07-18-2014 01:25 PM - edited 02-21-2020 10:29 AM
I came across a configuration that uses an IPSEC transform-set of ah-sha-hmac esp-3des. This is a Cisco router, and it is running inside an MPLS tunnel. Since ESP does all of what AH does, are there any good reasons to use AH?
07-18-2014 03:02 PM
Let me edit this because I didn't fully read the context.
It's a bit odd to see, but not out of the question. ESP has largely supplanted AH because authentication/integrity and encryption can be handled in one protocol. AH is still valid in this scenario, but most just do everything with ESP now.
07-18-2014 03:06 PM
Interesting. But if you trust the MPLS tunnel for the encryption and total security, why bother with a second IPSec tunnel with AH? Why not just route the data nominally, and let MPLS do all the security? I don't see what you gain by doing AH. Maybe you don't trust some devices on the "inside"?
07-18-2014 03:13 PM
Most cases I've seen for IPSec on MPLS are due to being prudent about trusting the service provider. Others want to deploy technologies like DMVPN over MPLS to maintain discrete internal routing between sites without having to get the service provider involved for changes in how traffic flows.
In the first case, it's usually GET VPN that is used to provide a blanket encryption policy over the entire MPLS VRF. In the second, encryption sometimes isn't used at all.
When it comes to running this sort of thing, the decision isn't usually made due to technical factors. It's more about policy.
07-18-2014 03:22 PM
Okay, final thought.
There is NO advantage to using AH, except that it uses fewer CPU cycles, and ONLY IF you don't want to encrypt the data.
True statement?
07-18-2014 03:36 PM
That pretty much sums it up.
It's been argued in a few places on the Internet that there's no reason to even have AH anymore, though I've heard some contend that it has a better authentication mechanism than ESP. Personally, I haven't seen anything supporting this argument.
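The one concrete thing AH's integrity check does that ESP's does not is cover the IP header that carries the packet: AH's ICV includes the immutable header fields (addresses, length, ID, protocol), while ESP's ICV covers only the SPI, sequence number and ESP body, so in tunnel mode the outer header travels unauthenticated. The following Python is an added example written for this thread, not code from the original posts or from Cisco; it models both ICV computations with HMAC-SHA1-96 in transport mode, with encryption, padding and the ESP trailer omitted, and with a constructed key and constructed packet contents. It then checks which protocol notices a source-address rewrite in flight, and confirms that AH still verifies after a legitimate TTL decrement because TTL is one of the mutable fields AH zeroes before hashing.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key. On a real SA the integrity key comes from IKE, never from source.
KEY = b"constructed-demo-integrity-key"
ICV_LEN = 12          # HMAC-SHA1-96: the 20-byte HMAC-SHA1 tag truncated to 96 bits
IPPROTO_ESP, IPPROTO_AH = 50, 51


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Minimal IPv4 header, no options. Checksum is left zero; it is mutable anyway."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, tos, total_len, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def zero_mutable_fields(hdr):
    """RFC 4302: TOS, flags, fragment offset, TTL and header checksum may change
    legitimately in transit, so AH zeroes them before computing the ICV.
    Addresses, total length, identification and protocol stay covered."""
    b = bytearray(hdr)
    b[1] = 0                 # TOS (DSCP/ECN)
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_icv(hdr, spi, seq, payload, next_header=6):
    """AH ICV: HMAC over IP header (mutable fields zeroed) + AH header (ICV zeroed) + payload."""
    payload_len_words = (12 + ICV_LEN) // 4 - 2      # AH 'Payload Len' field encoding
    ah_hdr = struct.pack("!BBHII", next_header, payload_len_words, 0, spi, seq) + b"\x00" * ICV_LEN
    mac = hmac.new(KEY, zero_mutable_fields(hdr) + ah_hdr + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def esp_icv(spi, seq, body):
    """ESP ICV: HMAC over SPI + sequence number + the ESP body (IV, ciphertext,
    padding, trailer). The IP header carrying the ESP packet is NOT covered.
    Encryption is omitted here; 'body' stands in for what would be ciphertext."""
    mac = hmac.new(KEY, struct.pack("!II", spi, seq) + body, hashlib.sha1).digest()
    return mac[:ICV_LEN]


# Constructed SA parameters and payload for the demo.
SPI, SEQ = 0x1001, 1
PAYLOAD = b"constructed upper-layer payload"


def source_rewrite_detected(protocol):
    """Send one packet, rewrite its source address in flight, and report whether
    the receiver's ICV check fails (True = tamper detected)."""
    proto = IPPROTO_AH if protocol == "ah" else IPPROTO_ESP
    sent_hdr = ipv4_header("10.0.0.1", "10.0.0.2", proto, len(PAYLOAD))
    seen_hdr = ipv4_header("192.0.2.99", "10.0.0.2", proto, len(PAYLOAD))  # rewritten source
    if protocol == "ah":
        sent, seen = ah_icv(sent_hdr, SPI, SEQ, PAYLOAD), ah_icv(seen_hdr, SPI, SEQ, PAYLOAD)
    else:
        sent, seen = esp_icv(SPI, SEQ, PAYLOAD), esp_icv(SPI, SEQ, PAYLOAD)
    return not hmac.compare_digest(sent, seen)


def ttl_decrement_breaks_ah():
    """Routers decrement TTL on every hop; AH must tolerate that. Returns True
    only if a TTL change would wrongly fail the AH check."""
    sent_hdr = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_AH, len(PAYLOAD), ttl=64)
    seen_hdr = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_AH, len(PAYLOAD), ttl=61)
    return not hmac.compare_digest(ah_icv(sent_hdr, SPI, SEQ, PAYLOAD),
                                   ah_icv(seen_hdr, SPI, SEQ, PAYLOAD))


if __name__ == "__main__":
    print("AH  detects source-address rewrite:", source_rewrite_detected("ah"))   # True
    print("ESP detects source-address rewrite:", source_rewrite_detected("esp"))  # False
    print("TTL decrement breaks AH:", ttl_decrement_breaks_ah())                  # False
```

The result matches the thread's conclusion in practice: the extra coverage AH buys is integrity of the outer header, which matters only if you care that the packet arrived from the address it claims and not just that its contents are intact; most deployments judge that not worth a second header and an extra pass over the packet, and do everything with ESP.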