IPSec Authentication Header (AH)
(Page 4 of 4)
Authentication Header Format
The format of the Authentication Header itself is described in Table 79 and shown in Figure 123.
Table 79: IPSec Authentication Header (AH) Format

| Field Name | Size (bytes) | Description |
|---|---|---|
| Next Header | 1 | Next Header: Contains the protocol number of the next header after the AH. Used to link headers together. |
| Payload Len | 1 | Payload Length: Despite its name, this field measures the length of the authentication header itself, not the payload. (I wonder what the history is behind that!) It is measured in 32 bit units, with 2 subtracted for consistency with how header lengths are normally calculated in IPv6. |
| Reserved | 2 | Reserved: Not used; set to zeroes. |
| SPI | 4 | Security Parameter Index (SPI): A 32-bit value that when combined with the destination address and security protocol type (which here is obviously the one for AH) identifies the security association to be used for this datagram. See the topic on security associations for more details. |
| Sequence Number | 4 | Sequence Number: This is a counter field that is initialized to zero when a security association is formed between two devices, and then incremented for each datagram sent using that SA. This uniquely identifies each datagram on an SA and is used to provide protection against replay attacks by preventing the retransmission of captured datagrams. |
| Authentication Data | Variable | Authentication Data: This field contains the result of the hashing algorithm performed by the AH protocol, the Integrity Check Value (ICV). |

Figure 123: IPSec Authentication Header (AH) Format

The size of the Authentication Data field is variable to support different datagram lengths and hashing algorithms. Its total length must be a multiple of 32 bits. Also, the entire header must be a multiple of either 32 bits (for IPv4) or 64 bits (for IPv6), so additional padding may be added to the Authentication Data field if necessary.

You may also notice that no IP addresses appear in the header, which is a prerequisite for it being the same for both IPv4 and IPv6.
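
The Payload Len arithmetic and the alignment rule above, worked through in Python as an added example (not part of The TCP/IP Guide). The function names, the sample SPI and the sample Authentication Data bytes are constructed for illustration, and rejecting a non-zero Reserved field is a strict choice made by this example.

```python
import struct

AH_FIXED_LEN = 12  # Next Header(1) + Payload Len(1) + Reserved(2) + SPI(4) + Sequence Number(4)


def ah_payload_len(icv_len: int, ipv6: bool = False) -> tuple:
    """Return (Payload Len value, padding bytes) for an ICV of icv_len bytes."""
    align = 8 if ipv6 else 4          # whole header: multiple of 32 bits (IPv4) or 64 bits (IPv6)
    pad = -(AH_FIXED_LEN + icv_len) % align
    total = AH_FIXED_LEN + icv_len + pad
    return total // 4 - 2, pad        # 32-bit units, with 2 subtracted


def parse_ah(data: bytes, ipv6: bool = False) -> dict:
    """Parse the AH at the start of data, rejecting inconsistent lengths."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated: fixed AH fields need 12 bytes")
    next_header, payload_len, reserved, spi, seq = struct.unpack(
        "!BBHII", data[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4     # Payload Len describes the AH itself, not the payload
    if total < AH_FIXED_LEN:
        raise ValueError("Payload Len too small to cover the fixed fields")
    if total > len(data):
        raise ValueError("Payload Len points past the end of the buffer")
    if ipv6 and total % 8:
        raise ValueError("AH length is not a multiple of 64 bits for IPv6")
    if reserved != 0:
        raise ValueError("Reserved field is not zero")  # strict choice made by this example
    return {"next_header": next_header, "header_len": total, "spi": spi,
            "sequence": seq, "auth_data": data[AH_FIXED_LEN:total]}


# Constructed sample: Next Header 6 (TCP), 12-byte Authentication Data, SPI 0x1234, sequence 1.
SAMPLE_ICV = bytes(range(12))
SAMPLE_AH = struct.pack("!BBHII", 6, ah_payload_len(12)[0], 0, 0x1234, 1) + SAMPLE_ICV

if __name__ == "__main__":
    print(parse_ah(SAMPLE_AH + b"rest of datagram"))
    print(ah_payload_len(16, ipv6=True))   # a 16-byte ICV needs padding under IPv6
```

A receiver that trusts Payload Len without the bounds checks would read Authentication Data past the end of the datagram when the field is corrupted or forged.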
The TCP/IP Guide (http://www.TCPIPGuide.com)
Version 3.0 - Version Date: September 20, 2005
© Copyright 2001-2005 Charles M. Kozierok. All Rights Reserved.