IPSec Question about ESP & AH

Turk Member Posts: 9
In the technotes here it states
IPSec can employ two main protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP), which can be used separately or in conjunction.
Then it goes on to say...
AH provides integrity and data origin authentication of IP packets
and
ESP performs the same authentication and integrity operations as AH, but in addition provides confidentiality.
That doesn't make any sense to me. If ESP can do everything AH can do then why would you use them in conjunction?

Which leads me to be even more confused when I see this.
The two protocols and two modes allow for the following four main configurations:
- AH in Transport Mode – Provides integrity and data origin authentication for only the payload of an IP packet.
- AH in Tunnel Mode – Provides integrity and data origin authentication for the entire IP packet including the header.
- ESP in Transport Mode – Provides confidentiality for only the payload of an IP packet.
- ESP in Tunnel Mode – Provides confidentiality for the entire IP packet including the header.
In the available configurations there is not one where both AH and ESP are being used in conjunction. Does that mean the first quote is an error and that you can ONLY use one or the other but not both at the same time?

If someone could explain this better to me I'd appreciate it, thanks.

Comments

  • dynamik Banned Posts: 12,312
    AH includes the packet headers while ESP only works with the payload.

    You can use them in conjunction. I think that last quote just omits that because it's kind of redundant, since you would just have the features of both combined.
  • Turk Member Posts: 9
    dynamik wrote: »
    AH includes the packet headers while ESP only works with the payload.

    You can use them in conjunction. I think that last quote just omits that because it's kind of redundant, since you would just have the features of both combined.

    Does ESP in Tunneling mode not include the header as well? It is the last mode on there.
  • dynamik Banned Posts: 12,312
    I believe in tunneling mode, the entire packet is encapsulated in another packet, so while that would include the entire original packet, it would still only be the payload of the packet in transit.
  • TravR1 Member Posts: 332
    Here is a visual for you I found on YouTube.

    YouTube - Understanding IPSEC
    Austin Community College, certificate of completion: C++ Programming.
    Sophomore - Computer Science, Mathematics
  • Jim Hamilton Member Posts: 4
    OK, now I am confused too. I looked at the YouTube thing, and it is informative, but doesn't touch on ESP vs AH modes. But I agree with above, ESP in tunnel mode encapsulates the IP packet, and then another IP header encapsulates that. So, it seems that at least in tunnel mode, using AH in conjunction with ESP would be redundant. I looked up IPsec on wiki, I know, not a great source, and it helped a bit, and added more confusion still. So I wonder, if you use AH and ESP, does that add a layer of encapsulation? An extra header?
    argh
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,426
    Jim Hamilton wrote: »
    ... So, it seems that at least in tunnel mode, using AH in conjunction with ESP would be redundant. I looked up IPsec on wiki, I know, not a great source, and it helped a bit, and added more confusion still. So I wonder, if you use AH and ESP, does that add a layer of encapsulation? An extra header?
    argh

    "The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode)."

    Source:
    http://www.ciscopress.com/articles/article.asp?p=25477
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube Channel!

  • Turk Member Posts: 9
    UnixGuy wrote: »
    "The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode)."

    Source:
    http://www.ciscopress.com/articles/article.asp?p=25477

    So my and Jim's thoughts are correct? You don't combine them, it is either/or?
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,426
    Turk wrote: »
    So my and Jim's thoughts are correct? You don't combine them, it is either/or?

    No, from what I came to understand, you do combine them, and AH in tunnel mode is just for authenticating the new resulting IP header.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Check out my YouTube Channel!

  • dynamik Banned Posts: 12,312
    UnixGuy wrote: »
    No, from what I came to understand, you do combine them, and AH in tunnel mode is just for authenticating the new resulting IP header.

    That's my understanding as well.
  • Jim Hamilton Member Posts: 4
    OK, this should help. I found this link in the new Sybex book (arrived today); oddly, I couldn't find even a mention of IPsec in 750 pages of Applied Cryptography (otherwise a great ref.).

    An Illustrated Guide to IPsec

    This is the first of 2 papers; I haven't read the 2nd, but, in answer to the original question, AH and ESP can be combined, but it's uncommon according to this paper.

    Interesting point made in this article: AH is completely incompatible with NAT/PAT, regardless of whether in transport or tunnel mode.
  • Met44 Member Posts: 194
    If you had a legitimate reason to authenticate the outer IP header which justifies the additional overhead, then you would want to tack on AH. However, I can't think up a good scenario for that. I don't think you will see it in practice (unless someone either has a legitimate case or does not know the technology), but it's still good info to know.
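The coverage question running through this thread (which bytes each protocol authenticates, why ESP tunnel mode leaves the outer header unprotected, why AH breaks under NAT, and what stacking AH on top of ESP adds) is easier to see in a runnable model. The following is an added illustration, not code from the thread or from any of the linked sources: it is a constructed toy, not a real IPsec implementation. The cipher is a placeholder XOR, only the address fields of the IP header are modelled, and the key, addresses and payload are made-up values.

```python
# Toy model of what AH and ESP each authenticate in IPsec tunnel mode.
# Constructed illustration, not a real IPsec implementation: the "cipher" is a
# placeholder XOR and only the address fields of the IP header are modelled.
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # shared SA key (constructed value)


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: bytes  # everything after the IP header


def header_bytes(pkt: IPPacket) -> bytes:
    # AH's ICV covers the immutable header fields, and the addresses are among
    # them, which is exactly why a NAT rewrite breaks AH. Mutable fields (TTL,
    # checksum) are zeroed by real AH before hashing and are not modelled here.
    return f"{pkt.src}>{pkt.dst}".encode()


def icv(data: bytes) -> bytes:
    # Integrity Check Value: an HMAC over whatever the protocol covers.
    return hmac.new(KEY, data, hashlib.sha256).digest()


def toy_cipher(data: bytes) -> bytes:
    # Placeholder for a real symmetric cipher; XOR is its own inverse.
    return bytes(b ^ 0x5A for b in data)


def encapsulate(inner: IPPacket) -> bytes:
    # The whole original packet (header + payload) becomes the tunnel payload.
    return header_bytes(inner) + b"|" + inner.payload


def esp_tunnel(inner: IPPacket, gw_src: str, gw_dst: str) -> dict:
    """ESP tunnel mode: the entire inner packet becomes ciphertext and the ESP
    ICV covers only that ESP payload, never the new outer IP header."""
    ct = toy_cipher(encapsulate(inner))
    return {"outer": IPPacket(gw_src, gw_dst, ct), "esp_icv": icv(ct)}


def ah_tunnel(inner: IPPacket, gw_src: str, gw_dst: str) -> dict:
    """AH tunnel mode: no confidentiality, but the AH ICV covers the outer
    header's immutable fields plus the entire encapsulated inner packet."""
    outer = IPPacket(gw_src, gw_dst, encapsulate(inner))
    return {"outer": outer, "ah_icv": icv(header_bytes(outer) + outer.payload)}


def add_ah(esp_pkt: dict) -> dict:
    """AH applied on top of an ESP tunnel packet (the 'in conjunction' case):
    the AH ICV now also binds the outer header that ESP left unprotected."""
    o = esp_pkt["outer"]
    return {**esp_pkt, "ah_icv": icv(header_bytes(o) + o.payload + esp_pkt["esp_icv"])}


def esp_verify(p: dict) -> bool:
    return hmac.compare_digest(p["esp_icv"], icv(p["outer"].payload))


def ah_verify(p: dict) -> bool:
    o = p["outer"]
    covered = header_bytes(o) + o.payload + p.get("esp_icv", b"")
    return hmac.compare_digest(p["ah_icv"], icv(covered))


def esp_open(p: dict) -> IPPacket:
    """Decapsulate an ESP tunnel packet back into the original inner packet."""
    hdr, payload = toy_cipher(p["outer"].payload).split(b"|", 1)
    src, dst = hdr.decode().split(">")
    return IPPacket(src, dst, payload)


def nat_rewrite(p: dict, new_src: str) -> dict:
    """A NAT device between the gateways rewrites the outer source address."""
    return {**p, "outer": replace(p["outer"], src=new_src)}


if __name__ == "__main__":
    inner = IPPacket("10.0.0.5", "10.1.0.7", b"hello from the LAN")
    esp = esp_tunnel(inner, "203.0.113.1", "198.51.100.1")
    ah = ah_tunnel(inner, "203.0.113.1", "198.51.100.1")
    print("ESP tunnel after NAT still verifies:", esp_verify(nat_rewrite(esp, "192.0.2.9")))
    print("AH tunnel after NAT still verifies: ", ah_verify(nat_rewrite(ah, "192.0.2.9")))
    print("ESP+AH: AH detects the outer rewrite:", not ah_verify(nat_rewrite(add_ah(esp), "192.0.2.9")))
```

Running it shows the three points the thread converges on: the ESP ICV survives a rewrite of the outer header because it never covered it, the AH ICV does not (so AH fails behind NAT in either mode), and stacking AH on an ESP tunnel buys exactly one thing, authentication of the new outer header, at the cost of a second header and ICV.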