RFC 2402 (rfc2402) - Page 2 of 22

IP Authentication Header

Alternative Format: Original Text Document
< Previous
Next >
RFC 2402                IP Authentication Header           November 1998


              3.3.3.2.2  Implicit Packet Padding......................12
        3.3.4  Fragmentation..........................................12
     3.4  Inbound Packet Processing...................................13
        3.4.1  Reassembly.............................................13
        3.4.2  Security Association Lookup............................13
        3.4.3  Sequence Number Verification...........................13
        3.4.4  Integrity Check Value Verification.....................15
  4. Auditing.........................................................15
  5. Conformance Requirements.........................................16
  6. Security Considerations..........................................16
  7. Differences from RFC 1826........................................16
  Acknowledgements....................................................17
  Appendix A -- Mutability of IP Options/Extension Headers............18
     A1. IPv4 Options.................................................18
     A2. IPv6 Extension Headers.......................................19
  References..........................................................20
  Disclaimer..........................................................21
  Author Information..................................................22
  Full Copyright Statement............................................22

1.  Introduction

   The IP Authentication Header (AH) is used to provide connectionless
   integrity and data origin authentication for IP datagrams (hereafter
   referred to as just "authentication"), and to provide protection
   against replays.  This latter, optional service may be selected, by
   the receiver, when a Security Association is established. (Although
   the default calls for the sender to increment the Sequence Number
   used for anti-replay, the service is effective only if the receiver
   checks the Sequence Number.)  AH provides authentication for as much
   of the IP header as possible, as well as for upper level protocol
   data.  However, some IP header fields may change in transit and the
   value of these fields, when the packet arrives at the receiver, may
   not be predictable by the sender.  The values of such fields cannot
   be protected by AH.  Thus the protection provided to the IP header by
   AH is somewhat piecemeal.

   AH may be applied alone, in combination with the IP Encapsulating
   Security Payload (ESP) [KA97b], or in a nested fashion through the
   use of tunnel mode (see "Security Architecture for the Internet
   Protocol" [KA97a], hereafter referred to as the Security Architecture
   document).  Security services can be provided between a pair of
   communicating hosts, between a pair of communicating security
   gateways, or between a security gateway and a host.  ESP may be used
   to provide the same security services, and it also provides a
   confidentiality (encryption) service.  The primary difference between
   the authentication provided by ESP and AH is the extent of the
   coverage.  Specifically, ESP does not protect any IP header fields



Kent & Atkinson             Standards Track
< Previous
Next >