What is Authentication Header (AH) format?


Authentication Header (AH) provides integrity and data-origin authentication for IP datagrams, and optionally protection against replay. It provides no confidentiality: the payload travels in the clear. The services are connectionless, which means they are applied on a per-packet basis, with no state beyond the security association (SA) shared by sender and receiver.

AH is used in two modes as follows −

  • Transport mode
  • Tunnel mode

AH authenticates the entire IP datagram, including the IP header. In transport mode, however, some fields in the IP header are changed en route (for example by every router that forwards the packet), so their value at the receiver cannot be predicted by the sender. These fields are called mutable, and they are not protected by AH: they are set to zero when the Integrity Check Value (ICV) is computed.

Mutable IPv4 fields

The mutable IPv4 fields are as follows −

  • Type of service (TOS)
  • Flags
  • Fragment offset
  • Time to live (TTL)
  • Header checksum

To protect these fields, tunnel mode must be used: the original packet, header included, becomes the payload of a new IP packet and is covered in full by the ICV, so only the mutable fields of the outer header remain unprotected. The payload of the IP packet is always considered immutable and is always protected by AH.

  • AH processing is applied only to unfragmented IP packets; an IP packet that already carries AH may, however, be fragmented by intermediate routers.

  • In that case the destination first reassembles the packet and then applies AH processing to it.

  • If an IP packet that appears to be a fragment (non-zero fragment offset, or the More Fragments flag set) is input to AH processing, it is discarded.

  • This defeats the overlapping fragment attack, which abuses the fragment reassembly algorithm to build forged packets and push them through a firewall.

  • Packets that fail authentication are discarded and never delivered to the upper layers.

  • This mode of operation limits the impact of denial-of-service attempts against the upper-layer protocols, although the receiver still spends one HMAC computation on every forged packet before discarding it.

AH format

The AH format is described in RFC 2402 (since superseded by RFC 4302, which keeps the same on-the-wire header layout). The header is inserted after the IP header, whose protocol field is set to 51, and before the upper-layer protocol header in transport mode or before the encapsulated inner IP packet in tunnel mode.

The fields are as follows −

Next header

It is an 8-bit field that identifies the type of header that follows the AH. Its value is taken from the same number space as the IP protocol field: the protocol field of the IP header is set to 51 (AH), and the value that would otherwise have gone in the protocol field (for example 6 for TCP, 17 for UDP, or 4 for an encapsulated IPv4 packet in tunnel mode) goes in the AH next header field instead.

Payload length

It is an 8-bit field containing the length of the AH expressed in 32-bit words, minus 2. Despite its name it does not relate to the actual payload length of the IP packet. With the default algorithms (HMAC-MD5-96 or HMAC-SHA-1-96, each producing a 96-bit ICV) the value is 4: three 32-bit fixed words plus three 32-bit words of authentication data, minus two.

Reserved

It is reserved for future use. The field is 16 bits long and is set to zero on transmission, but it is still covered by the ICV computation.

Security parameter index (SPI)

It is 32 bits in length. Together with the destination IP address and the security protocol (AH), it identifies the security association for the packet, which tells the receiver which algorithm and key to use for verification. The values 1 through 255 are reserved by IANA, and the value 0 is reserved for local, implementation-specific use and must never be sent on the wire.

Sequence number

This 32-bit field is a monotonically increasing counter used for replay protection. The field itself is always present and the sender always increments it; what is optional is the anti-replay service, which the receiver may choose to enable or not. The sender's counter is initialized to zero when the SA is established, so the first packet transmitted using the SA has a sequence number of 1. Sequence numbers are not allowed to repeat: the counter must not cycle, so before it would wrap after 2^32 packets the SA must be torn down and a new one negotiated with a new key, since a repeated value would be indistinguishable from a replay.
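As an added example (not code from the original article), the two sides of the sequence number field: a sender counter that starts at zero, hands out 1 first and refuses to wrap, and a receiver-side sliding-window anti-replay check of the kind RFC 2402 section 3.4.3 describes. The window size of 64 (the RFC's preferred default; 32 is the minimum) and the class names are my assumptions.

```python
class SequenceCounter:
    """Sender side: the per-SA counter behind the AH sequence number field."""

    def __init__(self) -> None:
        self.value = 0  # initialized to 0 when the SA is set up, so the first packet carries 1

    def next(self) -> int:
        if self.value == 0xFFFFFFFF:
            # The counter must not cycle: a repeated value is indistinguishable from a replay.
            raise OverflowError("sequence space exhausted: negotiate a new SA and key")
        self.value += 1
        return self.value


class AntiReplayWindow:
    """Receiver side: sliding bitmap window over sequence numbers (RFC 2402 section 3.4.3 style).
    Call check() only after the packet's ICV has verified, so forged packets cannot move the window."""

    def __init__(self, size: int = 64) -> None:  # 64 is the RFC's preferred default (assumed here)
        self.size = size
        self.highest = 0  # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0   # bit i set means sequence number (highest - i) has already been seen

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window; False if it must be dropped."""
        if seq == 0:
            return False                          # a sender never emits 0
        if seq > self.highest:                    # new right edge: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                          # left of the window: too old to judge, drop
        if (self.bitmap >> offset) & 1:
            return False                          # inside the window but already seen: replay
        self.bitmap |= 1 << offset                # late but legitimate out-of-order packet
        return True


if __name__ == "__main__":
    counter, window = SequenceCounter(), AntiReplayWindow()
    for _ in range(5):
        print(counter.next(), window.check(counter.value))  # 1..5 are all accepted
    print("replay of 3:", window.check(3))                  # False
    print("jump to 70:", window.check(70))                  # True; window now covers 7..70
    print("late 5:", window.check(5))                       # False, fell out of the window
    print("late 10:", window.check(10), window.check(10))   # True, then False
```

The window is only advanced after a successful ICV check; if it were updated first, an attacker could send packets with huge sequence numbers and push legitimate traffic out of the window without knowing the key.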

Authentication data

This is a variable-length field containing the Integrity Check Value (ICV) for the packet, computed over the IP header with its mutable fields zeroed, the AH itself with this field zeroed, and the payload. Its length must be a multiple of 32 bits for IPv4 or 64 bits for IPv6; if the algorithm output is shorter, explicit padding is appended to reach that length. With HMAC-SHA-1-96 the ICV is 96 bits (12 bytes) and needs no padding.
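The following Python program is an added example, not code from the original article, that ties the mutable-field rule and the header layout above together: it builds a transport-mode IPv4 packet carrying AH, computes the ICV with HMAC-SHA-1-96 over the datagram with the mutable fields zeroed and the ICV field zeroed, parses the AH fields back out, and verifies the packet on the receiving side, including after a simulated router hop that changes the TTL and header checksum. The key, addresses and payload are constructed sample values, the IP header is assumed to carry no options, and the helper names are mine.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51   # IP protocol number carried in the IPv4 header when AH is present
ICV_LEN = 12       # HMAC-SHA-1-96: the 20-byte SHA-1 HMAC truncated to 96 bits
AH_FIXED_LEN = 12  # next header, payload length, reserved, SPI, sequence number


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field set to zero by the caller)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DF set, correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Zero the mutable IPv4 fields (TOS, flags, fragment offset, TTL, checksum) before computing the ICV.
    Assumes a header without options; options would need per-option mutable/immutable handling."""
    h = bytearray(ip_hdr)
    h[1] = 0                # type of service
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # time to live
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_without_icv: bytes, payload: bytes) -> bytes:
    """ICV = HMAC-SHA-1-96 over (IP header, mutable fields zeroed || AH with ICV zeroed || payload)."""
    to_auth = zero_mutable_fields(ip_hdr) + ah_without_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, to_auth, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, next_header: int, payload: bytes,
                    spi: int, seq: int, ttl: int = 64) -> bytes:
    """Transport-mode AH: IP header (protocol 51) || AH || original upper-layer payload."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = build_ipv4_header(src, dst, AH_PROTOCOL, 20 + ah_len + len(payload), ttl)
    payload_len_field = ah_len // 4 - 2  # 24 bytes = 6 words, minus 2 -> 4
    ah_without_icv = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    return ip_hdr + ah_without_icv + compute_icv(key, ip_hdr, ah_without_icv, payload) + payload


def parse_ah(packet: bytes) -> dict:
    """Split an AH packet into its fields; the AH sits right after the IPv4 header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != AH_PROTOCOL:
        raise ValueError("IP protocol field is not 51 (AH)")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", packet[ihl:ihl + AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4  # invert the "32-bit words minus 2" encoding
    return {
        "next_header": next_header, "payload_len": payload_len, "reserved": reserved, "spi": spi, "seq": seq,
        "icv": packet[ihl + AH_FIXED_LEN:ihl + ah_len], "payload": packet[ihl + ah_len:],
        "ip_hdr": packet[:ihl], "ah_without_icv": packet[ihl:ihl + AH_FIXED_LEN],
    }


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Receiver side: discard fragments outright, then compare the recomputed ICV in constant time."""
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:  # MF set or non-zero offset: a fragment, never verified
        return False
    f = parse_ah(packet)
    if len(f["icv"]) != ICV_LEN:
        return False
    expected = compute_icv(key, f["ip_hdr"], f["ah_without_icv"], f["payload"])
    return hmac.compare_digest(expected, f["icv"])


def forward_hop(packet: bytes) -> bytes:
    """Simulate a router: decrement TTL and recompute the checksum (both mutable, so the ICV still holds)."""
    p = bytearray(packet)
    ihl = (p[0] & 0x0F) * 4
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ipv4_checksum(bytes(p[:ihl])))
    return bytes(p)


# Constructed sample values (not a real key or real hosts): a 20-byte HMAC key and two private addresses.
KEY = b"0123456789abcdef0123"
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

if __name__ == "__main__":
    pkt = build_ah_packet(KEY, SRC, DST, next_header=17, payload=b"hello", spi=0x100, seq=1)
    print(parse_ah(pkt))
    print("original verifies:", verify_ah_packet(KEY, pkt))
    print("after a router hop:", verify_ah_packet(KEY, forward_hop(pkt)))
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01
    print("tampered payload:", verify_ah_packet(KEY, bytes(tampered)))
```

Two things worth noticing when running it: the packet still verifies after the TTL and checksum have changed, because both are zeroed before the HMAC is taken, while a single flipped payload bit, a wrong key, or a fragment flag set in the header all cause the receiver to drop the packet.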

Updated on: 13-Sep-2021
