The IPSec Authentication
Header (AH) provides integrity and authentication but no privacy--the
IP data is not encrypted. The AH contains an authentication value
based on a symmetric-key hash function.
Symmetric
key hash functions are a type of cryptographic hash function
that take the data and a key as input to generate an authentication
value. Cryptographic hash functions are usually one-way functions,
so that starting with a hash output value, it is difficult to create
an input value that would generate the same output value. This makes
it difficult for a third party to intercept a message and replace
it with a new message that would generate the same authentication
value.
Symmetric key hash functions are also known as shared key hash functions
because the sender and receiver must use the same (symmetric) key
for the hash functions. In addition, the key must only be known
by the sender and receiver, so this class of hash functions is sometimes
referred to as secret key hash functions.
In the example below, the sender uses the plaintext and shared
secret key to calculate an authentication value and sends the authentication value
with the plaintext. The recipient computes its own authentication value
using the same shared secret key and the plaintext. The recipient then
compares the result with the transmitted authentication value. If the
values match, the recipient is assured that the sender knows the same
secret key, confirming the identity of the sender. The recipient
is also assured that the data was not altered during transit.
HP-UX IPSec supports the following algorithms for AH:
HMAC-SHA1 (Hashed Message Authentication Code-Secure Hash Algorithm 1, 128-bit key)
HMAC-MD5 (HMAC-Message Digest 5, 160-bit key)
Transport and Tunnel Modes
The IPSec headers (AH and ESP) can be used in transport mode
or tunnel mode.
In transport
mode, IPSec inserts the AH header after the IP header. The IP data
and header are used to calculate the AH authentication value. Mutable
fields in the IP header (fields that need to change in transit), such
as “hop count” and “time to live,” are
assigned a zero value before IPSec calculates the authentication
value, so the actual values of the mutable fields are not authenticated.
In IPv6 AH transport mode, IPSec inserts the AH after the following
headers and extensions:
any destination options needed to interpret the AH header
The items listed below follow the AH:
any destination options needed only for the “final” destination
and not needed to interpret the AH header
the IP data or payload (e.g., TCP or UDP packet)
The entire packet is used to calculate the authentication
value. Mutable and unpredictable fields and options, such as timestamp
and traceroute options, are assigned a zero value before calculating
the authentication value.
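The following Python script is an added illustration, not code from the HP-UX IPSec documentation or its implementation. It models the shared-key exchange described earlier (sender computes an authentication value, receiver recomputes and compares) together with the transport-mode rule that mutable IP header fields are zeroed before the value is calculated. It builds a minimal IPv4 header and an AH header, computes an HMAC-SHA1 value truncated to 96 bits over the header (with TTL and checksum zeroed, the AH's own ICV field zeroed) plus the payload, then checks four cases: an untouched packet, a TTL decremented by a router in transit, a tampered payload, and a wrong key. The key, addresses, SPI and payload are constructed values; only the TTL and header checksum are treated as mutable here, which is a simplification of the full mutable-field list.

```python
import hashlib
import hmac
import struct

# Constructed 20-byte key for the example only (assumption); a real SA key
# comes from IKE negotiation or manual configuration, never a fixed constant.
SHARED_KEY = bytes(range(20))

# AH carries a 96-bit (12-byte) truncation of the HMAC output.
ICV_LEN = 12
AH_FIXED_LEN = 12  # next header, payload len, reserved, SPI, sequence number


def build_ipv4_header(src, dst, ttl, payload_len, proto=51):
    """Minimal 20-byte IPv4 header; protocol 51 is AH. Checksum stays zero
    because it is mutable and would be recomputed by every hop anyway."""
    version_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_len, 0, 0,
                       ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_header):
    """Return a copy of the header with TTL (byte 8) and checksum
    (bytes 10-11) set to zero, as AH does before hashing."""
    h = bytearray(ip_header)
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_header, ah_fields, payload):
    """Authentication value over: immutable IP header fields, the AH header
    with its ICV field zeroed, and the payload."""
    data = zero_mutable_fields(ip_header) + ah_fields + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(key, ip_header, payload, spi, seq, next_header=6):
    """Sender side: assemble the AH header (next header 6 = TCP) and its ICV."""
    # Payload Len field is the AH length in 32-bit words minus 2.
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    ah_fields = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    return ah_fields + ah_icv(key, ip_header, ah_fields, payload)


def verify_ah(key, ip_header, ah, payload):
    """Receiver side: recompute the ICV with the shared key and compare in
    constant time so the comparison itself leaks nothing about the value."""
    ah_fields = ah[:AH_FIXED_LEN]
    received_icv = ah[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    expected = ah_icv(key, ip_header, ah_fields, payload)
    return hmac.compare_digest(expected, received_icv)


def demo():
    """Run the four verification cases and return their outcomes."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])  # constructed
    payload = b"constructed TCP segment bytes"
    ah_total = AH_FIXED_LEN + ICV_LEN
    hdr = build_ipv4_header(src, dst, ttl=64, payload_len=ah_total + len(payload))
    ah = build_ah(SHARED_KEY, hdr, payload, spi=0x1000, seq=1)

    # Case 2: a router decrements TTL; the packet must still verify.
    hdr_after_hop = bytearray(hdr)
    hdr_after_hop[8] = 63

    return {
        "clean": verify_ah(SHARED_KEY, hdr, ah, payload),
        "ttl_changed": verify_ah(SHARED_KEY, bytes(hdr_after_hop), ah, payload),
        "payload_tampered": verify_ah(SHARED_KEY, hdr, ah, payload[:-1] + b"X"),
        "wrong_key": verify_ah(b"\x01" * 20, hdr, ah, payload),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

The receiver never sees the key on the wire; it only learns that whoever built the AH held the same key, which is exactly the sender-identity and integrity assurance the text describes. Note that a different ICV is produced only for changes to authenticated bytes, so the TTL hop in case two is invisible to the check by design.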
In tunnel mode, IPSec
encloses, or encapsulates, the original IP datagram, including the
original IP header, within a second IP datagram. All of the original
IP datagram, including all fields of the original header, is authenticated.
In IPv6 AH tunnel mode, the packet layout is the same as IPv4
AH tunnel mode, except that the original and new (outer) IP headers
may include header extensions.