AH (Authentication Header) is one of the IPsec protocols. It provides connectionless integrity, data origin authentication and an optional anti-replay service. AH validates data at the IP layer or the next higher layer. Although it is effective in some respects, certain IP header fields, or the values of those fields, may change in transit and cannot be protected by AH. This means that the protection AH gives the IP header is partial (only the bits that do not change in transit are covered), not complete. AH may be used alone, nested, or in combination with ESP (Encapsulating Security Payload).
AH services can run between two hosts, between a host and a gateway, or between two gateways. The advantage of AH over ESP is the extent of its coverage: ESP must first encapsulate the header fields before it can protect them, whereas AH protects the IP header directly. Like ESP, AH offers an anti-replay capability at the discretion of the receiver, and it also authenticates part of the IP header. AH can operate in two modes, transport mode and tunnel mode. In a VPN, AH is used in tunnel mode to create a new IP datagram.
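The receiver-side anti-replay check mentioned above, as an added example (this is not code from the page or from the sources it draws on). It implements the sliding bitmap window that RFC 4302 describes for AH: a sequence number that falls to the left of the window, or that has already been marked, is rejected, and the window is only advanced after the integrity check succeeds, so a packet with a forged sequence number and a bad ICV cannot push legitimate traffic out of the window. The window size of 64, the verdict strings and the sample sequence are my own choices.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check using a sliding bitmap window in the
    style of RFC 4302 Appendix A. The newest accepted sequence number is the
    right edge of the window; bit i of the bitmap records whether the
    sequence number (right_edge - i) has already been accepted."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4302 requires a window of at least 32")
        self.size = size
        self.right_edge = 0     # highest sequence number accepted so far
        self.bitmap = 0         # bit 0 corresponds to right_edge

    def check(self, seq: int) -> bool:
        """True if seq is new and inside the window. Run this before the
        integrity check; it does not change any state."""
        if seq == 0:
            return False        # the first packet on an SA carries seq 1
        if seq > self.right_edge:
            return True         # would advance the window
        offset = self.right_edge - seq
        if offset >= self.size:
            return False        # to the left of the window: too old
        return not (self.bitmap >> offset) & 1   # already seen?

    def mark(self, seq: int) -> None:
        """Record seq as accepted. Call only after the ICV has verified."""
        if seq > self.right_edge:
            shift = seq - self.right_edge
            if shift >= self.size:
                self.bitmap = 1             # everything old falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right_edge = seq
        else:
            self.bitmap |= 1 << (self.right_edge - seq)

    def receive(self, seq: int, icv_valid: bool) -> str:
        """Full receive path: window check, then integrity check, then
        window update. icv_valid stands in for the real ICV comparison."""
        if not self.check(seq):
            return "out-of-window"
        if not icv_valid:
            return "bad-icv"
        self.mark(seq)
        return "accepted"


def replay_demo(sequence):
    """Feed a constructed list of (seq, icv_valid) pairs to a fresh window
    and return the verdict for each packet."""
    window = AntiReplayWindow(64)
    return [window.receive(seq, ok) for seq, ok in sequence]


if __name__ == "__main__":
    # Constructed sample traffic: a duplicate, a late arrival, a forged
    # packet far ahead (bad ICV), then a genuine jump ahead.
    sample = [(1, True), (1, True), (5, True), (3, True), (3, True),
              (200, False), (200, True), (136, True), (137, True)]
    for (seq, ok), verdict in zip(sample, replay_demo(sample)):
        print(f"seq={seq:<4} icv_ok={ok!s:<5} -> {verdict}")
```

The forged packet (sequence 200 with a bad ICV) is refused without touching the window, so the following genuine packets are judged against the correct right edge. Once 200 is accepted, 136 is exactly 64 behind and is dropped as too old, while 137 is still inside the window.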
In tunnel mode, AH provides full protection of the encapsulated IP datagram and lets a firewall route datagrams that use private IP addresses. More often, a VPN uses both ESP and AH to obtain a complete security solution.

AH HEADER

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|  Next header  |    Length     |               0               |
+---------------+---------------+-------------------------------+
|                   Security Parameters Index                   |
+---------------------------------------------------------------+
|                        Sequence number                        |
+---------------------------------------------------------------+
|                 Authentication Data (variable)                |
:                                                               :
+---------------------------------------------------------------+

“Next header” is an 8-bit field that specifies the next encapsulated protocol. “Length” is an 8-bit field; the remaining 16 bits of the first 32-bit word are reserved and cleared to zero. Authentication Data is a variable-length field made up of 32-bit words.
SPI (Security Parameters Index) is a 32-bit pseudo-random value that identifies the security association for the datagram. A value of zero means that there is no security association; values 1 to 255 are reserved. Sequence Number is 32 bits. Authentication Data must be a whole number of 32-bit words.
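The header layout above, worked through in code. This is an added example, not code from the page or from the sources it draws on: it serializes and parses an AH header with Python's struct module, derives the Authentication Data length from the Length field (which, per RFC 4302, counts 32-bit words minus 2, so a 96-bit HMAC-SHA1-96 ICV encodes as 4), enforces the zero reserved word and the SPI rules stated above, and computes the ICV over the header with the Authentication Data field zeroed, which is how a receiver recomputes and compares it. The key, the inner datagram and the SPI are constructed sample values; coverage of the outer IP header's immutable fields, which a real implementation also includes in the ICV, is left out.

```python
import hashlib
import hmac
import struct

# Fixed part of the AH header: Next Header (8 bits), Length (8 bits),
# Reserved (16 bits, zero), SPI (32 bits), Sequence Number (32 bits).
AH_FIXED_LEN = 12
ICV_LEN = 12                # HMAC-SHA1-96: 160-bit MAC truncated to 96 bits
RESERVED_SPI_MAX = 255      # SPI 0 = no SA; 1..255 are reserved


def build_ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialize an AH header. Length counts 32-bit words minus 2 (RFC 4302),
    so the 12-byte fixed part plus a 12-byte ICV encodes as 4."""
    if len(icv) % 4:
        raise ValueError("Authentication Data must be a multiple of 32 bits")
    length = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, length, 0, spi, seq) + icv


def parse_ah_header(data: bytes) -> dict:
    """Parse and sanity-check an AH header; returns its fields plus the
    data that follows the header."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, length, reserved, spi, seq = struct.unpack(
        "!BBHII", data[:AH_FIXED_LEN])
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    if spi == 0:
        raise ValueError("SPI 0: no security association")
    if spi <= RESERVED_SPI_MAX:
        raise ValueError("SPI %d is in the reserved range 1..255" % spi)
    header_len = (length + 2) * 4
    if header_len < AH_FIXED_LEN or len(data) < header_len:
        raise ValueError("Length field inconsistent with packet size")
    return {
        "next_header": next_header,
        "length": length,
        "spi": spi,
        "seq": seq,
        "icv": data[AH_FIXED_LEN:header_len],
        "header_length": header_len,
        "payload": data[header_len:],
    }


def compute_icv(key: bytes, ah_header: bytes, protected: bytes) -> bytes:
    """HMAC-SHA1-96 over the AH header with its Authentication Data zeroed,
    followed by the protected data. A full implementation also covers the
    immutable IP header fields (mutable ones zeroed); omitted here."""
    zeroed = ah_header[:AH_FIXED_LEN] + b"\x00" * (len(ah_header) - AH_FIXED_LEN)
    return hmac.new(key, zeroed + protected, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, next_header: int, spi: int, seq: int,
                    protected: bytes) -> bytes:
    """Sender side: build the header with a zero ICV, then fill in the MAC."""
    placeholder = build_ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
    icv = compute_icv(key, placeholder, protected)
    return build_ah_header(next_header, spi, seq, icv) + protected


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Receiver side: parse, recompute the ICV and compare in constant time."""
    fields = parse_ah_header(packet)
    header = packet[:fields["header_length"]]
    expected = compute_icv(key, header, fields["payload"])
    return hmac.compare_digest(expected, fields["icv"])


if __name__ == "__main__":
    key = b"constructed-demo-key"                   # constructed, not a real SA key
    inner = b"inner IP datagram (constructed)"      # stands in for the tunnelled packet
    pkt = build_ah_packet(key, 4, 0x1000, 1, inner)  # next header 4 = IP-in-IP
    print(parse_ah_header(pkt))
    print("valid:", verify_ah_packet(key, pkt))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print("tampered valid:", verify_ah_packet(key, tampered))
```

Flipping a single bit of the protected data makes the recomputed ICV differ, and the parser rejects headers whose SPI is zero or reserved before any MAC work is done, which is the order a receiver should follow: cheap structural checks first, the keyed comparison last.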