Authentication Header vs. IKE

In this Ask the Expert Q&A, Joel Dubin discusses how and when the Authentication Header encryption protocol is used.

Joel Dubin

Do we still need an Authentication Header if the Internet Key Exchange negotiates IPSec protections and the related secret key, binding participants' addresses to the keys, effectively authenticating these critical IP header fields?

There are two different things going on here. One is a key exchange and the other a data encryption protocol. IPSec consists of both a way to securely exchange cryptographic keys and then to transmit data securely over the Internet. The Internet Key Exchange (IKE) is the protocol for the key exchange and Authentication Header (AH) is one of the two encryption protocols.

IKE is used to set up the IPSec conversation and exchange the keys needed for encrypting the data through its secure tunnel. AH and Encapsulating Security Payload (ESP) are the two ways the data is encrypted after the keys are exchanged. Once IKE exchanges the keys, one of the two encryption protocols -- AH or ESP -- must be used. AH just authenticates the TCP packet without encrypting it, while ESP is stronger in that it both authenticates and encrypts the packet. So, AH may still be needed if it's the encryption protocol of choice over ESP in the IPSec set up. Is it still used? Not as much as ESP. There has been talk from time to time of deprecating AH, but it still hasn't been officially removed from any RFP about IPSec.

Though less secure than ESP, AH requires less processor power and is obviously less of a strain on the network. But, besides being less secure, it also can't be used for connecting outside a network using NAT. Despite these weaknesses, if the security risk is low behind a NATed firewall or router, and efficiency is paramount, AH can still be used in an internal network.

More information

Visit our resource center and learn more about authentication systems and protocols.

Learn how to secure public key transport to transmit data security over the Internet.

This was last published in November 2005

Authentication Header vs. IKE

In this Ask the Expert Q&A, Joel Dubin discusses how and when the Authentication Header encryption protocol is used.

Dig Deeper on Email and Messaging Threats-Information Security Threats

IPsec (Internet Protocol Security)

Protect your business by encrypting the network

Implementing IPsec to protect your VPN data

How to set up a site-to-site VPN to coexist with a DMZ

Related Q&A from Joel Dubin

How to use a public key and private key in digital signatures

What's the purpose of CAPTCHA technology and how does it work?

Single sign-on best practices: How can enterprises get SSO right?

Start the conversation

0 comments

Please create a username to comment.

SearchCloudSecurity

How to build a cloud security operations center

How to prepare for a zero-trust model in the cloud

How enterprise cloud VPN protects complex IT environments

SearchNetworking

The power and plights of female network engineers

Bye-bye ISR, hello Catalyst 8000 for Cisco SD-WAN

Juniper's 128 acquisition needed to improve SD-WAN

SearchCIO

An introduction to intelligent document processing for CIOs

Why CIOs need to establish an automation CoE

Is your company's IT governance strategy cloud ready?

SearchEnterpriseDesktop

A complete guide to troubleshooting Windows Hello

Comparing Jamf vs. Fleetsmith for macOS management

Mac users key in defending against Apple T2 chip flaw

SearchCloudComputing

Microsoft's SpaceX partnership sends Azure to the final frontier

How to design and implement a cloud governance framework

AWS Outposts: What you need to know to get started

ComputerWeekly.com

Digital public services fail UK citizens on multiple fronts

Tech Talent Charter launches Doing It Anyway role model campaign

Deutsche Bank in talks over sale of IT unit to TCS