Solved

Confused about AH and ESP in IPsec

Posted on 2006-10-25
1
298 Views
Last Modified: 2010-04-09
I'm a little confused.

1.) ESP does encryption to ensure confidentiality but it also does data origin authentication but doesn't authentication header (AH) in IPSEC already do authentication?

The only way this makes sense is that AH authentication ensures that the entire data packet including the header is basically from who it says it's from. And ESP Authentication is used to ensure that the payload in the data is exactly the data that was originally sent.

2.) When using ESP is the authenticaton part, optional (user option) or is it mandatory(default, non changable)?

0
Comment
Question by:iamuser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 20

Accepted Solution

by:
calvinetter earned 350 total points
ID: 17808609
1)
>The only way this makes sense is that AH authentication ensures...
   I think you've pretty well got it.  AH authenticates as much of a packet as it can, including much of the IP header of the new packet created after applying AH to the original packet.  ESP authenticates "everything else" except the IP header of the new packet, ie just the "guts" of the new packet.

2)  Authentication is entirely optional with ESP.

For some basic but clear ASCII-art packet diagrams for each protocol, see the following:
  RFC for ESP:   http://www.ietf.org/rfc/rfc2406.txt?number=2406
                       Search for "BEFORE APPLYING ESP" (or go to pg 8) for the diagrams.
  RFC for AH:   http://www.ietf.org/rfc/rfc2402.txt?number=2402
                      Search for "BEFORE APPLYING AH" (or go to pg 5) for the diagrams.

Other more visual references:
  IPSec illustrated guide:  http://www.unixwiz.net/techtips/iguide-ipsec.html
  ESP:  http://docs.hp.com/en/J4256-90003/ch01s03.html
  AH:   http://docs.hp.com/en/J4256-90003/ch01s02.html

cheers
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question