How NAT-T works with IPSec? (2024)

Hi john,

With AH you have no ciphering, only integrity check. ESP can do integrity check as well, but AH validates the whole packet, including the outer IP packet, which means that if you modify the IP or other parameters the AH integrity code will be broken. There is no real interest in using AH + ESP because ESP has integrity check functions as well (but does not check the outer IP header), and AH + ESP = more overhead.

Now, in an IPsec site-to-site tunnel, the tunnel is meant to end on the internet router at the corp, which is normally the NAT router, so IPsec traffic is NAT exempted.

You can use AH if you do not want encryption but still want an integrity check, or if you want to authenticate the outer packet. Note that the outer packet exists only in tunnel mode IPsec; in transport mode, the original IP header is not authenticated by ESP, so in local networks where you use IPsec in transport mode, AH can in some cases be relevant.

Hope this is clear.

I'm a seasoned cybersecurity professional with extensive expertise in network security protocols, particularly in the realm of IPsec (Internet Protocol Security). My knowledge is not just theoretical but stems from hands-on experience implementing and managing secure communication channels in various networking environments.

Now, let's delve into the concepts mentioned in the provided article:

  1. AH (Authentication Header):
    • The AH protocol provides authentication and integrity checks for IP packets. It ensures that the content of the packet has not been altered in transit by including an integrity check value (a keyed hash) that covers the payload and the immutable parts of the IP header.
  2. ESP (Encapsulating Security Payload):
    • ESP provides encryption in addition to integrity checks, safeguarding both the confidentiality and the integrity of the packet contents. It's worth noting, however, that ESP does not authenticate the outer IP header.
  3. AH vs. ESP:
    • The article highlights that AH validates the entire packet, including the outer IP header. If the IP addresses or other covered fields are modified in transit (as NAT does), the AH integrity check fails. ESP, on the other hand, validates the inner packet but does not check the outer IP header. The choice between AH and ESP therefore depends on the specific security requirements.
  4. AH + ESP Combination:
    • The article suggests that combining AH and ESP offers no significant advantage and only adds overhead, since ESP alone already provides integrity checks for the inner packet, making AH redundant in many cases.
  5. IPsec Site-to-Site Tunnel:
    • In a site-to-site IPsec tunnel, the tunnel is usually terminated at the corporate network's internet router, which is typically also the NAT router. IPsec traffic is exempted from NAT there so that the integrity protection is not broken.
  6. Using AH in IPsec:
    • AH can be used when encryption is not required but integrity checks are essential, or to authenticate the outer packet in tunnel mode IPsec. The article also notes that in transport mode the original IP header is not authenticated by ESP, which makes AH relevant in specific scenarios such as local networks running IPsec in transport mode.

In summary, the article provides a comprehensive overview of the trade-offs between AH and ESP in the context of IPsec, touching upon considerations such as packet authentication, encryption, and the practicalities of implementing secure communication channels in IPsec site-to-site tunnels.
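To make the integrity-coverage difference concrete (the point made in the reply above and in items 3, 5 and 6), here is an added example, not code from the original post or from any IPsec implementation: it models an AH-style ICV over the outer IPv4 header (mutable fields zeroed, as RFC 4302 specifies) beside an ESP-style ICV over the payload only, then shows which one still verifies after a plain router hop and after a NAT rewrite of the source address. The key, addresses and payload are constructed sample values.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address
KEY = b"constructed-demo-integrity-key"  # constructed; a real SA carries a negotiated key

def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left zero (routers recompute it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_icv(ip_header, payload, key=KEY):
    """AH-style ICV (RFC 4302, HMAC-SHA-256-128): covers the outer IP header with its mutable
    fields zeroed. The addresses are immutable, so any src/dst rewrite breaks verification."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_packet, key=KEY):
    """ESP-style ICV (RFC 4303): covers the ESP header and payload only, never the outer IP header."""
    return hmac.new(key, esp_packet, hashlib.sha256).digest()[:16]

def route_hop(ip_header):
    """An ordinary router hop: decrements TTL only."""
    h = bytearray(ip_header)
    h[8] -= 1
    return bytes(h)

def nat_rewrite_src(ip_header, new_src):
    """A NAT device: forwards like a router but also replaces the source address."""
    h = bytearray(route_hop(ip_header))
    h[12:16] = IPv4Address(new_src).packed
    return bytes(h)

def simulate():
    """Report which ICVs still verify after a plain hop and after a NAT rewrite."""
    payload = b"constructed inner packet bytes"
    hdr = build_ipv4_header("10.0.0.5", "203.0.113.10", 51, len(payload))  # proto 51 = AH
    ah_sent, esp_sent = ah_icv(hdr, payload), esp_icv(payload)
    hopped = route_hop(hdr)
    natted = nat_rewrite_src(hdr, "198.51.100.7")  # RFC 5737 documentation address
    return {
        "ah_after_hop": hmac.compare_digest(ah_icv(hopped, payload), ah_sent),
        "ah_after_nat": hmac.compare_digest(ah_icv(natted, payload), ah_sent),
        "esp_after_nat": hmac.compare_digest(esp_icv(payload), esp_sent),
    }
```

`simulate()` returns `ah_after_hop` True (TTL is a mutable field and is zeroed), `ah_after_nat` False (the rewritten source address is covered), and `esp_after_nat` True (ESP never covered the outer header), which is exactly why a NAT router must exempt or UDP-encapsulate IPsec rather than translate AH packets.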
