IBM : developerWorks : Security : Education - online courses
Virtual private networks, Part 1
5. IPSec: AH protocol structure

Overview

AH only works on non-fragmented packets. If the Fragment Offset field is non-zero, or the More Fragments (MF) flag is set, the receiver discards the packet before it ever reaches the upper layers. This blocks an attack that tries to push bogus packets through a firewall by disguising them as fragments, and discarding such packets early also helps limit a denial of service attack.

As RFC 2401, the IPSec architecture document, says:

"AH also offers an anti-replay (partial sequence integrity) service at the discretion of the receiver, to help counter denial of service attacks. AH is an appropriate protocol to employ when confidentiality is not required. AH also provides authentication for selected portions of the IP header, which may be necessary in some contexts. For example, if the integrity of an IPv4 option or IPv6 extension header must be protected en route between sender and receiver, AH can provide this service (except for the non-predictable but mutable parts of the IP header)."
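The two receiver-side behaviours described above, the fragment rule and the optional anti-replay service, as an added Python example that is not part of the tutorial. It parses the fixed AH header fields (Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV), rejects IPv4 fragments, and keeps a sliding replay window; the 64-entry window size, the SPI value and the sample packets are assumptions constructed for the demonstration, and ICV verification against the SA's key is not shown.

```python
import struct
IPPROTO_AH = 51  # protocol number of the Authentication Header

def is_fragment(ipv4_hdr: bytes) -> bool:
    """AH discards fragments: MF flag set or Fragment Offset non-zero."""
    flags_frag = struct.unpack_from("!H", ipv4_hdr, 6)[0]
    return bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0

def parse_ah(ah: bytes) -> dict:
    """Fixed AH header (Next Header, Payload Len, Reserved, SPI, Sequence Number)
    followed by the ICV; Payload Len is in 32-bit words minus 2."""
    next_hdr, payload_len, _rsv, spi, seq = struct.unpack_from("!BBHII", ah, 0)
    end = (payload_len + 2) * 4
    return {"next_header": next_hdr, "spi": spi, "seq": seq, "icv": ah[12:end]}

class ReplayWindow:
    """Receiver-side sliding window; bit i of bitmap marks seq (highest - i) as seen."""
    def __init__(self, size: int = 64):  # 64 is an assumed window size
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False  # the first valid sequence number is 1
        if seq > self.highest:  # newer than anything seen: slide the window
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False  # too old for the window, or already seen (replay)
        self.bitmap |= 1 << diff
        return True

def receive(packet: bytes, window: ReplayWindow) -> str:
    """Structural checks done before ICV verification; returns 'ok' or the drop reason."""
    if packet[9] != IPPROTO_AH:
        return "not AH"
    if is_fragment(packet):
        return "fragment"
    ah = parse_ah(packet[(packet[0] & 0x0F) * 4:])
    return "ok" if window.accept(ah["seq"]) else "replay"

def build_packet(seq: int, flags_frag: int = 0) -> bytes:
    """Constructed sample: 20-byte IPv4 header carrying AH with a 12-byte ICV."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 1, flags_frag, 64, IPPROTO_AH, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ah = struct.pack("!BBHII", 6, 4, 0, 0x100, seq) + b"\x00" * 12  # Payload Len 4 => 24 bytes
    return ip + ah
```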

