cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1033
Views
10
Helpful
5
Replies

Why would anyone use Authentication Header in a transform set ?

jimmyc_2
Level 1
Level 1

I came across a configuration that uses an IPSEC transform-set of ah-sha-hmac esp-3des.  This is a Cisco router, and it is running inside an MPLS tunnel.  Since ESP does all of what AH does, are there any good reasons to use AH?

1 Accepted Solution

Accepted Solutions

ghostinthenet
Level 7
Level 7

Let me edit this because I didn't fully read the context.

It's a bit odd to see, but not out of the question. ESP has largely supplanted AH because authentication/integrity and encryption can be handled in one protocol. AH is still valid in this scenario, but most just do everything with ESP now.

View solution in original post

5 Replies 5

ghostinthenet
Level 7
Level 7

Let me edit this because I didn't fully read the context.

It's a bit odd to see, but not out of the question. ESP has largely supplanted AH because authentication/integrity and encryption can be handled in one protocol. AH is still valid in this scenario, but most just do everything with ESP now.

Interesting.   But if you trust the MPLS tunnel for the encryption and total security, why bother with a second IPSec tunnel with AH?  Why not just route the data nominally, and let MPLS do all the security.  I don't see what you gain by doing AH ?   Maybe you don't trust some devices on the "inside"???

 

Most cases I've seen for IPSec on MPLS are due to being prudent about trusting the service provider. Others want to deploy technologies like DMVPN over MPLS to maintain discreet internal routing between sites without having to get the service provider involved for changes in how traffic flows.

In the first case, it's usually GET VPN that is used to provide a blanket encryption policy over the entire MPLS VRF. In the second, encryption sometimes isn't used at all.

When it comes to running this sort of thing, the decision isn't usually made due to technical factors. It's more about policy.

Okay, final thought. 

There is NO advantage to using AH, except that it uses fewer CPU cycles, and ONLY IF you don't want to encrypt the data. 

True statement?

That pretty much sums it up.

It's been argued in a few places on the Internet that there's no reason to even have AH anymore, though I've heard some contend that it has a better authentication mechanism than ESP. Personally, I haven't seen anything supporting this argument.