101
0/228
Loading content...
IPSec's security services—confidentiality, integrity, authentication, and anti-replay—are implemented by two distinct security protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). These protocols define the exact packet formats, transformation rules, and processing requirements that turn a vulnerable IP packet into a protected one.
Understanding these protocols at the wire level is essential for:
While modern deployments almost exclusively use ESP (and you'll understand why by the end of this page), AH remains part of the IPSec standard and appears in legacy configurations. Complete IPSec mastery requires understanding both protocols.
By the end of this page, you will understand: (1) the Authentication Header protocol format and operation, (2) the Encapsulating Security Payload format and operation, (3) why ESP has largely replaced AH in modern deployments, (4) protocol selection criteria, and (5) how to interpret IPSec packets in network captures.
The Authentication Header (AH) protocol provides data origin authentication, connectionless integrity, and anti-replay protection for IP packets. AH does not provide confidentiality—packets protected by AH are authenticated but not encrypted.
IP Protocol Number: 51
Defined in: RFC 4302 (obsoletes RFC 2402)
Security Services Provided:
Key Characteristic: AH authenticates the entire IP packet, including (most) IP header fields. This is more complete authentication than ESP provides, but creates significant practical problems (especially with NAT).
AH Header Format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Payload Len | RESERVED |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Security Parameters Index (SPI) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number Field |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Integrity Check Value (ICV) +
| (variable length) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Minimum header size: 12 bytes + ICV (typically 12-32 bytes depending on algorithm)
| Field | Size | Purpose |
|---|---|---|
| Next Header | 8 bits | Protocol type of the following header. In transport mode: original protocol (6=TCP, 17=UDP). In tunnel mode: 4=IPv4, 41=IPv6. |
| Payload Length | 8 bits | Length of AH header in 32-bit words minus 2. For 24-byte AH header: (24/4)-2 = 4. |
| Reserved | 16 bits | Reserved for future use. Must be zero. |
| SPI | 32 bits | Identifies the Security Association (+ destination IP + protocol). Chosen by receiver during SA negotiation. |
| Sequence Number | 32 bits | Monotonically increasing counter for anti-replay protection. Extended to 64 bits with ESN. |
| ICV | Variable (must be 32-bit aligned) | Integrity Check Value—the cryptographic MAC output. Typically 12-16 bytes (96-128 bits). |
AH Authentication Scope:
AH's defining characteristic is that it authenticates the outer IP header in addition to the payload. However, some IP header fields change in transit (TTL is decremented by routers, header checksum is recalculated, flags may change with fragmentation). To handle this:
Immutable Fields (included in ICV calculation):
Mutable Fields (set to zero for ICV calculation):
How it works:
NAT (Network Address Translation) modifies source and/or destination IP addresses—the very fields that AH authenticates as immutable. When NAT changes these addresses, the ICV becomes invalid, and the receiver discards the packet. There is no workaround. If NAT exists in your path, you CANNOT use AH. This single limitation has made AH largely obsolete in the modern Internet where NAT is ubiquitous.
AH Transport Mode Packet Structure:
Original:
| IPv4 Header | TCP Header | Data |
Proto=6
After AH (Transport Mode):
| IPv4 Header | AH Header | TCP Header | Data |
Proto=51 Next=6
←───────────── Authenticated (except mutable fields) ─────────────→
AH Tunnel Mode Packet Structure:
Original:
| IPv4 Header | TCP Header | Data |
Src: Host A
Dst: Host B
After AH (Tunnel Mode):
| New IPv4 Header | AH Header | Original IPv4 Header | TCP Header | Data |
Src: Gateway A Next=4 Src: Host A
Dst: Gateway B Proto=51 Dst: Host B
Proto=51
←────────────────── Authenticated (except mutable fields) ──────────────────→
In tunnel mode, both the outer (new) header and the inner (original) header are authenticated. The original header is not encrypted, so while authenticated, it remains visible to observers.
