Course: CS125
Name: Daniel Meredith
Abstract Due Date: 02/16/00
Submit Date: 02/16/00
Journal Ref: RFC2402


In continuing with the theme of my abstracts this semester, I read another Request for Comments from my IETF working group. I have been following the IPsec working group this term and reading one of their RFCs per week. In last week's abstract I outlined and commented on ESP, the first of the two main protocols that will make IPsec secure. This week I will examine the second protocol, Authentication Header, or simply AH.

Authentication Header is a method of providing connectionless integrity and data origin authentication for IP datagrams. It can also implement protection against replayed packets, if selected in the Security Association negotiations between the two hosts or security gateways. One item that is noted up front in the RFC is that AH cannot protect all headers on a packet due to the fact that they may be altered by switches and routers in transit. Thus the protection provided to the IP header by AH is somewhat menial.

The header fields of AH are very similar to those of ESP. Most notably, the inclusion of both the Security Parameters Index (SPI) and the Sequence Number in both AH and ESP provides a method of redundant checking on both the validity of the Security Association for the session and the ordering of the packets. The AH header also includes a large space for the Integrity Check Value (ICV), which is basically a very complicated checksum. This field is one of the many areas that must be padded to meet a 32-bit or 64-bit multiple.
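The header layout and padding rule described above can be made concrete with a short sketch. This is an added example, not code from the RFC or from the author of this abstract; the field layout follows RFC 2402, the function names `build_ah` and `parse_ah` are hypothetical, and all SPI, sequence and ICV values are constructed.

```python
import struct
from dataclasses import dataclass

AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number

@dataclass
class AuthHeader:
    next_header: int
    spi: int
    seq: int
    icv: bytes  # Authentication Data field, including any padding

def build_ah(next_header, spi, seq, icv, ipv6=False):
    """Serialize an AH header, padding the ICV to a 32-bit (IPv4)
    or 64-bit (IPv6) multiple of the total header length."""
    align = 8 if ipv6 else 4
    pad = -(AH_FIXED_LEN + len(icv)) % align
    body = icv + b"\x00" * pad  # zero padding is a choice made for this sketch
    payload_len = (AH_FIXED_LEN + len(body)) // 4 - 2  # 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + body

def parse_ah(buf, ipv6=False):
    """Parse and sanity-check an AH header found at the start of buf."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = struct.unpack(
        "!BBHII", buf[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    if total < AH_FIXED_LEN or len(buf) < total:
        raise ValueError("Payload Len inconsistent with buffer")
    if ipv6 and total % 8:
        raise ValueError("IPv6 AH length must be a multiple of 64 bits")
    if reserved != 0:
        raise ValueError("Reserved field must be zero")
    if spi == 0:
        raise ValueError("SPI 0 must not appear on the wire")
    return AuthHeader(next_header, spi, seq, buf[AH_FIXED_LEN:total])

if __name__ == "__main__":
    # Constructed sample: 96-bit ICV, next header 6 (TCP), SPI 0x1000, seq 1.
    wire = build_ah(6, 0x1000, 1, bytes(12))
    print(len(wire), wire[1], parse_ah(wire))
```

A receiver would use the parsed SPI to look up the Security Association and the sequence number for the replay check before verifying the ICV.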

Like ESP, AH must be run in either transport mode or in tunnel mode. Tunnel mode is similar to the idea of IP tunneling, or running IP packets inside of IP packets. This mode is more secure due to the ability of ESP to encrypt the entire packet and then send it inside another packet. Unlike most of the IPsec headers, AH must be placed in the proper order in a packet, and if it is used in a Security Association all other IPsec headers must be placed in a certain order, with AH being the first.

One of the largest limitations of AH is its inability to handle fragmented packets. If a host or gateway receives a packet from a Security Association that is using AH and the packet is fragmented, the packet must be dropped. This could be a real issue on packets that move from networks with large maximum packet sizes to those with smaller maximum packet sizes. The use of AH in this type of transfer would make the entire transmission null and void. Therefore the system must implement some method in the determination of the Security Association to conclude whether or not the current transmission path will cause fragmentation of the packets. If this is the case, then AH must not be used in the Security Association. ESP is able to handle fragmentation quite well and would therefore be a better choice in this situation.

Basically, AH is a method of packing the Security Association, packet order, host origin and authentication data all into one header so that if the entire packet is then encrypted, the information for primary validation is available without decrypting the whole packet.