IPSec Question about ESP & AH
In the technotes here it states:

"IPSec can employ two main protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP), which can be used separately or in conjunction."

Then it goes on to say...

"AH provides integrity and data origin authentication of IP packets"

and

"ESP performs the same authentication and integrity operations as AH, but in addition provides confidentiality."

That doesn't make any sense to me. If ESP can do everything AH can do, then why would you use them in conjunction?

Which leads me to be even more confused when I see this:

"The two protocols and two modes allow for the following four main configurations:
- AH in Transport Mode – Provides integrity and data origin authentication for only the payload of an IP packet.
- AH in Tunnel Mode – Provides integrity and data origin authentication for the entire IP packet including the header.
- ESP in Transport Mode – Provides confidentiality for only the payload of an IP packet.
- ESP in Tunnel Mode – Provides confidentiality for the entire IP packet including the header."

In the available configurations there is not one where both AH and ESP are being used in conjunction. Does that mean the first quote is an error and that you can ONLY use one or the other but not both at the same time?

If someone could explain this better to me I'd appreciate it, thanks.
Comments

dynamik:
AH includes the packet headers while ESP only works with the payload.
You can use them in conjunction. I think that last quote just omits that because it's kind of redundant, since you would just have the features of both combined.

Turk:
dynamik wrote: »
AH includes the packet headers while ESP only works with the payload.
You can use them in conjunction. I think that last quote just omits that because it's kind of redundant, since you would just have the features of both combined.

Does ESP in Tunneling mode not include the header as well? It is the last mode on there.

dynamik:
I believe in tunneling mode the entire packet is encapsulated in another packet, so while that would cover the entire original packet, it would still only be the payload of the packet in transit.

Jim Hamilton:
OK, now I am confused too. I looked at the YouTube thing, and it is informative, but doesn't touch on ESP vs AH modes. But I agree with above: ESP in tunnel mode encapsulates the IP packet, and then another IP header encapsulates that. So it seems that, at least in tunnel mode, using AH in conjunction with ESP would be redundant. I looked up IPsec on Wiki (I know, not a great source), and it helped a bit, and added more confusion still. So I wonder, if you use AH and ESP, does that add a layer of encapsulation? An extra header?
argh

UnixGuy:
Jim Hamilton wrote: »
... So it seems that, at least in tunnel mode, using AH in conjunction with ESP would be redundant. I looked up IPsec on Wiki (I know, not a great source), and it helped a bit, and added more confusion still. So I wonder, if you use AH and ESP, does that add a layer of encapsulation? An extra header?
argh

"The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode)."
Source: http://www.ciscopress.com/articles/article.asp?p=25477

Turk:
UnixGuy wrote: »
"The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode)."
Source: http://www.ciscopress.com/articles/article.asp?p=25477

So Jim's and my thoughts are correct? You don't combine them; it is either/or?

UnixGuy:
Turk wrote: »
So Jim's and my thoughts are correct? You don't combine them; it is either/or?

No, the way I came to understand it, you do combine them, and AH in tunnel mode is just for authenticating the new resulting IP header.

dynamik:
UnixGuy wrote: »
No, the way I came to understand it, you do combine them, and AH in tunnel mode is just for authenticating the new resulting IP header.

That's my understanding as well.

Jim Hamilton:
OK, this should help. I found this link in the new Sybex book (arrived today); oddly, I couldn't find even a mention of IPsec in 750 pages of Applied Cryptography (otherwise a great ref.):
An Illustrated Guide to IPsec
This is the first of 2 papers; I haven't read the 2nd, but, in answer to the original question, AH and ESP can be combined, but it's uncommon according to this paper.
Interesting point made in this article: AH is completely incompatible with NAT/PAT, regardless of whether in transport or tunnel mode.

Met44:
If you had a legitimate reason to authenticate the outer IP header which justifies the additional overhead, then you would want to tack on AH. However, I can't think up a good scenario for that. I don't think you will see it in practice (unless someone either has a legitimate case or does not know the technology), but it's still good info to know.
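Added example, not from the thread, the Cisco Press article or the Illustrated Guide: the script below builds a minimal IPv4 packet by hand and wraps it in AH (RFC 4302) and ESP (RFC 4303), in transport and tunnel mode and with AH layered over ESP, computing the integrity check value over exactly the bytes each protocol covers. It then applies the edits a router (TTL decrement) and a NAT box (outer source address rewrite) make to the outer header and checks which ICVs survive. That puts numbers behind dynamik's point that the tunnelled packet is "only the payload of the packet in transit", the Cisco Press quote that ESP does not protect outer header fields, UnixGuy's remark that AH over ESP authenticates the new outer header, and Jim Hamilton's note that AH and NAT cannot coexist. Everything here is assumed or constructed for illustration: the addresses (documentation ranges), SPI, key, UDP datagram, the choice of HMAC-SHA256-128 (RFC 4868) as the integrity algorithm, the NULL cipher for ESP so the scope of authentication is the only variable, and the helper names (`ah_wrap`, `esp_wrap`, `rewrite_outer`, `scenarios`).

```python
"""AH vs ESP authentication coverage, and why NAT breaks AH (constructed example)."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key-not-for-real-use"     # made-up; never reuse
SPI, SEQ = 0x0000ABCD, 1                             # made-up SA parameters
ICV_LEN = 16                                         # HMAC-SHA256-128: 32-byte MAC truncated to 16
IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 17, 50, 51


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over a 20-byte header whose checksum field is zero."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options, DF set, checksum filled in."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                                ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1.1: AH zeroes the fields routers may change before computing the ICV.
    Source and destination addresses are NOT in this list, which is what NAT trips over."""
    h = bytearray(ip_hdr)
    h[1] = 0               # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"   # flags + fragment offset
    h[8] = 0               # TTL
    h[10:12] = b"\x00\x00" # header checksum
    return bytes(h)


def ah_wrap(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    """AH: ICV over (outer header, mutable fields zeroed) + AH header (ICV zeroed) + payload.
    With next_hdr=IPPROTO_IPIP and a whole inner packet as payload this is tunnel mode."""
    ah_len = 12 + ICV_LEN
    outer = ipv4_header(src, dst, IPPROTO_AH, ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, SPI, SEQ)  # Payload Len = words - 2
    mac = icv(zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + payload)
    return outer + ah_fixed + mac + payload


def verify_ah(pkt: bytes) -> bool:
    outer, ah_fixed, mac, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(mac, icv(zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + payload))


def esp_wrap(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    """ESP: ICV over SPI + sequence number + payload + trailer. The outer IP header is never covered.
    NULL cipher (payload left in the clear) so only the authentication scope differs from AH."""
    pad_len = (-(len(payload) + 2)) % 4                 # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))              # RFC 4303 default pad pattern 1, 2, 3, ...
    body = struct.pack("!II", SPI, SEQ) + payload + padding + bytes([pad_len, next_hdr])
    outer = ipv4_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN)
    return outer + body + icv(body)


def verify_esp(pkt: bytes) -> bool:
    return hmac.compare_digest(pkt[-ICV_LEN:], icv(pkt[20:-ICV_LEN]))


def rewrite_outer(pkt: bytes, src: str = None, dst: str = None, ttl_dec: int = 0) -> bytes:
    """The edits a router (TTL) or a NAT box (addresses) makes to the OUTER header; inner bytes untouched."""
    h = bytearray(pkt[:20])
    if src:
        h[12:16] = ipaddress.IPv4Address(src).packed
    if dst:
        h[16:20] = ipaddress.IPv4Address(dst).packed
    h[8] -= ttl_dec
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def tamper(pkt: bytes, offset: int) -> bytes:
    b = bytearray(pkt)
    b[offset] ^= 0x01
    return bytes(b)


def scenarios() -> dict:
    gw_a, gw_b, nat_ip = "198.51.100.1", "203.0.113.9", "192.0.2.77"    # constructed addresses
    udp = bytes.fromhex("13880035000c0000") + b"hi!\x00"                 # constructed UDP 5000 -> 53
    inner = ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_UDP, len(udp)) + udp
    ah_t, esp_t = ah_wrap(gw_a, gw_b, IPPROTO_UDP, udp), esp_wrap(gw_a, gw_b, IPPROTO_UDP, udp)
    ah_tun, esp_tun = ah_wrap(gw_a, gw_b, IPPROTO_IPIP, inner), esp_wrap(gw_a, gw_b, IPPROTO_IPIP, inner)
    both = ah_wrap(gw_a, gw_b, IPPROTO_ESP, esp_tun[20:])   # AH in conjunction with ESP: AH outside
    return {
        # a plain router hop only touches TTL/checksum, which AH treats as mutable
        "ah_after_router_hop": verify_ah(rewrite_outer(ah_tun, ttl_dec=1)),
        "esp_after_router_hop": verify_esp(rewrite_outer(esp_tun, ttl_dec=1)),
        # NAT rewrites the outer source: AH fails in both modes, ESP does not care in either
        "ah_transport_after_nat": verify_ah(rewrite_outer(ah_t, src=nat_ip, ttl_dec=1)),
        "ah_tunnel_after_nat": verify_ah(rewrite_outer(ah_tun, src=nat_ip, ttl_dec=1)),
        "esp_transport_after_nat": verify_esp(rewrite_outer(esp_t, src=nat_ip, ttl_dec=1)),
        "esp_tunnel_after_nat": verify_esp(rewrite_outer(esp_tun, src=nat_ip, ttl_dec=1)),
        # the flip side: ESP transport never notices a rewritten outer destination
        "esp_transport_outer_dst_rewritten": verify_esp(rewrite_outer(esp_t, dst="192.0.2.200")),
        # in tunnel mode the inner header sits inside the payload, so both protocols do cover it
        "esp_tunnel_inner_dst_tampered": verify_esp(tamper(esp_tun, 20 + 8 + 16)),
        "ah_tunnel_inner_dst_tampered": verify_ah(tamper(ah_tun, 20 + 12 + ICV_LEN + 16)),
        # AH over ESP: the outer AH is what binds the new outer header, and what NAT breaks
        "ah_over_esp_intact": verify_ah(both),
        "ah_over_esp_after_nat": verify_ah(rewrite_outer(both, src=nat_ip, ttl_dec=1)),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} {'ICV ok' if ok else 'ICV FAILS'}")
```

The output table reads straight off the thread's conclusions: TTL changes are fine for both protocols, a NAT address rewrite fails AH in transport and tunnel mode alike, ESP survives it because the outer header is outside its ICV, and tampering with the inner header of a tunnelled packet is caught by both, which is why "ESP in tunnel mode" covers the original header even though it covers nothing about the header in transit. The same fact explains why PAT cannot work on bare ESP either: the ports it would rewrite are inside the authenticated (and, with a real cipher, encrypted) body, which is the problem NAT traversal (UDP encapsulation of ESP, RFC 3948) exists to solve.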