Authentication Header (AH) is a protocol and part of the Internet Protocol Security (IPsec) protocol suite, which authenticates the origin of IP packets (datagrams) and guarantees the integrity of the data. The AH confirms the originating source of a packet and ensures that its contents (both the header and payload) have not been changed since transmission.
If security associations have been established, AH can be optionally configured to defend against replay attacks using the sliding window technique.
AH provides authentication of the IP header and next-level protocol data. This can be applied in a nested fashion, or in conjunction with the IP encapsulating security payload (ESP). Security services are intiated between two communicating hosts, between two communicating security gateways or between a security gateway and a host.
AH provides data integrity using a checksum generated by an authentication code, similar to MD5. There is a secret shared key in the AH algorithm for data origin authentication. Using a sequence number field inside the AH header, relay protection is ensured.
AH can be used in tunnel or transport mode. In transport mode, the IP header of a datagram is the outermost IP header, followed by the AH header and the datagram. This mode requires a reduced processing overhead compared to tunnel mode, which creates new IP headers and uses them in the outermost IP header of the datagram.
The fields within an AH header include:
- Next header
- Payload length
- Security parameters
- Sequence numbers
- Integrity check value