IPSec Question about ESP & AH

In the technotes here it states

[SIZE=-1]IPSec can employ two protocols main protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP), which can be used separately or in conjunction. [/SIZE]

Then it goes on to say...

[SIZE=-1]AH provides integrity and data origin authentication of IP packets[/SIZE]

and

[SIZE=-1]ESP performs the same authentication and integrity operations as AH, but in addition provides confidentiality.[/SIZE]

That doesn't make any sense to me. If ESP can do everything AH can do then why would you use them in conjunction?

Which leads me to be even more confused when I see this.

[SIZE=-1]The two protocols and two modes allow for the following four main configurations:[/SIZE]
[SIZE=-1]- AH in Transport Mode – Provides integrity and data origin authentication for only the payload of an IP packet.
[/SIZE][SIZE=-1]- AH in Tunnel Mode – Provides integrity and data origin authentication for the entire IP packet including the header.
[/SIZE][SIZE=-1] - ESP in Transport Mode – Provides confidentiality for only the payload of an IP packet.
[/SIZE][SIZE=-1] - ESP in Tunnel Mode – Provides confidentiality for the entire IP packet including the header.[/SIZE]

In the available configurations there is not one where both AH and ESP are being used in conjunction. Does that mean the first quote is an error and that you can ONLY use one or the other but not both at the same time?

If someone could explain this better to me I'd appreciate it, thanks.

Find more posts tagged with

Comments

dynamik

AH includes the packet headers while ESP only works with the payload.

You can use them in conjunction. I think that lost quote just omits that because its kind of redundant since you would just have the features of both combined.

Turk

dynamik wrote: »

AH includes the packet headers while ESP only works with the payload.

You can use them in conjunction. I think that lost quote just omits that because its kind of redundant since you would just have the features of both combined.

Does ESP in Tunneling mode not include the header as well? It is the last mode on there.

dynamik

I believe in tunneling mode, the entire packet is encapsulated in another packet, so while that would the entire original packet, it would still only be the payload of the packet in transit.

TravR1

Here is a visual for you I found on youtube.

YouTube - Understanding IPSEC

Jim Hamilton

ok, now i am confused too. I looked at the utube thing, and it is informative, but doesnt touch on ESP vs AH modes. But i agree with above, ESP in tunnel mode encapsulates the ip packet, and then another ip header encapsulates that. So, it seems that at least in tunnel mode, using AH in conjunction with ESP would be redundant. I looked up IPsec on wiki, i know, not a great source, and it helped a bit, and added more confusion still. So i wonder, if you use AH and ESP, does that add a layer of encapsulation? an extra header?
argh

UnixGuy

Jim Hamilton wrote: »

... So, it seems that at least in tunnel mode, using AH in conjunction with ESP would be redundant. I looked up IPsec on wiki, i know, not a great source, and it helped a bit, and added more confusion still. So i wonder, if you use AH and ESP, does that add a layer of encapsulation? an extra header?
argh

"The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode)."

Source:
http://www.ciscopress.com/articles/article.asp?p=25477

Turk

UnixGuy wrote: »

"The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode)."

Source:
http://www.ciscopress.com/articles/article.asp?p=25477

So me and Jim's thoughts are correct? You don't combine them, it is either or?

UnixGuy

Turk wrote: »

So me and Jim's thoughts are correct? You don't combine them, it is either or?

no what I came to understand it, you do combine them, and the AH in tunnel mode is just for authenticating the new result IP Header.

dynamik

UnixGuy wrote: »

no what I came to understand it, you do combine them, and the AH in tunnel mode is just for authenticating the new result IP Header.

That's my understanding as well.

Jim Hamilton

ok, this should help, i found this link in the new Sybex book(arrived today), oddly couldnt find even a mention of IPsec in 750 pages of Applied Cryptography(otherwise a great ref.)

An Illustrated Guide to IPsec

this is the first of 2 papers, havent read the 2nd, but, in answer to the original question, AH and ESP can be combined, but its uncommon according to this paper.

Interesting point made in this article: AH is completely incompatible with NAT/PAT, regardless of whether in transport or tunnel mode.

Met44

If you had a legitimate reason to authenticate the outer IP header which justifies the additional overhead, then you would want to tack on AH. However, I can't think up a good scenario for that. I don't think you will see it in practice (unless someone either has a legitimate case or does not know the technology), but it's still good info to know.