Confused about AH and ESP in IPsec

Posted on 2006-10-25
287 Views
Last Modified: 2010-04-09
I'm a little confused.

1.) ESP does encryption to ensure confidentiality but it also does data origin authentication but doesn't authentication header (AH) in IPSEC already do authentication?

The only way this makes sense is that AH authentication ensures that the entire data packet including the header is basically from who it says it's from. And ESP Authentication is used to ensure that the payload in the data is exactly the data that was originally sent.

2.) When using ESP, is the authentication part optional (user option) or is it mandatory (default, non-changeable)?

Question by:iamuser
Accepted Solution

by: calvinetter earned 350 total points
ID: 17808609
1)
>The only way this makes sense is that AH authentication ensures...
I think you've pretty well got it.  AH authenticates as much of a packet as it can, including much of the IP header of the new packet created after applying AH to the original packet.  ESP authenticates "everything else" except the IP header of the new packet, i.e. just the "guts" of the new packet.

2)  Authentication is entirely optional with ESP.

For some basic but clear ASCII-art packet diagrams for each protocol, see the following:
  RFC for ESP: http://www.ietf.org/rfc/rfc2406.txt?number=2406
    Search for "BEFORE APPLYING ESP" (or go to pg 8) for the diagrams.
  RFC for AH: http://www.ietf.org/rfc/rfc2402.txt?number=2402
    Search for "BEFORE APPLYING AH" (or go to pg 5) for the diagrams.

Other more visual references:
  IPSec illustrated guide:  http://www.unixwiz.net/techtips/iguide-ipsec.html
  ESP:  http://docs.hp.com/en/J4256-90003/ch01s03.html
  AH:   http://docs.hp.com/en/J4256-90003/ch01s02.html

cheers
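
The coverage difference described in the accepted answer, as an added worked example that is not part of the original thread: two constructed transport-mode packets are built, and the AH integrity check (IP header with RFC 2402's mutable fields zeroed, plus AH header and payload) is compared with the optional ESP integrity check (only the bytes after the IP header). HMAC-SHA256 truncated to 96 bits stands in for whatever integrity algorithm the SA negotiates, the key and addresses are constructed, and the ESP payload is treated as opaque bytes rather than actually encrypted.

```python
import hashlib
import hmac
import struct

KEY = b"constructed demo key"  # constructed; a real SA integrity key comes from IKE
IP_FMT = "!BBHHHBBH4s4s"       # IPv4 header without options, 20 bytes
AH, ESP = 51, 50               # IP protocol numbers

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header. Checksum stays 0: it is mutable and irrelevant to the demo."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)

def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """RFC 2402 rule: TOS, flags/fragment offset, TTL and checksum may change in transit,
    so AH zeroes them before hashing; addresses, length, protocol etc. stay covered."""
    ver_ihl, _tos, tot_len, ident, _flg, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack(IP_FMT, ver_ihl, 0, tot_len, ident, 0, 0, proto, 0, src, dst)

def truncated_hmac(data: bytes) -> bytes:
    """Stand-in for the SA's integrity algorithm: HMAC-SHA256 cut to a 96-bit ICV field."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ah_icv(packet: bytes) -> bytes:
    """packet = IPv4 header | AH header (ICV field zeroed) | payload.
    Everything is covered except the mutable IP header fields."""
    return truncated_hmac(ah_immutable_view(packet[:20]) + packet[20:])

def esp_icv(packet: bytes) -> bytes:
    """packet = IPv4 header | ESP header (SPI, seq) | encrypted payload + trailer.
    Only bytes after the IP header are covered, and only when the SA enables ESP auth at all."""
    return truncated_hmac(packet[20:])

def coverage_demo() -> dict:
    """For each protocol, report whether its ICV changes under three in-transit modifications."""
    src, dst, other = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes([192, 0, 2, 9])
    body = b"constructed TCP segment"   # for ESP, think of this as the already-encrypted payload
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(12)  # next=TCP, len=4, rsvd, SPI, seq, ICV=0
    esp_hdr = struct.pack("!II", 0x2000, 1)                          # SPI, seq
    out = {}
    for name, proto, hdr, icv in (("ah", AH, ah_hdr, ah_icv), ("esp", ESP, esp_hdr, esp_icv)):
        n = len(hdr) + len(body)
        base = icv(ipv4_header(src, dst, proto, n) + hdr + body)
        out[name + "_detects_ttl_decrement"] = icv(ipv4_header(src, dst, proto, n, ttl=63) + hdr + body) != base
        out[name + "_detects_src_rewrite"] = icv(ipv4_header(other, dst, proto, n) + hdr + body) != base
        out[name + "_detects_payload_tamper"] = icv(ipv4_header(src, dst, proto, n) + hdr + body[:-1] + b"!") != base
    return out

if __name__ == "__main__":
    for check, detected in coverage_demo().items():
        print(f"{check}: {detected}")
```

A TTL decrement by a router breaks neither ICV, a rewritten source address breaks only AH's, and a modified payload breaks both, which is the "header plus guts" versus "guts only" split the answer describes.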
