Authentication header

The Authentication Header (AH) authenticates IP traffic: it lets the receiver verify that each packet came from the expected peer, detects any alteration of the packet in transit, and protects against replayed packets. AH does not encrypt traffic; the payload is sent in the clear.

AH inserts a small header ahead of the payload. The header carries a Security Parameters Index (SPI), which identifies the security association and therefore the key to use, a sequence number that increases by one for every packet sent on that association, and an Integrity Check Value (ICV) computed over the packet. AH provides:
  • IP datagram sender authentication, by an HMAC (or another MAC) keyed with the security association's key

  • IP datagram integrity assurance, by the same HMAC or MAC (the ICV)

  • Replay detection and protection, by the sequence number, which the receiver checks against a sliding window and never accepts twice

In transport mode the IPsec feature inserts the AH header between the IP header and the upper-layer payload (for example TCP or UDP). Transport mode does not encapsulate the original IP header; the ICV covers the payload, the AH header itself, and the immutable fields of the IP header (version, length, identification, protocol, source and destination addresses). Fields that legitimately change in transit (DSCP/ECN, flags and fragment offset, TTL, and the header checksum) are treated as zero when the ICV is computed, so a router decrementing the TTL does not break authentication. A device that rewrites the source or destination address, such as a NAT gateway, does break it: the receiver discards the packet as an integrity failure.

Tunnel mode encapsulates the entire original IP packet, header and data, behind a new outer IP header, with the AH header placed between the outer header and the original packet. The ICV covers the whole original packet plus the immutable fields of the outer header, so the original addresses and headers are authenticated end to end. Tunnel mode provides a secure hop between two hosts, two routers (a gateway-to-gateway tunnel), or a router and a host.

You can apply AH alone, or in combination with the Encapsulating Security Payload (ESP), which adds the encryption that AH lacks.

The following figures show an original IP packet and an IP packet with an AH header.

Figure: Original IP packet

Figure: AH in transport mode