The AH Header


AH is another IP protocol and has been assigned the number fifty-one (51). The protocol field of an AH-protected IPv4 datagram is 51, indicating that an AH header follows the IP header. In IPv6, the value of the next header field depends on the presence of extension headers. In the absence of extension headers, the next header field in the IPv6 header is 51. When extension headers precede the AH header, the next header field of the extension header immediately preceding the AH header is set to 51. The rules for inserting the AH header in IPv6 are similar to those described for ESP. When AH and ESP are protecting the same data, the AH header is always inserted after the ESP header. The AH header is much simpler than the ESP header because it does not provide confidentiality: there is no trailer, since there is no need for padding or a pad length indicator, and there is no initialization vector. The AH header is shown in Figure 6.1.

Figure 6.1. The AH header.


The next header field indicates what follows the AH header. In transport mode it will be the value of the upper-layer protocol being protected, for instance UDP or TCP. In tunnel mode, the value is 4 indicating IP-in-IP (IPv4) encapsulation or 41 for IPv6 encapsulation.

The payload length field gives the length of the AH header in 32-bit words, minus two. AH is an IPv6 extension header, and according to RFC 2460 the length of an extension header is expressed by subtracting one 64-bit word from the length of the header in 64-bit words. AH, however, is measured in 32-bit words, so two 32-bit words (one 64-bit word) are subtracted. The reserved field is not used and must be set to zero.

The SPI field contains the SPI that, along with the destination address of the outer IP header, is used to identify the security association used to authenticate this packet.

The sequence number is a monotonically increasing counter that is identical to that used in ESP. Chapter 3 describes the antireplay function that the sequence number provides.

The authentication data field is a variable-length field that contains the output of the integrity checking function. AH does not define an authenticator itself, but there are two mandatory-to-implement authenticators: HMAC-SHA-96 and HMAC-MD5-96. As with ESP, these are keyed MAC functions whose output is truncated to 96 bits. No public key authentication algorithms (such as RSA or DSS) have been defined for use with AH. This is a matter of cost: public key algorithms are too slow for bulk data authentication. In certain situations, such as network bootstrapping or the sending of SNMP traps, there is no bulk data to protect and this limitation may not apply. For just this reason, work is being done to define the use of DSS with AH.
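The field layout, the payload length arithmetic, and the 96-bit truncated HMAC described above can be exercised with a small parser and verifier. The following is an added example, not code from the book: it builds an AH header over a constructed payload with HMAC-SHA1-96, parses it back, checks the reserved field and the derived header length, verifies the ICV with a constant-time comparison, and includes a simple sliding replay window of the kind the sequence number enables. As a labelled simplification, the MAC here covers only the AH header (with the ICV zeroed) and the payload; a real implementation also covers the immutable fields of the outer IP header.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

AH_PROTOCOL_NUMBER = 51   # IP protocol / next-header value announcing an AH header
ICV_LEN = 12              # HMAC-SHA-96 and HMAC-MD5-96 both truncate to 96 bits
FIXED_LEN = 12            # next header, payload length, reserved, SPI, sequence number
TUNNEL_NEXT_HEADERS = {4: "IPv4-in-IP", 41: "IPv6-in-IP"}


@dataclass
class AHHeader:
    next_header: int
    payload_len: int   # raw field: header length in 32-bit words, minus two
    spi: int
    seq: int
    icv: bytes
    total_len: int     # header length in bytes, derived from payload_len


def mode_of(next_header: int) -> str:
    """Tunnel mode is signalled by an encapsulated-IP next header (4 or 41)."""
    return "tunnel" if next_header in TUNNEL_NEXT_HEADERS else "transport"


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    # Keyed MAC truncated to the leftmost 96 bits, as AH's mandatory authenticators do
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def parse_ah(buf: bytes) -> AHHeader:
    if len(buf) < FIXED_LEN:
        raise ValueError("AH header needs at least 12 bytes of fixed fields")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", buf[:FIXED_LEN])
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    total_len = (payload_len + 2) * 4          # undo the "32-bit words minus two" encoding
    if len(buf) < total_len:
        raise ValueError("AH header truncated")
    return AHHeader(next_header, payload_len, spi, seq, buf[FIXED_LEN:total_len], total_len)


def build_ah_packet(next_header: int, spi: int, seq: int, key: bytes, payload: bytes) -> bytes:
    """Return AH header followed by payload (assumption: outer IP header not included)."""
    payload_len = (FIXED_LEN + ICV_LEN) // 4 - 2   # 24 bytes -> 6 words -> field value 4
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    icv = hmac_sha1_96(key, fixed + bytes(ICV_LEN) + payload)   # ICV field zeroed for the MAC
    return fixed + icv + payload


def verify_ah(buf: bytes, key: bytes) -> bool:
    hdr = parse_ah(buf)
    payload = buf[hdr.total_len:]
    expected = hmac_sha1_96(key, buf[:FIXED_LEN] + bytes(len(hdr.icv)) + payload)
    return hmac.compare_digest(expected, hdr.icv)   # constant-time comparison


class ReplayWindow:
    """Sliding window over received sequence numbers; rejects duplicates and stale packets."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                     # sequence number zero is never valid
        if seq > self.top:                   # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                     # too old, or a replay
        self.bitmap |= 1 << diff
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key"             # constructed sample key
    pkt = build_ah_packet(17, 0x1000, 1, key, b"constructed UDP payload")
    hdr = parse_ah(pkt)
    print(hdr, mode_of(hdr.next_header), verify_ah(pkt, key))
```

Tampering with any byte of the payload or the fixed fields changes the expected MAC, so `verify_ah` returns False; a non-zero reserved field is rejected before any MAC work is done, and the replay window accepts each in-range sequence number once.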

IPSec(c) The New Security Standard for the Internet, Intranets, and Virtual Private Networks
IPSec (2nd Edition)
ISBN: 013046189X
Year: 2004
Pages: 76
