[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Confused about AH and ESP in IPsec

Posted on 2006-10-25
1
Medium Priority
?
309 Views
Last Modified: 2010-04-09
I'm a little confused.

1.) ESP does encryption to ensure confidentiality but it also does data origin authentication but doesn't authentication header (AH) in IPSEC already do authentication?

The only way this makes sense is that AH authentication ensures that the entire data packet including the header is basically from who it says it's from. And ESP Authentication is used to ensure that the payload in the data is exactly the data that was originally sent.

2.) When using ESP is the authenticaton part, optional (user option) or is it mandatory(default, non changable)?

0
Comment
Question by:iamuser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 20

Accepted Solution

by:
calvinetter earned 1400 total points
ID: 17808609
1)
>The only way this makes sense is that AH authentication ensures...
   I think you've pretty well got it.  AH authenticates as much of a packet as it can, including much of the IP header of the new packet created after applying AH to the original packet.  ESP authenticates "everything else" except the IP header of the new packet, ie just the "guts" of the new packet.

2)  Authentication is entirely optional with ESP.

For some basic but clear ASCII-art packet diagrams for each protocol, see the following:
  RFC for ESP:   http://www.ietf.org/rfc/rfc2406.txt?number=2406
                       Search for "BEFORE APPLYING ESP" (or go to pg 8) for the diagrams.
  RFC for AH:   http://www.ietf.org/rfc/rfc2402.txt?number=2402
                      Search for "BEFORE APPLYING AH" (or go to pg 5) for the diagrams.

Other more visual references:
  IPSec illustrated guide:  http://www.unixwiz.net/techtips/iguide-ipsec.html
  ESP:  http://docs.hp.com/en/J4256-90003/ch01s03.html
  AH:   http://docs.hp.com/en/J4256-90003/ch01s02.html

cheers
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question