[Next header code] [header length] [reserved]
[ security parameters index ]
[ sequence number ]
[ authentication data (message digest) ]

Next header code:
Code for what follows this header. Every extension header (EH) has a code type.
Header length:
Reserved:
Self-explanatory.

Sequence number:
Each AH gets a new sequence number. This prevents replay attacks (where a packet is captured and resent).

SPI (security parameters index):
This is a pointer to the hash algorithm being used, from a list of negotiated hash algorithms. It makes the packet harder to crack if the hash algorithm is unpredictable.

Authentication Data (message digest):
Guarantees integrity and authentication of the packet. It is computed by the sender and verified by the receiver.

(Payload) + (Secret Key, known to receiver) => (Hash) => [Message Digest]
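
The header layout, keyed digest and sequence-number check described above, as an added example (not part of the original notes). Assumptions: HMAC-SHA-256 truncated to 16 bytes as the hash, a constructed SA_TABLE and key, and hypothetical function names build_ah and verify_ah. It is simplified: real AH also covers the immutable IP header fields and uses a sliding anti-replay window rather than a single counter.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # assumed: HMAC-SHA-256 digest truncated to 128 bits
# Constructed table of negotiated parameters: SPI -> shared secret key.
SA_TABLE = {0x1001: b"constructed-demo-key"}

def _digest(key, header_zeroed, payload):
    # Keyed hash over the AH fields (digest field zeroed) plus the payload.
    mac = hmac.new(key, header_zeroed + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]

def build_ah(next_header, spi, seq, payload):
    # Header length field counts 32-bit words, minus 2.
    length = (12 + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, length, 0, spi, seq)
    icv = _digest(SA_TABLE[spi], fixed + bytes(ICV_LEN), payload)
    return fixed + icv + payload

def verify_ah(packet, last_seq):
    """Return (ok, reason). last_seq maps SPI -> highest sequence accepted."""
    if len(packet) < 12 + ICV_LEN:
        return False, "truncated"
    _nh, length, _res, spi, seq = struct.unpack("!BBHII", packet[:12])
    key = SA_TABLE.get(spi)
    if key is None or (length + 2) * 4 != 12 + ICV_LEN:
        return False, "unknown SPI or bad length"
    icv = packet[12:12 + ICV_LEN]
    payload = packet[12 + ICV_LEN:]
    expected = _digest(key, packet[:12] + bytes(ICV_LEN), payload)
    # Constant-time comparison; check the digest before touching replay state.
    if not hmac.compare_digest(icv, expected):
        return False, "bad digest"
    if seq <= last_seq.get(spi, 0):
        return False, "replay"
    last_seq[spi] = seq
    return True, "ok"
```

A captured packet that is resent unchanged still carries a valid digest, so it is the sequence-number check that rejects it.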


AH Modes:
Transport mode:
- (Original datagram)
[Original IP Header] [Payload]
- After AH Transport is applied:
[Original IP Header] [Authentication header] [Payload]
<------------------------------ a (authenticated) ------------------->
Tunnel mode:
- Original Datagram
[Original IP Header] [Payload]
- After AH Tunnel is applied:
[New IP Header] [AH] [Original IP header] [Payload]
<------------------------------- a -------------------------------------->
New IP Header: The source and destination addresses will be the tunnel start and end points.
