topic Out of the box, yes.By in Network Access Control

Why would anyone use Authentication Header in a transform set ?

jimmyc_2 — Fri, 21 Feb 2020 18:29:21 GMT

I came across a configuration that uses an IPSEC transform-set of ah-sha-hmac esp-3des. This is a Cisco router, and it is running inside an MPLS tunnel. Since ESP does all of what AH does, are there any good reasons to use AH?

It depends on whether you

ghostinthenet — Fri, 18 Jul 2014 22:02:32 GMT

Let me edit this because I didn't fully read the context.

It's a bit odd to see, but not out of the question. ESP has largely supplanted AH because authentication/integrity and encryption can be handled in one protocol. AH is still valid in this scenario, but most just do everything with ESP now.

Interesting. But if you

jimmyc_2 — Fri, 18 Jul 2014 22:06:49 GMT

Interesting. But if you trust the MPLS tunnel for the encryption and total security, why bother with a second IPSec tunnel with AH? Why not just route the data nominally, and let MPLS do all the security. I don't see what you gain by doing AH ? Maybe you don't trust some devices on the "inside"???

Most cases I've seen for

ghostinthenet — Fri, 18 Jul 2014 22:13:34 GMT

Most cases I've seen for IPSec on MPLS are due to being prudent about trusting the service provider. Others want to deploy technologies like DMVPN over MPLS to maintain discreet internal routing between sites without having to get the service provider involved for changes in how traffic flows.

In the first case, it's usually GET VPN that is used to provide a blanket encryption policy over the entire MPLS VRF. In the second, encryption sometimes isn't used at all.

When it comes to running this sort of thing, the decision isn't usually made due to technical factors. It's more about policy.

Okay, final thought. There is

jimmyc_2 — Fri, 18 Jul 2014 22:22:06 GMT

Okay, final thought.

There is NO advantage to using AH, except that it uses fewer CPU cycles, and ONLY IF you don't want to encrypt the data.

True statement?

Out of the box, yes.By

ghostinthenet — Fri, 18 Jul 2014 22:36:57 GMT

That pretty much sums it up.

It's been argued in a few places on the Internet that there's no reason to even have AH anymore, though I've heard some contend that it has a better authentication mechanism than ESP. Personally, I haven't seen anything supporting this argument.