Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
828
Views
10
Helpful
5
Replies

Why would anyone use Authentication Header in a transform set ?

Go to solution
jimmyc_2
Level 1
Level 1

‎07-18-2014 01:25 PM - edited ‎02-21-2020 10:29 AM

I came across a configuration that uses an IPSEC transform-set of ah-sha-hmac esp-3des.  This is a Cisco router, and it is running inside an MPLS tunnel.  Since ESP does all of what AH does, are there any good reasons to use AH?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ghostinthenet
Level 7
Level 7

‎07-18-2014 03:02 PM

Let me edit this because I didn't fully read the context.

It's a bit odd to see, but not out of the question. ESP has largely supplanted AH because authentication/integrity and encryption can be handled in one protocol. AH is still valid in this scenario, but most just do everything with ESP now.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
ghostinthenet
Level 7
Level 7

‎07-18-2014 03:02 PM

Let me edit this because I didn't fully read the context.

It's a bit odd to see, but not out of the question. ESP has largely supplanted AH because authentication/integrity and encryption can be handled in one protocol. AH is still valid in this scenario, but most just do everything with ESP now.

0 Helpful

Go to solution
jimmyc_2
Level 1
Level 1
In response to ghostinthenet

‎07-18-2014 03:06 PM

Interesting.   But if you trust the MPLS tunnel for the encryption and total security, why bother with a second IPSec tunnel with AH?  Why not just route the data nominally, and let MPLS do all the security.  I don't see what you gain by doing AH ?   Maybe you don't trust some devices on the "inside"???

 

0 Helpful

Go to solution
ghostinthenet
Level 7
Level 7
In response to jimmyc_2

‎07-18-2014 03:13 PM

Most cases I've seen for IPSec on MPLS are due to being prudent about trusting the service provider. Others want to deploy technologies like DMVPN over MPLS to maintain discreet internal routing between sites without having to get the service provider involved for changes in how traffic flows.

In the first case, it's usually GET VPN that is used to provide a blanket encryption policy over the entire MPLS VRF. In the second, encryption sometimes isn't used at all.

When it comes to running this sort of thing, the decision isn't usually made due to technical factors. It's more about policy.

Go to solution
jimmyc_2
Level 1
Level 1
In response to ghostinthenet

‎07-18-2014 03:22 PM

Okay, final thought. 

There is NO advantage to using AH, except that it uses fewer CPU cycles, and ONLY IF you don't want to encrypt the data. 

True statement?

0 Helpful

Go to solution
ghostinthenet
Level 7
Level 7
In response to jimmyc_2

‎07-18-2014 03:36 PM

That pretty much sums it up.

It's been argued in a few places on the Internet that there's no reason to even have AH anymore, though I've heard some contend that it has a better authentication mechanism than ESP. Personally, I haven't seen anything supporting this argument.

Customers Also Viewed These Support Documents