The Encapsulating Security Payload (ESP) protocol provides confidentiality, data origin authentication, connectionless integrity, and anti-replay protection. ESP is the workhorse of modern IPSec deployments, providing all the security services organizations typically require.
IP Protocol Number: 50
Defined in: RFC 4303 (obsoletes RFC 2406)
Security Services Provided:
Key Characteristic: ESP encrypts the payload, providing confidentiality in addition to authentication. Unlike AH, ESP does NOT authenticate the outer IP header—this makes ESP compatible with NAT but means the IP header is not integrity-protected.
ESP Packet Format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
| Security Parameters Index (SPI) | ^
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Sequence Number | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --+-- Authenticated
| Payload Data (variable) | | (and Encrypted
~ ~ | starting here)
| | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | Padding (0-255 bytes) | |
+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | Pad Length | Next Header | v
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
| Integrity Check Value (ICV) (variable) |
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Field | Size | Encrypted? | Authenticated? | Purpose |
|---|---|---|---|---|
| SPI | 32 bits | No | Yes | Identifies Security Association. Must be ≥ 256 (0-255 reserved). |
| Sequence Number | 32 bits | No | Yes | Anti-replay counter. High-order 32 bits implicit with ESN. |
| Payload Data | Variable | Yes | Yes | Transport: Original L4 header + data. Tunnel: Entire original packet. |
| Padding | 0-255 bytes | Yes | Yes | Aligns to encryption block boundary. May include TFC padding. |
| Pad Length | 8 bits | Yes | Yes | Number of padding bytes preceding this field. |
| Next Header | 8 bits | Yes | Yes | Protocol of encapsulated data (6=TCP, 17=UDP, 4=IPv4, 41=IPv6). |
| ICV | Variable | No | N/A (is the auth) | Integrity Check Value—MAC over SPI through Next Header. |
ESP Encryption and Authentication Boundaries:
Understanding exactly what is encrypted vs. authenticated is critical:
| IP Header | SPI | Seq# | Encrypted: (Payload + Padding + Pad Len + Next Header) | ICV |
|_____|______|_________________________________________________|
↓
Authenticated portion
|_____|______|__________________________________________________|
|
Not encrypted (needed for SA lookup)
AEAD Mode (AES-GCM):
With AEAD algorithms, encryption and authentication are combined:
Non-AEAD Mode (AES-CBC + HMAC):
With traditional encrypt-then-MAC:
ESP can use 'NULL encryption' (ESP_NULL) to provide authentication without confidentiality—essentially mimicking AH's security services but in ESP format. This is useful for testing, debugging, or environments with export restrictions on encryption. The packet structure is identical, but the payload is transmitted in cleartext.
ESP Transport Mode Packet Structure:
Original:
| IPv4 Header | TCP Header | Data |
Proto=6
After ESP (Transport Mode):
| IPv4 Header | ESP Hdr | Encrypted:(TCP Header + Data + Pad + PL + NH) | ICV |
Proto=50 SPI+Seq ←────────── Encrypted ──────────→
←────────────────── Authenticated ──────────────────→
ESP Tunnel Mode Packet Structure:
Original:
| IPv4 Header | TCP Header | Data |
Src: Host A
Dst: Host B
After ESP (Tunnel Mode):
| New IPv4 Hdr | ESP Hdr | Encrypted:(Orig IPv4 Hdr + TCP Hdr + Data + Pad + PL + NH) | ICV |
Src: GW_A SPI+Seq ←──────────────────── Encrypted ────────────────────→
Dst: GW_B
Proto=50 ←─────────────────────── Authenticated ───────────────────────→
In tunnel mode, the original IP header is encrypted, providing traffic flow confidentiality—observers can't see the internal source/destination addresses.
