Authentication Header vs. IKE

In this Ask the Expert Q&A, Joel Dubin discusses how and when the Authentication Header encryption protocol is used.

Joel Dubin

Do we still need an Authentication Header if the Internet Key Exchange negotiates IPSec protections and the related secret key, binding participants' addresses to the keys, effectively authenticating these critical IP header fields?

There are two different things going on here. One is a key exchange and the other a data encryption protocol. IPSec consists of both a way to securely exchange cryptographic keys and then to transmit data securely over the Internet. The Internet Key Exchange (IKE) is the protocol for the key exchange and Authentication Header (AH) is one of the two encryption protocols.

IKE is used to set up the IPSec conversation and exchange the keys needed for encrypting the data through its secure tunnel. AH and Encapsulating Security Payload (ESP) are the two ways the data is encrypted after the keys are exchanged. Once IKE exchanges the keys, one of the two encryption protocols -- AH or ESP -- must be used. AH just authenticates the TCP packet without encrypting it, while ESP is stronger in that it both authenticates and encrypts the packet. So, AH may still be needed if it's the encryption protocol of choice over ESP in the IPSec set up. Is it still used? Not as much as ESP. There has been talk from time to time of deprecating AH, but it still hasn't been officially removed from any RFP about IPSec.

Though less secure than ESP, AH requires less processor power and is obviously less of a strain on the network. But, besides being less secure, it also can't be used for connecting outside a network using NAT. Despite these weaknesses, if the security risk is low behind a NATed firewall or router, and efficiency is paramount, AH can still be used in an internal network.

More information

Visit our resource center and learn more about authentication systems and protocols.

Learn how to secure public key transport to transmit data security over the Internet.

This was last published in November 2005

Dig Deeper on Email and Messaging Threats-Information Security Threats

IPsec (Internet Protocol Security) IPsec, also known as the Internet Protocol Security or IP Security protocol, defines the architecture for security services for IP network traffic.

How can I ensure the corporate VPN works with our firewall? Understanding how a virtual private network (VPN) works with a firewall will allow you to get full connectivity through the correct network ports.

How to set up a site-to-site VPN to coexist with a DMZ When setting up a site-to-site VPN, where should the VPN endpoint be in the DMZ? Learn more in this expert response.

VPN types: Protocols and network topologies of IPsec VPNs IPsec VPNs use a number of different security protocols. Learn these VPN types, their network topologies, and the services they provide.

How to implement VPNs using Cisco products and EzVPN IPsec This article provides IPsec protocol background and details for those implementing IPsec VPN gateways using Cisco routers. Learn about Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) in preparation for VPN configuration.

VPN gateway router configuration using transform sets Implementing IPsec VPN gateways on Cisco routers involves a number of different configuration elements. In addition to the ISAKMP and IKE configuration, transform set definitions are part of configuring gateways that will support Cisco software VPN client connections.

Related Q&A from Joel Dubin

What's the purpose of CAPTCHA technology and how does it work?

Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading

Single sign-on best practices: How can enterprises get SSO right?

Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading

Options for a mechanical door security system on a server room door

After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

How to implement zero-trust cloud security

The nature of cloud environments and workloads is changing. Security team approaches must evolve in response. Learn how to ...

AWS Access Analyzer aims to limit S3 bucket exposures

Amazon Web Services introduced the Access Analyzer tool at its re:Invent event. The new option aims to help users avoid ...

How to evaluate CASB tools for multi-cloud deployments

When it comes to evaluating CASB tools, it's essential to be an informed customer. Identify your organization's usage and ...

SearchNetworking

Consider these 5 FAQs for network monitoring best practices

New technologies are transforming how organizations plan network management and monitoring, introducing questions about legacy ...

Cisco's Silicon One networking chip targets cloud data centers

Cisco's Silicon One chip launch demonstrates a willingness to embrace white box routers in the hyperscale data centers of cloud ...

7 factors to consider in network redundancy design

Network pros have multiple factors to consider when it comes to adding redundancy in network design, including network equipment,...

SearchCIO

Transforming operations for successful cloud adoption

Still considering making the move to the cloud? Here are best practices and cloud-centric processes CIOs should follow to enable ...

IT workforce skews younger, says analysis of US data

The IT workforce is getting younger, according to government IT workforce data. The reasons for this are subject to a debate that...

Top edge computing trends to watch in 2020

Edge computing is still an evolving technology domain and enterprises should expect continued evolution in the year ahead. Here ...

SearchEnterpriseDesktop

How to shut down and restart a remote computer

Shutting down or restarting a computer remotely is often a necessary process. Explore the multiple ways to do so, using methods ...

Setting up Windows 10 kiosk mode with 4 different methods

For desktop admins, setting up Windows 10 kiosk mode can be a confusing process. IT should learn these four methods and choose ...

Microsoft extends Office 365 benefit to nonprofit volunteers

Thursday's announcement extends the company's September offering of 10 free Microsoft 365 Business licenses for nonprofits' ...

SearchCloudComputing

Evaluate general and niche cloud service use cases

Can't decide between a niche cloud provider or a hyperscaler? Review some real-world examples to help weigh the options and find ...

Compare niche cloud services to the hyperscale offerings

Consider your enterprise's specific needs when choosing between niche clouds and hyperscale clouds. Here's an overview of what ...

Get started with Azure tags

The more Azure resources an organization consumes, the harder it becomes to track those resources. Proper tagging can help manage...

ComputerWeekly.com

Women in tech still feel there’s a ‘glass ceiling’ in the sector

The number of women in the tech sector who think there is a “glass ceiling” has risen over the past year, according to research

How software can support public involvement with democracy

Iceland, Scotland and Sweden have experimented with using online software to involve citizens more deeply in democratic processes...

Cisco unveils plans for internet for the future

Online technology giant Cisco introduces platform for the internet of the future based on $5bn of investment in areas covering ...

Authentication Header vs. IKE

In this Ask the Expert Q&A, Joel Dubin discusses how and when the Authentication Header encryption protocol is used.

Dig Deeper on Email and Messaging Threats-Information Security Threats

Related Q&A from Joel Dubin

What's the purpose of CAPTCHA technology and how does it work?

Single sign-on best practices: How can enterprises get SSO right?

Options for a mechanical door security system on a server room door

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

How to implement zero-trust cloud security

AWS Access Analyzer aims to limit S3 bucket exposures

How to evaluate CASB tools for multi-cloud deployments

SearchNetworking

Consider these 5 FAQs for network monitoring best practices

Cisco's Silicon One networking chip targets cloud data centers

7 factors to consider in network redundancy design

SearchCIO

Transforming operations for successful cloud adoption

IT workforce skews younger, says analysis of US data

Top edge computing trends to watch in 2020

SearchEnterpriseDesktop

How to shut down and restart a remote computer

Setting up Windows 10 kiosk mode with 4 different methods

Microsoft extends Office 365 benefit to nonprofit volunteers

SearchCloudComputing

Evaluate general and niche cloud service use cases

Compare niche cloud services to the hyperscale offerings

Get started with Azure tags

ComputerWeekly.com

Women in tech still feel there’s a ‘glass ceiling’ in the sector

How software can support public involvement with democracy

Cisco unveils plans for internet for the future

Dig Deeper on Email and Messaging Threats-Information Security Threats

Related Q&A from Joel Dubin

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.