cation: Enables a network device to authenticate a user.
Authentication Header (AH) format (reconstructed from the slide figure; each word is 32 bits):

             8 bits        8 bits              16 bits
Word 1    | Next Header | AH Payload Length | Reserved                          |
Word 2    | Security Parameters Index (SPI)                                     |
Word 3    | Sequence Number                                                     |
Word 4 -  | Integrity Check Value - ICV (variable)                              |

In the packet the AH is inserted between the IP header and the payload data; it provides authentication and an optional anti-replay service.

VPN, IPsec, IKE v2, TLS – M. Mogollon – 01/08

• The AH protocol, RFC 4302, defines the format for IPsec packets that require data origin
authentication, connectionless integrity, and anti-replay services only. The AH does not encrypt
the data portion of the packet. AH may be applied alone, in combination with ESP, or in a nested
fashion through the use of tunnel mode. A description of each of the different fields is given
below:
• Next Header: Identifies the type of header of the next payload after the Authentication Header.
• Payload Length: Specifies the length of AH in 32-bit words (4-byte units), minus "2".
• Reserved: This 16-bit field is reserved for future use.
• Security Parameters Index (SPI): The SPI is an arbitrary 32-bit value that, in combination with
the destination IP address and security protocol (AH), uniquely identifies the Security
Association for the datagram. Through the SA it selects, the SPI tells which security protocol,
algorithms and keys are used for the packet.
• Sequence Number: This field contains a monotonically increasing counter value (sequence
number) that tells how many packets have been sent and provides anti-replay protection. The
sender's counter and the receiver's counter are initialized to 0 when an SA is established. The first
packet sent using a given SA will have a Sequence Number of 1.
• Integrity Check Value: This variable-length field contains the Integrity Check Value (ICV) for
the packet. The field must be an integral multiple of 32 bits in length. The authentication
algorithm employed for the ICV computation is specified by the SA. For point-to-point
communication, suitable authentication algorithms include keyed Message Authentication Codes
(MACs) based on symmetric encryption algorithms (e.g., AES) or on one-way hash functions
(e.g., MD5 or SHA-1).
• The mandatory-to-implement authentication algorithms are: HMAC-SHA-1-96; AES-XCBC-MAC-96; HMAC-MD5-96.
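As an added worked example (not code from the slides), the following Python parses the AH layout described above, computes an HMAC-SHA-1-96 ICV over a constructed header, and implements the receiver-side anti-replay window that the Sequence Number field supports. The key, SPI and sample bytes are constructed for the demo, and the ICV here covers only the AH itself rather than the immutable IP header fields and payload that a real implementation also includes.

```python
import hashlib, hmac, struct

AH_FIXED_LEN = 12  # Next Header, Payload Length, Reserved, SPI, Sequence Number

def parse_ah(data: bytes) -> dict:
    """Split an AH (RFC 4302 layout) into its fixed fields and variable-length ICV."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    nh, plen, rsv, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    # Payload Length counts 32-bit words minus 2, so the whole AH spans
    # (plen + 2) * 4 bytes; everything after the fixed part is the ICV.
    total = (plen + 2) * 4
    if len(data) < total:
        raise ValueError("AH shorter than Payload Length claims")
    icv = data[AH_FIXED_LEN:total]
    if len(icv) % 4:
        raise ValueError("ICV must be an integral multiple of 32 bits")
    return {"next_header": nh, "payload_len": plen, "reserved": rsv,
            "spi": spi, "seq": seq, "icv": icv, "ah_len": total}

def hmac_sha1_96(key: bytes, ah: bytes) -> bytes:
    """HMAC-SHA-1 over the AH with its ICV zeroed, truncated to 96 bits (12 bytes).
    Demo simplification: real AH also covers the immutable IP header and payload."""
    zeroed = ah[:AH_FIXED_LEN] + b"\x00" * (len(ah) - AH_FIXED_LEN)
    return hmac.new(key, zeroed, hashlib.sha1).digest()[:12]

class ReplayWindow:
    """Receiver-side sliding window over the AH Sequence Number (default 64)."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit i set => top - i seen

    def accept(self, seq: int) -> bool:
        if seq == 0:                      # counters start at 0; first packet is 1
            return False
        if seq > self.top:                # newer than anything seen: slide window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        off = self.top - seq
        if off >= self.size or (self.bitmap >> off) & 1:
            return False                  # too old, or already seen: a replay
        self.bitmap |= 1 << off
        return True

# Constructed sample: transport-mode AH in front of TCP (Next Header 6), Payload
# Length 4 => (4 + 2) * 4 = 24 bytes, leaving room for a 12-byte HMAC-SHA-1-96 ICV.
SAMPLE_KEY = b"constructed-demo-key"
_fixed = struct.pack("!BBHII", 6, 4, 0, 0x12345678, 1)
SAMPLE_AH = _fixed + hmac_sha1_96(SAMPLE_KEY, _fixed + b"\x00" * 12)
```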
Encapsulation Security Payload (ESP)
• Data Integrity + Aut...
This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.