?
Solved

Confused about AH and ESP in IPsec

Posted on 2006-10-25
1
Medium Priority
?
305 Views
Last Modified: 2010-04-09
I'm a little confused.

1.) ESP does encryption to ensure confidentiality but it also does data origin authentication but doesn't authentication header (AH) in IPSEC already do authentication?

The only way this makes sense is that AH authentication ensures that the entire data packet including the header is basically from who it says it's from. And ESP Authentication is used to ensure that the payload in the data is exactly the data that was originally sent.

2.) When using ESP is the authenticaton part, optional (user option) or is it mandatory(default, non changable)?

0
Comment
Question by:iamuser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 20

Accepted Solution

by:
calvinetter earned 1400 total points
ID: 17808609
1)
>The only way this makes sense is that AH authentication ensures...
   I think you've pretty well got it.  AH authenticates as much of a packet as it can, including much of the IP header of the new packet created after applying AH to the original packet.  ESP authenticates "everything else" except the IP header of the new packet, ie just the "guts" of the new packet.

2)  Authentication is entirely optional with ESP.

For some basic but clear ASCII-art packet diagrams for each protocol, see the following:
  RFC for ESP:   http://www.ietf.org/rfc/rfc2406.txt?number=2406
                       Search for "BEFORE APPLYING ESP" (or go to pg 8) for the diagrams.
  RFC for AH:   http://www.ietf.org/rfc/rfc2402.txt?number=2402
                      Search for "BEFORE APPLYING AH" (or go to pg 5) for the diagrams.

Other more visual references:
  IPSec illustrated guide:  http://www.unixwiz.net/techtips/iguide-ipsec.html
  ESP:  http://docs.hp.com/en/J4256-90003/ch01s03.html
  AH:   http://docs.hp.com/en/J4256-90003/ch01s02.html

cheers
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question