47
Web User Interface
The
ESP
and
AH
protocols are necessary to create a Security Association (SA), the
foundation of an IPSec VPN. An SA is built from the authentication provided by the
AH
and
ESP
protocols. The primary function of key management is to establish and maintain the SA
between systems. Once the SA is established, the transport of data may commence.
AH (Authentication Header) Protocol
AH
protocol (RFC 2402) was designed for integrity, authentication, sequence integrity
(replay resistance), and non-repudiation but not for confidentiality, for which the
ESP
was
designed.
In applications where confidentiality is not required or not sanctioned by government
encryption restrictions, an
AH
can be employed to ensure integrity. This type of
implementation does not protect the information from dissemination but will allow for
verification of the integrity of the information and authentication of the originator.
ESP (Encapsulating Security Payload) Protocol
The
ESP
protocol (RFC 2406) provides encryption as well as the services offered by
AH
.
ESP
authenticating properties are limited compared to the
AH
due to the non-inclusion of the
IP header information during the authentication process. However,
ESP
is sufficient if only
the upper layer protocols need to be authenticated. An added feature of the
ESP
is payload
padding, which further protects communications by concealing the size of the packet being
transmitted.
U10C019/U10C020