Nt1310 Unit 3 Network Analysis

Explanatory Essay
753 words

Authentication Header (AH) and Encapsulating Security Payload (ESP) are IPsec components: network-layer protocols that allow secured communication through a VPN tunnel. To permit this traffic through a firewall, one opens protocol 50 for AH and protocol 51 for ESP (Frankel, Hoffman, Orebaugh & Park, 2008); both protocols can be enabled within the same end-to-end IPsec connection in Tunnel Mode, which connects two gateways. In Transport Mode, however, there are restrictions on the order in which they appear. AH supports connectionless integrity and authentication of packets, while ESP provides data origin authentication and confidentiality through encryption; both AH and ESP provide …

In this essay, the author

  • Explains that Authentication Header (AH) and Encapsulating Security Payload (ESP) are network-layer protocols allowing secured communications through a VPN tunnel.
  • Explains that Tunnel Mode is a gateway-to-gateway VPN connection, and Transport Mode encapsulates the entire packet. Both AH and ESP provide security for data being transmitted.
  • Explains the advantages of using AH and ESP in conjunction within either Transport Mode or Tunnel Mode.
  • Explains the disadvantages of using both AH and ESP in an IPsec tunnel, such as the extra time and double effort in the encryption and decryption process at the source and destination gateways.
  • Explains that AH and ESP can be used in any order because Tunnel Mode encrypts the entire IP packet, whereas Transport Mode uses both.

While both AH and ESP provide a level of security for data in transit, Tunnel Mode encrypts the entire IP packet and assigns new headers, creating a new and larger packet that protects the original data and header alike; this method is frequently used in a site-to-site VPN. Tunnel Mode is also less susceptible to attacks while data are in transit between the two gateways because, as mentioned previously, it encapsulates the entire …

Therefore, using both AH and ESP in the same VPN connection will require four SAs, since each direction requires its own Security Association for AH and for ESP. This doubles the gateways' effort in algorithm computation and in the Phase I and Phase II setup process, raises CPU utilization, and also creates larger packets and slower traffic at the bottleneck (the gateways). Another issue is that combining AH and ESP encapsulation in the same end-to-end VPN connection will cause NAT problems. AH computes a message digest over the entire IP packet including the header, so a change to a field of the original packet such as time-to-live (TTL) causes authentication to fail and the packet to be discarded; for this reason AH and NAT will not work together (Phifer, n.d.). Hence, if NAT is in use in a VPN situation, AH + ESP is not
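As an added example (not from the essay or its cited sources), the following Python models transport-mode AH over an IPv4 packet: it builds the AH header, computes the HMAC-SHA1-96 ICV over the fields RFC 4302 designates as immutable, and then simulates a router hop and a NAT address rewrite to show which alteration breaks verification. Two points worth checking against the text above: IANA assigns protocol number 51 to AH and 50 to ESP, and RFC 4302 lists TTL among the mutable fields that are zeroed before ICV computation, so in this model a TTL decrement still verifies while a NAT source-address rewrite fails, which is the concrete reason AH and NAT do not coexist. The key, addresses and TCP header stub are constructed sample values.

```python
import hashlib
import hmac
import struct

# IANA-assigned IP protocol numbers (RFC 4303 for ESP, RFC 4302 for AH).
PROTO_ESP = 50
PROTO_AH = 51
PROTO_TCP = 6

IPV4_HDR_LEN = 20
AH_FIXED_LEN = 12        # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12             # HMAC-SHA1-96 truncates the MAC to 96 bits


def build_ipv4_header(src, dst, proto, ttl, total_length):
    """Minimal IPv4 header without options; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_length, 0x1234, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr):
    """RFC 4302 3.3.3.1: mutable IPv4 fields are zeroed before the ICV is computed.
    TTL is among them, so a hop decrement does not disturb AH; the source and
    destination addresses are immutable and therefore covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # ToS / DSCP / ECN
    h[6:8] = b"\x00\x00"     # flags and fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_no_icv, payload):
    """HMAC-SHA1-96 over immutable IP header + AH (ICV field zeroed) + payload."""
    data = zero_mutable_fields(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, payload, spi, seq, ttl=64):
    """Transport-mode AH: IP header (protocol 51), then AH, then the original payload."""
    total = IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, PROTO_AH, ttl, total)
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", PROTO_TCP, payload_len, 0, spi, seq)
    icv = ah_icv(key, ip_hdr, ah_no_icv, payload)
    return ip_hdr + ah_no_icv + icv + payload


def parse_ah(packet):
    """Split a packet into IP header, AH fields and payload; raises if protocol is not AH."""
    ip_hdr = packet[:IPV4_HDR_LEN]
    if ip_hdr[9] != PROTO_AH:
        raise ValueError("protocol %d is not AH (51)" % ip_hdr[9])
    ah = packet[IPV4_HDR_LEN:]
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", ah[:AH_FIXED_LEN])
    ah_total = (payload_len + 2) * 4
    return {"ip_hdr": ip_hdr, "next_header": next_hdr, "spi": spi, "seq": seq,
            "ah_no_icv": ah[:AH_FIXED_LEN], "icv": ah[AH_FIXED_LEN:ah_total],
            "payload": ah[ah_total:]}


def ah_verify(key, packet):
    """True if the ICV matches; False if any ICV-covered field was altered in transit."""
    p = parse_ah(packet)
    expected = ah_icv(key, p["ip_hdr"], p["ah_no_icv"], p["payload"])
    return hmac.compare_digest(expected, p["icv"])


def hop(packet):
    """Simulate a router: decrement TTL (a mutable field, not covered by the ICV)."""
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_source(packet, new_src):
    """Simulate NAT: overwrite the source address (immutable, covered by the ICV)."""
    h = bytearray(packet)
    h[12:16] = new_src
    return bytes(h)


# Constructed sample: 10.0.0.5 -> 203.0.113.9, with a NAT that maps the source to 198.51.100.1.
KEY = b"constructed-sample-key-not-for-use"
INNER = bytes.fromhex("04d2005000000000000000005002200000000000")  # 20-byte TCP header stub
PACKET = ah_protect(KEY, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9]), INNER, spi=0x100, seq=1)


def demo():
    """Which transit modifications survive AH verification."""
    return {
        "intact": ah_verify(KEY, PACKET),
        "after_hop": ah_verify(KEY, hop(PACKET)),
        "after_nat": ah_verify(KEY, nat_rewrite_source(PACKET, bytes([198, 51, 100, 1]))),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary in which only `after_nat` is `False`: the hop is harmless because TTL was zeroed before hashing, whereas the NAT rewrite changes an address the sender's ICV committed to, so the receiving gateway discards the packet exactly as the essay describes.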