Understanding the differences between AH and ESP is essential for protocol selection and troubleshooting. While ESP dominates modern deployments, the comparison illuminates important IPSec concepts.
| Feature | AH (Protocol 51) | ESP (Protocol 50) |
|---|---|---|
| Confidentiality | ❌ Not provided | ✅ Encryption (AES-GCM, etc.) |
| Data Origin Authentication | ✅ HMAC-based | ✅ HMAC or AEAD tag |
| Connectionless Integrity | ✅ Full packet | ✅ ESP header + payload |
| Anti-Replay | ✅ Sequence numbers | ✅ Sequence numbers |
| IP Header Protection | ✅ Immutable fields authenticated | ❌ IP header not covered |
| NAT Compatibility | ❌ Completely broken | ✅ Works with NAT-T |
| Header Size (typical) | ~24 bytes | ~8 bytes + ICV (~16) = ~24 bytes |
| Modern Deployment | Rare (legacy only) | Standard (nearly universal) |
| RFC | RFC 4302 | RFC 4303 |
Why ESP Dominates Modern Deployments:
Several factors have led to ESP's near-universal adoption:
NAT Ubiquity: NAT is everywhere—home routers, corporate firewalls, carrier-grade NAT, cloud load balancers. AH simply doesn't work through NAT. ESP with NAT-T (UDP encapsulation) traverses NAT seamlessly.
Confidentiality Expected: In an era of pervasive surveillance concerns, encryption is expected for any VPN. AH's authentication-only approach doesn't meet modern security requirements.
ESP-NULL Alternative: When only authentication is needed, ESP with NULL encryption provides the same security as AH without NAT problems.
AEAD Algorithms: Modern AEAD algorithms (AES-GCM) combine encryption and authentication efficiently. Using ESP with AEAD is simpler and faster than using AH for authentication plus another mechanism for encryption.
Header Protection Rarely Needed: The IP header authentication that AH provides is valuable in theory but rarely necessary in practice. Most attacks target payload content, not IP headers. When header tampering is a concern, other mechanisms (like signed routing in BGPsec) address it more appropriately.
AH appears in very specific scenarios: (1) Regulatory environments that prohibit encryption but require authentication; (2) Legacy systems configured years ago; (3) Certain government networks with specific assurance requirements; (4) Combined with ESP for IP header protection in controlled (no-NAT) environments. If you encounter AH in production, it's likely a legacy configuration worth reviewing.
Understanding the exact processing steps helps with troubleshooting and security analysis. Let's trace ESP processing for both sending and receiving.
Outbound ESP Processing (Sender):
Inbound ESP Processing (Receiver):
IPSec mandates verification before decryption for non-AEAD algorithms. Processing unauthenticated ciphertext can lead to oracle attacks where decryption errors reveal information about the plaintext. AEAD algorithms (AES-GCM) inherently couple authentication and decryption, avoiding this issue. Always verify ICV before acting on decrypted content.
RFC 4301 permits using both AH and ESP together on the same packet. This provides defense-in-depth: ESP encrypts the payload, while AH authenticates the IP header that ESP cannot protect.
Combined Processing (ESP then AH):
The recommended order is to apply ESP first, then AH:
Original:
| IP Header | TCP Header | Data |
After ESP:
| IP Header | ESP Header | Encrypted Payload | ICV |
After AH (applied to ESP-protected packet):
| IP Header | AH Header | ESP Header | Encrypted Payload | ESP ICV |
Proto=51 Next=50
←─────────── AH authenticates entire packet ───────────→
Why ESP First?
Applying ESP before AH means:
If AH were applied first, the ESP processing would occur after AH, meaning ESP couldn't benefit from AH's IP header protection.
| Direction | First Protocol | Second Protocol | Result |
|---|---|---|---|
| Outbound | ESP (encrypt + auth) | AH (IP header auth) | ESP inside AH wrapper |
| Inbound | AH (verify) | ESP (decrypt + verify) | Strip AH, then ESP |
Practical Considerations:
Combining AH and ESP is rare in practice due to:
NAT Incompatibility: AH breaks NAT, so the combination doesn't work in most real-world networks.
Diminishing Returns: The additional protection from AH (IP header authentication) is rarely worth the complexity and overhead.
