• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 312
  • Last Modified:

Confused about AH and ESP in IPsec

I'm a little confused.

1.) ESP does encryption to ensure confidentiality but it also does data origin authentication but doesn't authentication header (AH) in IPSEC already do authentication?

The only way this makes sense is that AH authentication ensures that the entire data packet including the header is basically from who it says it's from. And ESP Authentication is used to ensure that the payload in the data is exactly the data that was originally sent.

2.) When using ESP is the authenticaton part, optional (user option) or is it mandatory(default, non changable)?

0
iamuser
Asked:
iamuser
1 Solution
 
calvinetterCommented:
1)
>The only way this makes sense is that AH authentication ensures...
   I think you've pretty well got it.  AH authenticates as much of a packet as it can, including much of the IP header of the new packet created after applying AH to the original packet.  ESP authenticates "everything else" except the IP header of the new packet, ie just the "guts" of the new packet.

2)  Authentication is entirely optional with ESP.

For some basic but clear ASCII-art packet diagrams for each protocol, see the following:
  RFC for ESP:   http://www.ietf.org/rfc/rfc2406.txt?number=2406
                       Search for "BEFORE APPLYING ESP" (or go to pg 8) for the diagrams.
  RFC for AH:   http://www.ietf.org/rfc/rfc2402.txt?number=2402
                      Search for "BEFORE APPLYING AH" (or go to pg 5) for the diagrams.

Other more visual references:
  IPSec illustrated guide:  http://www.unixwiz.net/techtips/iguide-ipsec.html
  ESP:  http://docs.hp.com/en/J4256-90003/ch01s03.html
  AH:   http://docs.hp.com/en/J4256-90003/ch01s02.html

cheers
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now