AH is a member of the IPsec protocol suite.

AH is intended to guarantee connectionless integrity and data origin authentication of IP packets.

AH protects the IP payload and all header fields of an IP datagram except for mutable fields (i.e. those that might be altered in transit).

In IPv4, mutable (and therefore unauthenticated) IP header fields include DSCP/TOS, Flags, Fragment Offset, TTL and Header Checksum.

AH operates directly on top of IP, using IP protocol number 51.

The following AH packet diagram shows how an AH packet is constructed and interpreted:
1. An authentication header is added to the payload with the authentication data field set to zero.

2. Padding may be added to make the total length even for a particular hashing algorithm; the security association tells which hashing algorithm is used to calculate the authentication data.

3. Hashing is based on the total packet. However, only those fields of the IP header that do not change during transmission are included in the calculation of the message digest (authentication data).

4. The authentication data are inserted in the authentication header.

5. The IP header is added after the value of the protocol field is changed to 51.

A brief description of each field follows:
- Next header. The 8-bit next-header field defines the type of payload carried by the IP datagram (such as TCP, UDP, ICMP, or OSPF). It has the same function as the protocol field in the IP header before encapsulation. In other words, the process copies the value of the protocol field in the IP datagram to this field. The value of the protocol field in the new IP datagram is now set to 51 to show that the packet carries an authentication header.

- Payload length. The name of this 8-bit field is misleading. It does not define the length of the payload; it defines the length of the authentication header in 4-byte multiples, but it does not include the first 8 bytes.

- Security parameter index. The 32-bit security parameter index (SPI) field plays the role of a virtual-circuit identifier and is the same for all packets sent during a connection called a security association (discussed later).

- Sequence number. A 32-bit sequence number provides ordering information for a sequence of datagrams. The sequence numbers prevent a playback (replay) attack. Note that the sequence number is not repeated even if a packet is retransmitted. A sequence number does not wrap around after it reaches 2^32; a new connection must be established.

- Authentication data. Finally, the authentication data field is the result of applying a hash function to the entire IP datagram except for the fields that are changed during transit (e.g., time-to-live).
The AH Protocol provides source authentication and data integrity, but not privacy.
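The five construction steps and the field descriptions above can be exercised end to end in a short script. The following is an added example written for this page, not code from the original post: it builds a transport-mode AH packet in pure Python, computes the authentication data as HMAC-SHA1-96 (the 96-bit truncated HMAC of RFC 2404, chosen here as the hashing algorithm the security association would name), zeroes the mutable IPv4 fields before hashing, and then plays the receiver's role: it accepts the packet after a simulated router hop changes TTL and checksum, rejects a tampered payload, and rejects a replayed sequence number. The key, addresses and payload bytes are constructed sample values.

```python
import hmac
import hashlib
import struct

AH_PROTOCOL = 51
AH_FIXED_LEN = 12   # next header, payload length, reserved, SPI, sequence number
ICV_LEN = 12        # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)


def ipv4_checksum(hdr):
    """One's-complement checksum over a 20-byte IPv4 header (checksum field zeroed by caller)."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header without options; identification and flags are fixed sample values."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len,
                                0x1234, 0x4000, ttl, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr)


def zero_mutable_fields(ip_hdr):
    """Zero the fields that may change in transit and are therefore not authenticated:
    DSCP/TOS (byte 1), Flags + Fragment Offset (bytes 6-7), TTL (byte 8), Header Checksum (bytes 10-11)."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def build_ah(next_header, spi, seq, icv):
    """AH header: payload length is the AH length in 4-byte words minus 2, so 24 bytes gives 4."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, ah_hdr, payload):
    """Steps 1-3 of the page: ICV field zeroed, mutable IP fields zeroed, HMAC over the whole datagram."""
    ah_zeroed = ah_hdr[:AH_FIXED_LEN] + b"\x00" * ICV_LEN
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zeroed + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def ah_protect(key, spi, seq, src, dst, upper_proto, payload, ttl=64):
    """Sender side: AH sits between the IP header and the payload; protocol field becomes 51
    and the original protocol number moves into the AH next-header field (steps 4-5)."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, AH_PROTOCOL, total_len, ttl=ttl)
    ah_zero = build_ah(upper_proto, spi, seq, b"\x00" * ICV_LEN)
    icv = compute_icv(key, ip_hdr, ah_zero, payload)
    return ip_hdr + build_ah(upper_proto, spi, seq, icv) + payload


def ah_verify(key, packet, last_seq):
    """Receiver side. Returns (ok, next_header, payload, new_last_seq); a sequence number
    at or below the last accepted one is treated as a replay and rejected."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTOCOL:
        return False, None, None, last_seq
    ah_len = (packet[21] + 2) * 4
    ah_hdr = packet[20:20 + ah_len]
    payload = packet[20 + ah_len:]
    next_header, _, _, _spi, seq = struct.unpack("!BBHII", ah_hdr[:AH_FIXED_LEN])
    if seq <= last_seq:
        return False, None, None, last_seq
    expected = compute_icv(key, ip_hdr, ah_hdr, payload)
    if not hmac.compare_digest(ah_hdr[AH_FIXED_LEN:], expected):
        return False, None, None, last_seq
    return True, next_header, payload, seq


def decrement_ttl(packet):
    """Simulate one router hop: only mutable fields (TTL, header checksum) change."""
    b = bytearray(packet)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(b[:20]))
    return bytes(b)


def demo():
    key = b"constructed-sample-key-not-a-real-secret"
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"constructed TCP segment bytes"
    pkt = ah_protect(key, spi=0x1000, seq=1, src=src, dst=dst, upper_proto=6, payload=payload)
    ok_after_hop, nh, _data, seq = ah_verify(key, decrement_ttl(pkt), last_seq=0)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    ok_tampered, *_ = ah_verify(key, tampered, last_seq=0)
    ok_replay, *_ = ah_verify(key, pkt, last_seq=seq)
    return ok_after_hop, nh, ok_tampered, ok_replay


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, 6, False, False)`: the packet still verifies after the TTL hop because TTL and checksum were excluded from the hash, the next-header field hands back protocol 6 (TCP) for the upper layer, a one-bit change in the payload fails the ICV check, and re-presenting the same sequence number is refused. Production implementations use a sliding anti-replay window rather than the simple "strictly increasing" check used here.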