AH Authentication Header
Within the IP Security (IPsec) architecture, the IETF developed two primary security protocols: the Encapsulating Security Payload (ESP) and the Authentication Header (AH). The purpose of the AH protocol is to provide security services for IP packets without providing data secrecy (encryption).
AH’s main goal is to give IP packets data integrity and authentication. AH packets are carried with IP Protocol number 51 (a Layer 4 protocol number in the IP header).

Core Security Functions
AH provides three main security services:
- Data Integrity: This guarantees that the message hasn’t been altered while in transit. This is also referred to as strong integrity.
- Data Origin Authentication: Data origin authentication helps stop IP spoofing by validating the sender’s identity and ensuring that the packet actually came from the sending entity it purports to be.
- Anti-Replay Protection: Replay protection is an optional feature offered by AH. A sequence number field in the AH header provides this protection by enabling the recipient to check the sequence number and reject a packet that an attacker has captured and is replaying, even though the packet itself is authentic.
AH Mechanism and Packet Coverage
The AH protocol uses a shared secret key and a cryptographic hash function to accomplish its security objectives.
Mechanism
AH applies a one-way hash to a packet’s IP header and data.
- Generation: A message digest produced by a keyed hash algorithm such as HMAC-MD5 or HMAC-SHA guarantees data integrity. Because the digest is computed with a shared secret key, it also provides data origin authentication. Underlying hash functions used are SHA1, SHA2, or MD5, and particular integrity algorithms include AES128_XCBC_96 and HMAC_SHA2_256_128.
- Integrity Check Value (ICV): The sender computes an ICV over the whole IP packet: the transport-layer payload, the AH header (apart from the Authentication Data field itself), and all of the IP header’s immutable fields. The computed hash is placed in the AH header’s Authentication Data field.
- Verification: Using the same secret key and algorithm, the recipient calculates the hash in the same way. The packet is accepted as authentic if the receiver’s computed hash matches the ICV found in the received AH header; if not, it is rejected.
Packet Coverage
AH authenticates IP headers together with their payloads. Unlike ESP authentication, which covers only the encapsulated datagram and not the outer IP header, AH authenticates the complete IP packet, including the outer IP header.
However, not all of the IP header’s fields can be protected by AH. Some mutable fields may legitimately change while in transit, and since the recipient cannot predict their values, AH excludes them from the ICV calculation (they are treated as zero when the hash is computed). The following IPv4 mutable fields are not protected:
- Time to live (TTL).
- Type of service (TOS).
- Flags.
- Fragment offset.
- Header checksum.
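The following Python script is an added example and not code from the original article. It shows how a sender computes the ICV over a constructed IPv4 packet with the mutable fields listed above zeroed, using HMAC-SHA-256 truncated to 128 bits (the HMAC_SHA2_256_128 algorithm named above), and how a receiver verifies it. The key, addresses and packet contents are constructed sample values, and the IPv4 header checksum is left at zero for simplicity.

```python
import hashlib, hmac, struct

def ipv4_header(src, dst, total_len, ttl=64, tos=0, flags_frag=0x4000, proto=51):
    """Constructed 20-byte IPv4 header (protocol 51 = AH); checksum left at zero here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234,
                       flags_frag, ttl, proto, 0, src, dst)

def zero_mutable_fields(ip_hdr):
    """Zero the IPv4 fields AH does not protect: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv):
    """Fixed 12-byte AH part followed by the ICV; Payload Length = 32-bit words minus 2."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, next_hdr, spi, seq, payload, icv_len=16):
    """HMAC-SHA-256 over immutable IP header + AH (ICV field zeroed) + payload, truncated to 128 bits."""
    ah_zeroed = ah_header(next_hdr, spi, seq, bytes(icv_len))
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:icv_len]

def build_packet(key, src, dst, spi, seq, payload, next_hdr=6, ttl=64):
    """Sender side: compute the ICV, then emit IPv4 header + AH header + payload."""
    ip_hdr = ipv4_header(src, dst, 20 + 28 + len(payload), ttl=ttl)
    icv = compute_icv(key, ip_hdr, next_hdr, spi, seq, payload)
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload

def verify_packet(key, packet):
    """Receiver side: recompute the ICV from the received bytes and compare in constant time."""
    ip_hdr = packet[:20]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_end = 20 + (payload_len + 2) * 4
    icv = packet[32:ah_end]
    expected = compute_icv(key, ip_hdr, next_hdr, spi, seq, packet[ah_end:], len(icv))
    return hmac.compare_digest(expected, icv)

if __name__ == "__main__":
    key = b"constructed-sample-key"
    pkt = build_packet(key, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 0x100, 1, b"hello")
    hop = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]  # TTL decremented by a router: still valid
    print(verify_packet(key, pkt), verify_packet(key, hop), verify_packet(key, pkt[:-1] + b"!"))
```

A router decrementing the TTL leaves the ICV valid, while any change to the payload, the addresses, or the key makes verification fail.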
Modes of Operation
AH can operate in two modes:
- Transport Mode: This mode protects the IP packet’s payload and is used for end-to-end communication between two hosts. AH is inserted between the original IP header and the original transport-layer (e.g. TCP) header. In transport mode, AH covers the payload together with the immutable fields of the original IP header.
- Tunnel Mode: This mode is used in gateway-to-gateway or VPN scenarios. It protects the entire original IP packet by encapsulating it in a new packet; AH is inserted between the new outer IP header and the original IP header. In tunnel mode, the whole encapsulated packet is authenticated.
Authentication Header Format Fields
The AH header includes several fields critical for its function:
- Next Header: An 8-bit field that identifies the type of header that immediately follows the AH.
- Payload Length: An 8-bit field that holds the length of the AH header in 32-bit words, minus two.
- Reserved: A 16-bit field set to zero and reserved for future use.
- Security Parameter Index (SPI): A 32-bit field that identifies the Security Association (SA) to which every packet of the current connection belongs. The SA specifies the secret key and hashing algorithm.
- Sequence Number: A 32-bit, monotonically increasing counter used for replay protection. The counter is initialised to 0, so the first packet sent carries sequence number 1. When all sequence numbers have been used, the connection must be terminated and re-established.
- Authentication Data (Integrity Check Value, ICV): A variable-length field that contains the message digest (the ICV). Its length is determined by the selected hashing algorithm.
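As an added example (not code from the article), the following Python parses the AH header fields described above, deriving the ICV length from the Payload Length field, and implements the sequence-number replay check from the Core Security Functions section as a sliding bitmap window in the style of RFC 4302. The 64-packet window size and the sample header bytes are assumptions of this example.

```python
import struct

AH_FIXED_LEN = 12  # Next Header, Payload Length, Reserved, SPI, Sequence Number

def parse_ah(data):
    """Parse an AH header from raw bytes; the ICV length is derived from Payload Length.
    Returns (fields dict, remaining bytes after the AH header)."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4          # Payload Length counts 32-bit words minus 2
    if len(data) < total_len:
        raise ValueError("AH header longer than packet")
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    fields = {"next_header": next_hdr, "payload_len": payload_len, "spi": spi,
              "seq": seq, "icv": data[AH_FIXED_LEN:total_len]}
    return fields, data[total_len:]

class ReplayWindow:
    """Anti-replay check: a sliding bitmap of accepted sequence numbers (RFC 4302 style).
    The window logic is this example's own, not code from the page."""
    def __init__(self, size=64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (highest - i) was received

    def check_and_update(self, seq):
        if seq == 0:
            return False        # 0 is never valid: the counter starts at 0 and the first packet uses 1
        if seq > self.highest:  # new high-water mark: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False        # too old, outside the window
        if self.bitmap & (1 << offset):
            return False        # already accepted: replay
        self.bitmap |= 1 << offset
        return True

if __name__ == "__main__":
    sample = struct.pack("!BBHII", 6, 5, 0, 0x100, 7) + bytes(16) + b"payload"  # constructed
    fields, rest = parse_ah(sample)
    w = ReplayWindow()
    print(fields["spi"], len(fields["icv"]), rest, w.check_and_update(fields["seq"]), w.check_and_update(fields["seq"]))
```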
Limitations and Current Usage
AH is not commonly deployed today and is considered less flexible than its counterpart, ESP.
- Lack of Confidentiality: One significant drawback of AH is that it lacks data secrecy (encryption), meaning that intercepted data is still readable. When integrity is crucial, but encryption is either not necessary or is prohibited by law, AH is usually utilized.
- Weak Protection: AH offers just mediocre protection when used on its own. Since ESP (Encapsulating Security Payload) provides both encryption and authentication, it is typically utilized instead.
- Compatibility Issues: When AH passes through Network Address Translation (NAT) devices, it frequently breaks.
Since ESP can offer both encryption and authentication, it is the usual choice in modern systems when both are needed. For example, IKEv2 does not permit combining the ESP protocol for encryption with the AH protocol for authentication on the same traffic; if IKEv2 is being used, ESP should be used for both.
Analogy:
When attached to a physical letter, the Authentication Header (AH) functions as a verified tamper-proof seal and signature. The letter’s contents are not concealed (no encryption is used), but it does ensure two things: first, that the letter was indeed sent by the verified sender (authentication); and second, that the address information on the envelope (apart from the mutable postmark fields) and the contents of the letter have not been altered since the sender sealed it (integrity).
