Chapter 6. The Authentication Header (AH)


The Authentication Header (AH) is an IPSec protocol used to provide data integrity, data origin authentication, and limited antireplay (the antireplay is optional) services to IP. AH does not provide any encryption services.

Since AH does not provide confidentiality, it does not require a cipher algorithm. It does, though, require an authenticator. AH defines the method of protection, the placement of the header, the authentication coverage, and the input and output processing rules, but it does not define the authentication algorithm to use. Like its sibling protocol, ESP, AH does not mandate antireplay protection. The use of the antireplay service is solely at the discretion of the recipient, and there is no way for a sender to know whether a receiver will check the sequence number. Consequently, the sender must always assume that antireplay services are being employed by the recipient.

AH can be used to protect an upper-layer protocol (transport mode) or an entire IP datagram (tunnel mode), just like ESP. In either case the AH header immediately follows an IP header. AH is defined over IP and an AH-protected IP packet is just another IP packet. Therefore, AH can be used alone or in conjunction with ESP. It can protect a tunneling protocol like L2TP or GRE or it can be used to tunnel packets. Like ESP, AH is a versatile security service for IP.

The data integrity that AH provides is subtly different from that provided by ESP: AH also authenticates the portions of the outer IP header that do not change in transit.
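As an added illustration (not from the book) of the authentication coverage described above: an IPv4 transport-mode AH packet whose ICV is computed with HMAC-SHA1-96 (RFC 2404, one common choice, since AH itself does not fix the algorithm) over the immutable IP header fields, the AH header with its ICV field zeroed, and the payload. The mutable IPv4 fields zeroed before computing the ICV are those listed in RFC 4302; the key, addresses, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(20))  # constructed sample SA key; real keys come from IKE
ICV_LEN = 12            # HMAC-SHA1-96: the 20-byte SHA-1 HMAC truncated to 96 bits
AH_PROTO = 51           # IP protocol number for AH

def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x1234):
    """Minimal 20-byte IPv4 header with no options (checksum left at 0 here)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident, 0,
                       ttl, proto, 0, src, dst)

def _zero_mutable(ip_hdr):
    """Zero the IPv4 fields AH treats as mutable (RFC 4302); options not handled."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL, decremented by every router
    h[10:12] = b"\x00\x00"  # header checksum, recomputed at every hop
    return bytes(h)

def ah_icv(ip_hdr, ah_fixed, payload, key=KEY):
    """ICV over immutable IP fields, AH header (ICV field as zeros) and payload."""
    covered = _zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src, dst, next_hdr, payload, spi, seq, ttl=64):
    """Transport mode: IP header, then AH, then the upper-layer payload."""
    ah_len = 12 + ICV_LEN                 # fixed AH fields + ICV = 24 bytes
    payload_len = ah_len // 4 - 2         # AH Payload Len: 32-bit words minus 2
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload), ttl)
    ah_fixed = struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(pkt, key=KEY):
    """Receiver side: recompute the ICV and compare in constant time."""
    ihl = (pkt[0] & 0x0F) * 4
    ah_len = (pkt[ihl + 1] + 2) * 4
    ip_hdr, ah_fixed = pkt[:ihl], pkt[ihl:ihl + 12]
    icv, payload = pkt[ihl + 12:ihl + ah_len], pkt[ihl + ah_len:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload, key))

def demo():
    """Returns (original, TTL decremented by a router, source address tampered)."""
    pkt = build_ah_packet(b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02", 17,
                          b"hello", spi=0x1000, seq=1)
    hopped = bytearray(pkt); hopped[8] -= 1     # mutable field: still verifies
    forged = bytearray(pkt); forged[12] ^= 1    # immutable field: ICV fails
    return (verify_ah_packet(pkt), verify_ah_packet(bytes(hopped)),
            verify_ah_packet(bytes(forged)))
```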

IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks
IPSec (2nd Edition)
ISBN: 013046189X
Year: 2004
Pages: 76
