  1. Junior Member
    Join Date
    Jan 2009
    Posts
    10
    #1

    Default IPSec Question about ESP & AH

    In the technotes here it states

    IPSec can employ two main protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP), which can be used separately or in conjunction.
    Then it goes on to say...

    AH provides integrity and data origin authentication of IP packets
    and

    ESP performs the same authentication and integrity operations as AH, but in addition provides confidentiality.
    That doesn't make any sense to me. If ESP can do everything AH can do then why would you use them in conjunction?

    Which leads me to be even more confused when I see this.

    The two protocols and two modes allow for the following four main configurations:
    - AH in Transport Mode – Provides integrity and data origin authentication for only the payload of an IP packet.
    - AH in Tunnel Mode – Provides integrity and data origin authentication for the entire IP packet including the header.
    - ESP in Transport Mode – Provides confidentiality for only the payload of an IP packet.
    - ESP in Tunnel Mode – Provides confidentiality for the entire IP packet including the header.
    In the available configurations there is not one where both AH and ESP are being used in conjunction. Does that mean the first quote is an error and that you can ONLY use one or the other but not both at the same time?

    If someone could explain this better to me I'd appreciate it, thanks.

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    AH includes the packet headers while ESP only works with the payload.

    You can use them in conjunction. I think that last quote just omits that because it's kind of redundant, since you would just have the features of both combined.

  4. Junior Member
    Join Date
    Jan 2009
    Posts
    10
    #3
    Quote Originally Posted by dynamik
    AH includes the packet headers while ESP only works with the payload.

    You can use them in conjunction. I think that last quote just omits that because it's kind of redundant, since you would just have the features of both combined.
    Does ESP in Tunneling mode not include the header as well? It is the last mode on there.

  5. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #4
    I believe in tunneling mode, the entire packet is encapsulated in another packet, so while that would include the entire original packet, it would still only be the payload of the packet in transit.

  6. ITDufas TravR1's Avatar
    Join Date
    Jun 2008
    Location
    Austin, TX
    Posts
    331

    Certifications
    A+ Net+ Security+ Server+
    #5
    Here is a visual for you I found on YouTube.

    YouTube - Understanding IPSEC

  7. Junior Member
    Join Date
    Feb 2009
    Location
    Asheville, NC
    Posts
    4

    Certifications
    CCNA
    #6
    OK, now I am confused too. I looked at the YouTube thing, and it is informative, but doesn't touch on ESP vs AH modes. But I agree with the above: ESP in tunnel mode encapsulates the IP packet, and then another IP header encapsulates that. So, it seems that at least in tunnel mode, using AH in conjunction with ESP would be redundant. I looked up IPsec on wiki (I know, not a great source), and it helped a bit, and added more confusion still. So I wonder, if you use AH and ESP, does that add a layer of encapsulation? An extra header?
    argh

  8. Are we having fun yet? UnixGuy's Avatar
    Join Date
    Mar 2008
    Posts
    3,327

    Certifications
    GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #7
    Quote Originally Posted by Jim Hamilton
    ... So, it seems that at least in tunnel mode, using AH in conjunction with ESP would be redundant. I looked up IPsec on wiki (I know, not a great source), and it helped a bit, and added more confusion still. So I wonder, if you use AH and ESP, does that add a layer of encapsulation? An extra header?
    argh


    "The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode)."

    Source:
    http://www.ciscopress.com/articles/article.asp?p=25477
    Goal: GCFA (DONE), GPEN

  9. Junior Member
    Join Date
    Jan 2009
    Posts
    10
    #8
    Quote Originally Posted by UnixGuy
    "The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode)."

    Source:
    http://www.ciscopress.com/articles/article.asp?p=25477

    So Jim's and my thoughts are correct? You don't combine them, it is either/or?

  10. Are we having fun yet? UnixGuy's Avatar
    Join Date
    Mar 2008
    Posts
    3,327

    Certifications
    GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #9
    Quote Originally Posted by Turk
    So Jim's and my thoughts are correct? You don't combine them, it is either/or?
    No, from what I came to understand, you do combine them, and AH in tunnel mode is just for authenticating the new resulting IP header.
    Goal: GCFA (DONE), GPEN

  11. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #10
    Quote Originally Posted by UnixGuy
    No, from what I came to understand, you do combine them, and AH in tunnel mode is just for authenticating the new resulting IP header.
    That's my understanding as well.

  12. Junior Member
    Join Date
    Feb 2009
    Location
    Asheville, NC
    Posts
    4

    Certifications
    CCNA
    #11
    OK, this should help. I found this link in the new Sybex book (arrived today); oddly, I couldn't find even a mention of IPsec in 750 pages of Applied Cryptography (otherwise a great ref.).

    An Illustrated Guide to IPsec

    This is the first of 2 papers; I haven't read the 2nd, but, in answer to the original question, AH and ESP can be combined, but it's uncommon according to this paper.

    Interesting point made in this article: AH is completely incompatible with NAT/PAT, regardless of whether in transport or tunnel mode.

  13. Senior Member
    Join Date
    May 2006
    Posts
    195
    #12
    If you had a legitimate reason to authenticate the outer IP header which justifies the additional overhead, then you would want to tack on AH. However, I can't think up a good scenario for that. I don't think you will see it in practice (unless someone either has a legitimate case or does not know the technology), but it's still good info to know.
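The four configurations listed in the original post, the AH-over-ESP combination discussed in posts #9 and #12, and the NAT incompatibility noted in post #11, modelled as an added Python example (not code from the thread or from any linked article). The key, the addresses and the XOR "cipher" are constructed stand-ins, and the model tracks only which bytes each integrity check value covers, not NAT-T or transport checksums.

```python
import hmac, hashlib, re

KEY = b"constructed demo key"   # constructed stand-in for the SA integrity key, not a real key
ORIG = {"ip": "src=10.0.0.5 dst=10.0.1.9", "data": b"GET / HTTP/1.1"}  # constructed inner packet
OUTER_IP = "src=203.0.113.1 dst=198.51.100.7"   # constructed gateway addresses for tunnel mode

def icv(*parts):
    """96-bit truncated HMAC-SHA256, the shape of a real AH/ESP integrity check value."""
    msg = b"".join(p if isinstance(p, bytes) else p.encode() for p in parts)
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:12]

def toy_encrypt(data):
    # Constructed XOR stand-in for the ESP cipher; only the packet structure matters here.
    return bytes(b ^ 0x5A for b in data)

def protect(pkt, use_esp, use_ah, tunnel):
    """Apply ESP and/or AH in transport or tunnel mode; returns the packet as it goes on the wire."""
    out = {"ip": pkt["ip"], "data": pkt["data"]}
    if tunnel:   # tunnel mode: the original packet, header included, becomes the payload of a new one
        out = {"ip": OUTER_IP, "data": pkt["ip"].encode() + b"|" + pkt["data"]}
    if use_esp:  # ESP encrypts the payload; its ICV covers the ESP data only, never the outer IP header
        out["data"] = toy_encrypt(out["data"])
        out["esp_icv"] = icv(out["data"])
    if use_ah:   # AH's ICV spans the immutable IP header fields (the addresses) AND everything after them,
        out["ah_icv"] = icv(out["ip"], out["data"])   # so AH over ESP authenticates the outer header too
    return out

def verify(pkt):
    """Receiver-side check: True only if every ICV present still matches the bytes received."""
    ok = True
    if "ah_icv" in pkt:
        ok &= hmac.compare_digest(pkt["ah_icv"], icv(pkt["ip"], pkt["data"]))
    if "esp_icv" in pkt:
        ok &= hmac.compare_digest(pkt["esp_icv"], icv(pkt["data"]))
    return ok

def nat(pkt):
    """Simulate a NAT device rewriting the outermost source address while the packet is in transit."""
    return {**pkt, "ip": re.sub(r"src=\S+", "src=192.0.2.1", pkt["ip"])}

def survives_nat(use_esp, use_ah, tunnel):
    return verify(nat(protect(ORIG, use_esp, use_ah, tunnel)))

def payload_visible(use_esp, use_ah, tunnel):
    return ORIG["data"] in protect(ORIG, use_esp, use_ah, tunnel)["data"]

if __name__ == "__main__":
    for esp, ah, tun in [(0, 1, 0), (0, 1, 1), (1, 0, 0), (1, 0, 1), (1, 1, 1)]:
        name = ("ESP+AH" if esp and ah else "ESP" if esp else "AH") + (" tunnel" if tun else " transport")
        print(f"{name:16} payload readable={payload_visible(esp, ah, tun)!s:5} survives NAT={survives_nat(esp, ah, tun)}")
```

Running it shows AH failing verification after NAT in both modes, ESP surviving in both, and the ESP+AH combination failing only because AH covers the outer header that NAT rewrote.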
