1), What does AH do?
====================================================================
The IP Authentication Header (AH) is used to provide connectionless
integrity and data origin authentication for IP datagrams (hereafter
referred to as just "authentication"), and to provide protection
against replays.
AH also protects the IP header. But some IP header fields may change
in transit (in IPv4: TOS, Flags, Fragment Offset, TTL and Header
Checksum), and the value of these fields when the packet arrives at
the receiver may not be predictable by the sender. Such mutable fields
cannot be protected by AH: both ends zero them before computing or
checking the Integrity Check Value (ICV). The remaining fields,
including the source and destination addresses, are covered.
2), AH Header Format
====================================================================
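The following Python is an added example, not code from the original notes: it lays out the AH header from RFC 4302 (Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV), puts it behind an IPv4 header in transport mode, and computes the ICV with HMAC-SHA-256-128 (RFC 4868) after zeroing the mutable IPv4 fields exactly as section 1 describes. A simulated router hop (TTL decremented, checksum recomputed) leaves the ICV valid, while rewriting the destination address breaks it. The key, addresses and payload are constructed test values, and every function name is this example's own.

```python
"""AH (RFC 4302) over IPv4 with HMAC-SHA-256-128 (RFC 4868); added example, not from the notes."""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
ICV_LEN = 16  # HMAC-SHA-256 output truncated to 128 bits


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header without options; Identification and the DF flag are fixed test values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr):
    """RFC 4302 Appendix A: TOS, Flags/Fragment Offset, TTL and Header Checksum may
    change in transit, so both ends zero them before computing the ICV. Version/IHL,
    Total Length, Identification, Protocol and both addresses stay in the input."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS (DSCP/ECN)
    b[6:8] = b"\x00\x00"     # Flags + Fragment Offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # Header Checksum
    return bytes(b)


def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    # Payload Len = AH length in 32-bit words minus 2 (12-byte fixed part + ICV)
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key, ip_hdr, ah_with_zero_icv, payload):
    data = zero_mutable_fields(ip_hdr) + ah_with_zero_icv + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, next_header, spi, seq, payload, ttl=64):
    """Transport mode: the original IPv4 header stays in front with Protocol = 51."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload), ttl)
    ah_zero = ah_header(next_header, spi, seq)
    icv = ah_icv(key, ip_hdr, ah_zero, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


def verify_ah_packet(key, pkt):
    ip_hdr, rest = pkt[:20], pkt[20:]
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    icv = ah[12:]
    expected = ah_icv(key, ip_hdr, ah[:12] + b"\x00" * len(icv), payload)
    return hmac.compare_digest(icv, expected)


def forward_hop(pkt):
    """Router behaviour: TTL decremented, checksum recomputed. Both fields are mutable."""
    b = bytearray(pkt)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


def rewrite_dst(pkt, new_dst):
    """NAT-style address rewrite. Destination Address is immutable, so the ICV breaks."""
    b = bytearray(pkt)
    b[16:20] = socket.inet_aton(new_dst)
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed 256-bit test key
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", 6, 0x1000, 1, b"TCP segment")
    print("original      :", verify_ah_packet(key, pkt))                          # True
    print("after one hop :", verify_ah_packet(key, forward_hop(pkt)))             # True
    print("dst rewritten :", verify_ah_packet(key, rewrite_dst(pkt, "10.0.0.3")))  # False
```

The rewritten-destination case is also why AH and NAT do not get along (see the NAT-T references at the end of these notes): a NAT must change an address that AH deliberately authenticates.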
3), What does ESP do?
====================================================================
The IP Encapsulating Security Payload (ESP) is used to provide
confidentiality, data origin authentication, connectionless
integrity, an anti-replay service (a form of partial sequence
integrity), and limited traffic flow confidentiality.
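The anti-replay service named here (and in section 1 for AH) is the sliding window of RFC 4303 section 3.4.3. The following Python is an added example, not from the original notes: a 64-entry window over 32-bit sequence numbers (Extended Sequence Numbers are not modelled) that rejects duplicates and packets older than the window, applied in the RFC's order of window check, ICV verification, then window update, so that a forged packet can never advance the window. The arrival order in the demo is constructed, and the class and method names are this example's own.

```python
"""Anti-replay window for ESP/AH (RFC 4303 section 3.4.3); added example, not from the notes."""


class AntiReplayWindow:
    """Sliding window over 32-bit sequence numbers (no Extended Sequence Numbers).

    `highest` is the right edge: the largest sequence number accepted so far.
    Bit i of `bitmap` is set when sequence number (highest - i) has been seen,
    so bit 0 always refers to `highest` itself.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32; 64 is the default")
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq):
        """Cheap pre-check done before the ICV is verified, so replays cost no MAC work."""
        if seq == 0:
            return False                        # first packet on an SA carries seq 1
        if seq > self.highest:
            return True                         # would become the new right edge
        offset = self.highest - seq
        if offset >= self.size:
            return False                        # too old: fell off the left edge
        return not (self.bitmap >> offset) & 1  # False if already received

    def update(self, seq):
        """Record seq; only call after the packet's ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                 # everything previously seen is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def process(self, seq, icv_ok):
        """RFC 4303 order: window check, then ICV verification, then window update."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False        # forged or corrupted packet must not advance the window
        self.update(seq)
        return True


def replay_decisions(seqs, window_size=64):
    """Run a constructed arrival order (all packets with good ICVs) through one SA."""
    w = AntiReplayWindow(window_size)
    return [w.process(s, True) for s in seqs]


if __name__ == "__main__":
    arrivals = [1, 2, 3, 2, 100, 99, 36, 37, 101, 37]   # constructed arrival order
    for s, ok in zip(arrivals, replay_decisions(arrivals)):
        print(f"seq {s:3d}: {'accept' if ok else 'reject'}")
```

In the demo, 2 is rejected as a duplicate, 36 is rejected because after 100 arrives it is 64 behind the right edge, 37 is accepted once (offset 63) and rejected on its second arrival once 101 has pushed it out of the window.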
4), ESP Header Format
====================================================================
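The following Python is an added example, not from the original notes: it builds and parses the ESP layout of RFC 4303 (SPI, Sequence Number, Payload, Padding, Pad Length, Next Header, ICV) using the NULL encryption algorithm of RFC 2410 so that it runs on the standard library alone, with HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm. With a real cipher, the region from Payload through Next Header would be encrypted and an IV would follow the sequence number, but the ICV input (SPI through Next Header) would be the same. Because that input never includes the IP header in front, the demo also shows the point made in section 5 below: rewriting the outer header's TTL or destination leaves the ESP ICV valid, while a flipped bit in the payload does not. The key, addresses and payload are constructed, and the function names are this example's own.

```python
"""ESP (RFC 4303) with ENCR_NULL (RFC 2410) and HMAC-SHA-256-128 (RFC 4868); added example, not from the notes."""
import hashlib
import hmac
import struct

ESP_PROTO = 50
ICV_LEN = 16  # HMAC-SHA-256 output truncated to 128 bits


def esp_encapsulate(auth_key, spi, seq, next_header, payload):
    """SPI | Seq | Payload | Padding | Pad Len | Next Header | ICV.

    NULL encryption adds no IV and carries the payload as-is, but the trailer
    must still be aligned so Pad Len and Next Header end on a 4-byte boundary.
    """
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))      # RFC 4303 default padding bytes 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)
    body = payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(auth_key, esp):
    """Return (spi, seq, next_header, payload) or None. The ICV is checked before the
    trailer is parsed, so nothing downstream ever sees unauthenticated bytes."""
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]
    end = len(body) - 2 - pad_len
    if end < 0 or body[end:-2] != bytes(range(1, pad_len + 1)):
        return None                             # receiver may verify the default padding
    return spi, seq, next_header, body[:end]


def ipv4_transport_esp(src, dst, esp, ttl=64):
    """Outer IPv4 header with Protocol = 50 in front of the ESP packet (transport mode).
    The header checksum is left as 0 here because it plays no part in the ESP ICV."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0x4000,
                       ttl, ESP_PROTO, 0, src, dst) + esp


def dissect_transport_esp(auth_key, pkt):
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ESP_PROTO:
        return None
    return esp_decapsulate(auth_key, pkt[ihl:])


if __name__ == "__main__":
    key = bytes(range(32))                          # constructed 256-bit authentication key
    esp = esp_encapsulate(key, 0x2000, 7, 6, b"GET / HTTP/1.0\r\n")
    pkt = ipv4_transport_esp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", esp)
    hop = bytearray(pkt)
    hop[8] -= 1                                     # TTL decremented by a router
    hop[16:20] = b"\x0a\x00\x00\x63"                # destination rewritten by a NAT
    print("outer header changed:", dissect_transport_esp(key, bytes(hop)))   # still decapsulates
    bad = bytearray(pkt)
    bad[20 + 8] ^= 0x01                             # one bit flipped inside the ESP payload
    print("payload changed     :", dissect_transport_esp(key, bytes(bad)))   # None
```

Note that the Next Header value (6 for TCP here) sits in the trailer; with a real cipher it would be encrypted, so an observer of the outer header learns only "protocol 50", which is part of what the limited traffic flow confidentiality refers to.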
5), The Difference between ESP and AH Authentication
====================================================================
The primary difference between the authentication provided by ESP
and AH is the extent of the coverage. Specifically, ESP does not
protect any IP header fields unless those fields are encapsulated
by ESP (tunnel mode). In transport mode the IP header in front of
ESP is therefore neither encrypted nor authenticated; in tunnel mode
the inner header is both, but the new outer header is not.
6), ESP and AH packet diagram
====================================================================
1, IPsec tunnel mode with ESP header:
Note: The entire original packet, including its IP header, becomes the
ESP payload and is encrypted and authenticated. The New IP header is
added in front, in the clear, and identifies ESP with an IP protocol ID
of 50.
2, IPsec tunnel mode with AH header:
Note: AH can be applied alone or together with ESP when IPsec is in
tunnel mode. AH authenticates the entire packet, but it cannot cover the
fields of the New IP header that change in transit, because the sender
cannot predict how they will change. AH protects everything that does
not change in transit, including the New IP header's source and
destination addresses. AH is identified in the New IP header with an IP
protocol ID of 51.
3, IPsec transport mode with ESP header:
Note: The Orig IP header at the front is the IP header of the original
IP packet. Transport mode inserts the ESP header between it and the
transport-layer payload, changing only the header's Protocol field (to
50) and its Total Length. Transport mode therefore neither encrypts nor
authenticates the original IP header; ESP is identified in the Orig IP
header with an IP protocol ID of 50.
4, IPsec transport mode with AH header:
Note: AH can be applied alone or together with ESP when IPsec is in
transport mode. AH does not create a new IP header; the original header
stays in front, with its Protocol field changed to 51 and its Total
Length updated, and the AH header is inserted after it. Unlike ESP,
AH in transport mode does authenticate the immutable fields of that
original header (Source IP, Destination IP, etc.); the mutable fields
are excluded, as in tunnel mode, and nothing is encrypted. AH is
identified in the Original IP header with an IP protocol ID of 51.
In both the ESP and AH cases with IPsec transport mode, the IP header
travels in the clear: ESP leaves it unprotected, while AH authenticates
it but does not hide it.
References
====================================================================
[1], AH, RFC 4302.
[2], ESP, RFC 4303.
[3], NAT-T Requirement, RFC 3715.
[4], Negotiation of NAT-Traversal in the IKE, RFC 3947, RFC 3948.
[5], Security Architecture for the Internet Protocol, RFC 4301.
[6], IKEv2, RFC 5996.
[7], IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap, RFC 6071.
[8], Securing L2TP using IPsec, RFC 3193.