-protocol-security#Authentication_Header_Protocol