The Ah Protocol; The Esp Protocol - D-Link NetDefend DFL-210 User Manual

9.2.1. IPsec Basics
There are two protocols associated with IPsec, AH and ESP. These are covered in the sections be-
low.
AH (Authentication Header)
AH is a protocol used for authenticating a data stream. It uses a cryptographic hash function to pro-
duce a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing
the remote gateway to verify the integrity of the original IP packet, making sure the data has not
been tampered with on its way through the Internet.
Figure 9.1. The AH protocol
Apart from the IP packet data, AH also authenticates parts of the IP header.
The AH protocol inserts an AH header after the original IP header, and in tunnel mode, the AH
header is inserted after the outer header, but before the original, inner, IP header.
ESP (Encapsulating Security Payload)
The ESP protocol inserts an ESP header after the original IP header, in tunnel mode, the ESP header
is inserted after the outer header, but before the original, inner, IP header.
All data after the ESP header is encrypted and/or authenticated. The difference from AH is that ESP
also provides encryption of the IP packet. The authentication phase also differs in that ESP only au-
thenticates the data after the ESP header; thus the outer IP header is left unprotected.
The ESP protocol is used for both encryption and authentication of the IP packet. It can also be used
to do either encryption only, or authentication only.
Figure 9.2. The ESP protocol
Chapter 9. Virtual Private Networks
190