Implementation Support: Not all IPSec implementations support combined AH+ESP bundles.
Performance Overhead: Two separate cryptographic operations per packet.
When Combined AH+ESP Might Be Used:
For environments concerned about IP header manipulation, consider using ESP in tunnel mode. The outer IP header (which is unprotected) contains only gateway addresses, while the original IP header is encrypted inside the ESP payload. This provides equivalent security without AH's NAT incompatibility.
When analyzing packet captures (Wireshark, tcpdump), you'll encounter IPSec traffic frequently. Here's how to identify and interpret it:
Quick Identification:
| Indicator | Meaning |
|---|---|
| Protocol = 50 | ESP (Encapsulating Security Payload) |
| Protocol = 51 | AH (Authentication Header) |
| UDP port 500 | IKE (Key Exchange) negotiation |
| UDP port 4500 | IKE/ESP with NAT-Traversal |
Wireshark Display:
Frame 123: 154 bytes on wire
Internet Protocol Version 4, Src: 203.0.113.1, Dst: 198.51.100.1
Protocol: ESP (50)
Encapsulating Security Payload
ESP SPI: 0xc32a7b91 (3274668945)
ESP Sequence: 15847
ESP Payload (encrypted)
Without decryption keys, Wireshark shows only the ESP header (SPI, sequence number) and notes the payload is encrypted.
Decrypting ESP in Wireshark:
For troubleshooting, Wireshark can decrypt ESP if you provide the Security Association parameters:
Example SA Configuration in Wireshark:
SPI: 0xc32a7b91
Encryption: AES-GCM-256
Key: 0x02e8a5f7c9b1d4e8a5f7c9b1d4e8a5f7c9b1d4e8a5f7c9b1d4e8a5f7c9b1d4e8
Authentication: (implicit in GCM)
NAT-T Detection:
NAT-Traversal encapsulates ESP in UDP. In captures:
Frame 456: 178 bytes on wire
Internet Protocol Version 4, Src: 198.51.100.1, Dst: 203.0.113.1
User Datagram Protocol, Src Port: 4500, Dst Port: 4500
Non-ESP Marker: 0 (ESP encapsulated data)
Encapsulating Security Payload
ESP SPI: 0xd4b8e2c1
ESP Sequence: 9821
The Non-ESP Marker (4 zero bytes) indicates ESP data rather than IKE control traffic.
| Traffic Pattern | What It Indicates |
|---|---|
| UDP 500 exchanges followed by Protocol 50 | Normal IKE negotiation then ESP tunnel (no NAT) |
| UDP 500 exchanges then all traffic on UDP 4500 | NAT detected, switched to NAT-T mode |
| Protocol 51 only | AH-only (rare, authentication without encryption) |
| Protocol 51 followed by Protocol 50 | Combined AH+ESP bundle (very rare) |
| Periodic UDP 500/4500 exchanges | IKE rekey operations |
| ESP with increasing sequence numbers | Healthy, active tunnel |
| ESP with sequence gaps | Packet loss or anti-replay window issues |
Useful Wireshark display filters: esp (ESP packets), ah (AH packets), isakmp (IKE negotiation), esp.spi == 0xc32a7b91 (specific SA), udp.port == 4500 (NAT-T traffic). For troubleshooting, capture on both endpoints and compare SPI values and sequence numbers.
We've examined the two protocols that implement IPSec security services. Let's consolidate the key insights:
What's Next:
With a solid understanding of IPSec protocols, we now examine the IPSec architecture—the security databases (SPD, SAD), Security Associations, and the control plane (IKE) that manages the entire system. This architectural foundation ties together everything we've learned about purposes, services, modes, and protocols.
You now understand IPSec's two security protocols: AH for authentication-only (but NAT-incompatible) and ESP for full security services (encryption + authentication). You can trace packet processing steps, interpret captures, and make informed protocol selection decisions. Next, we'll explore the IPSec architecture that orchestrates these protocols.