IPsec : Why do you combine ESP & AH ?

Rens- · October 2012

Hi there,

AH ensures authentication & integrity. ESP ensures the same with encryption.

In this case, why do you mix ESP & AH if ESP does the same than AH ?

Thanks in advance,

spd3432 · October 2012

AH ensures authentication & integrity.

-- True

ESP ensures the same with encryption.

-- False

ESP can ensure the authentication and integrity but alone only encrypts the IP data packet ensuring confidentiality.

cyberguypr · October 2012

ESP provides confidentiality, which AH does not provide.

Rens- · October 2012

Hi spd3432 !

Thank you for your quick reply.

ESP can ensure the authentication and integrity but alone only encrypts the IP data packet ensuring confidentiality.

Ok but what can be the advantage to mix AH & ESP ? AH authentication & integrity "method" is better than ESP ?

QHalo · October 2012

cyberguypr gave you the answer more or less. AH doesn't have the ability to provide confidentiality. So when the packet is encapsulated, it looks like this.

([AH]{ESP header}|data|{ESP Trailer}{ESP Auth}) = Packet

There's more in there but that's the basic gist of it.

http://www.tcpipguide.com/free/t_IPSecAuthenticationHeaderAH.htm

This should help you.

IPsec : Why do you combine ESP & AH ?

Comments