Question & Answer
What is the difference between the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols of IPSec?
The AH protocol provides a mechanism for authentication only. AH provides data integrity, data origin authentication, and an optional replay protection service. Data integrity is ensured by using a message digest that is generated by an algorithm such as HMAC-MD5 or HMAC-SHA. Data origin authentication is ensured by using a shared secret key to create the message digest. Replay protection is provided by a sequence number field in the AH header. AH authenticates IP headers and their payloads, with the exception of certain header fields that can be legitimately changed in transit, such as the Time To Live (TTL) field.
The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication. When ESP provides authentication functions, it uses the same algorithms as AH, but the coverage is different. AH authenticates the entire IP packet, including the outer IP header, while ESP authentication covers only the encapsulated portion of the packet (the ESP header and the data that follows it), not the outer IP header.
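The coverage difference described above, shown as an added example (not part of the original topic): the integrity check value (ICV) is computed over the bytes each protocol actually protects, so a TTL decrement in transit leaves the AH ICV intact, a rewritten source address is caught by AH but invisible to ESP, and payload tampering is caught by both. The key, addresses, SPI and payload are constructed sample values; HMAC-SHA1-96 is used for the ICV.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"      # constructed sample authentication key
PAYLOAD = b"hello ipsec demo"      # constructed sample upper-layer data

def ipv4_header(src, dst, ttl=64, proto=51, total_len=20):
    """Minimal 20-byte IPv4 header (no options); src/dst are 4-byte addresses."""
    # version/IHL, TOS, total length, ID, flags+frag offset, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """Zero the IPv4 fields AH treats as mutable in transit: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def icv(key, data):
    """HMAC-SHA1-96: the first 12 bytes (96 bits) of HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_icv(key, ip_hdr, spi, seq, payload, next_header=17):
    """AH ICV: immutable IP header fields + AH header (ICV field zeroed) + payload."""
    # next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, sequence
    ah_hdr = struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\x00" * 12
    return icv(key, zero_mutable(ip_hdr) + ah_hdr + payload)

def esp_icv(key, spi, seq, payload, next_header=17):
    """ESP ICV: SPI + sequence + payload + ESP trailer. The IP header is not an input at all."""
    pad_len = (-(len(payload) + 2)) % 4                      # pad to a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return icv(key, struct.pack("!II", spi, seq) + payload + trailer)

def coverage_demo():
    """Return which in-transit changes each protocol's ICV detects."""
    src, dst, spi, seq = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0x1000, 1
    ah = ah_icv(KEY, ipv4_header(src, dst, ttl=64), spi, seq, PAYLOAD)
    esp = esp_icv(KEY, spi, seq, PAYLOAD)
    ttl_hdr = ipv4_header(src, dst, ttl=63)                   # router decremented TTL
    spoof_hdr = ipv4_header(bytes([192, 168, 1, 1]), dst)     # source address rewritten
    return {
        "ah_survives_ttl_change": ah_icv(KEY, ttl_hdr, spi, seq, PAYLOAD) == ah,
        "ah_detects_src_rewrite": ah_icv(KEY, spoof_hdr, spi, seq, PAYLOAD) != ah,
        "ah_detects_payload_change": ah_icv(KEY, ipv4_header(src, dst), spi, seq, b"tampered") != ah,
        "esp_detects_payload_change": esp_icv(KEY, spi, seq, b"tampered") != esp,
        "esp_detects_replayed_seq": esp_icv(KEY, spi, seq + 1, PAYLOAD) != esp,
    }
```

With encryption enabled, ESP computes the ICV over the ciphertext rather than the plaintext, but the coverage boundary (no outer IP header) is the same.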
For a dynamic tunnel, the choice of IPSec protocol is configured using the IpDataOffer statement in an IP security policy configuration file. For a manual tunnel, the choice of IPSec protocol is configured using the IpManVpnAction statement in an IP security policy configuration file.
To specify the IPSec protocol, specify either AH or ESP on the HowToAuth parameter of the IpDataOffer statement (for dynamic tunnels) or the IpManVpnAction statement (for manual tunnels), along with the name of the algorithm used to encode authentication data in either AH or ESP headers. For dynamic tunnels, the default value is ESP HMAC_MD5.
24 May 2017