U5.10 Authentication Header

Implemented in transport or tunnel mode
1. In transport mode
  1. AH is placed between TCP and IP headers
    1. in this mode the comms endpoint and the IPSEC endpoint must coincide, only 1 header is used
      1. MAC cover the application data, TCP header and most of the IP header
2. Tunnel Mode
  1. Comms endpoint and IPSEC endpoint do not coincide
    1. An additional IP header is added and separated from the original IP header by the AH header
      1. Outer IP header contains the source and dest for the IPSEC end points
        Inner IP header contains the potentially different source and destination addresses of the comms endpoints
Vital to authenticate the Source IP address so that recipient is certain the comms received is genuine and forging of packets is prevented
1. AH authenticates source IP address
  1. This prevents the initiator from covering their tracks
Using AH all of the payload is authenticated and most of the header
1. components not authenticated are those modified on route
Protocol Steps
1. An authentication header is inserted into a datagram
  1. Header contains a Security Parameters Index (SPI) to help locate the Security Association (SA) with with the packet is processed
    1. Contains a sequence number to combat replay
      1. And a MAC to provide authentication protection
    2. SPI & SA provide a link to the encryption keys used to secure the comms

Resource summary

	Created by Craig Parker almost 11 years ago