Network+ · Security+ · CCNA · Intermediate · 15 min read

What Is AH? Security Definition

Also known as: Authentication Header, IPSec AH

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.


Quick Definition

AH (Authentication Header) is a security protocol used within the IPsec suite to ensure that IP packets have not been tampered with during transit and that they originate from a legitimate source. Unlike its counterpart ESP (Encapsulating Security Payload), AH does not provide confidentiality or encryption; it focuses solely on authentication and integrity. It works by adding an authentication header to each IP packet, which contains a cryptographic hash (integrity check value) computed over the packet's payload and certain immutable fields in the IP header. This allows the receiver to verify that the packet was not modified en route and that it came from the claimed sender. AH operates at the network layer (Layer 3) and can be used in either transport mode (protecting only the payload) or tunnel mode (protecting the entire original IP packet). It was originally defined in RFC 1826 and later updated in RFC 4302. AH is essential for scenarios where data integrity and authentication are critical but encryption is not required or is handled separately.

Must Know for Exams

On the Network+ (N10-008) exam, AH is covered under Domain 4.0 (Network Security) and specifically objective 4.2 (Compare and contrast common networking vulnerabilities and threats, and explain common security technologies).

The exam focuses on: (1) AH's role in IPsec as an authentication-only protocol—candidates must know that AH does NOT provide encryption. (2) The difference between AH and ESP: AH provides integrity and authentication; ESP provides confidentiality (encryption) and optionally integrity. (3) AH modes: transport mode (protects payload) vs. tunnel mode (protects entire packet). (4) AH's limitation with NAT: because AH authenticates the entire IP header, any NAT device that changes the source/destination IP will cause the integrity check to fail. This is a classic exam trap. (5) Anti-replay protection: AH uses sequence numbers to prevent replay attacks. (6) The fact that AH operates at Layer 3 (Network layer). (7) Common use cases: when encryption is not needed but authentication is critical.

On Security+ (SY0-601), AH appears under Domain 3.0 (Implementation) and objective 3.2 (Given a scenario, implement secure network architecture concepts). The exam emphasizes comparing AH to ESP and understanding when to use each.

On CCNA (200-301), AH is part of IPsec VPN configuration and troubleshooting. Candidates must know how AH interacts with NAT and how to configure IPsec with AH. Exam questions often present a scenario where a VPN is failing after NAT, and the correct answer is to switch from AH to ESP or use NAT-T (NAT Traversal).

Simple Meaning

Imagine you are sending a sealed letter through the postal service. You want the recipient to know that the letter was not opened or changed along the way, and that it truly came from you. You do not care if someone reads the letter; you just need to prove it is authentic and unaltered.

To do this, you place a special tamper-proof seal on the envelope that only you can create. When the recipient gets the letter, they check the seal. If the seal is intact and matches your unique signature, they know the letter is genuine and unchanged.

AH works exactly like that seal. It does not hide the contents of the packet (no encryption), but it adds a cryptographic 'seal' that proves the packet's integrity and authenticity. If anyone modifies the packet in transit, the seal breaks, and the receiver discards the packet.

This is ideal for situations where you need to trust the source and ensure no tampering, but you do not need to keep the data secret.

Full Technical Definition

AH (Authentication Header) is a network-layer security protocol defined in RFC 4302 (obsoleting RFC 2402 and RFC 1826). It operates at the Internet Layer of the TCP/IP model, equivalent to Layer 3 of the OSI model. AH provides three primary security services: connectionless integrity (ensuring the packet has not been modified), data origin authentication (verifying the sender's identity), and optional anti-replay protection (using sequence numbers).

AH does NOT provide confidentiality; the packet payload remains in plaintext. The AH header is inserted after the IP header (and before the transport-layer header in transport mode, or before the inner IP header in tunnel mode). The AH header contains several fields: Next Header (identifies the next protocol), Payload Length (length of AH in 32-bit words minus 2), Reserved (set to zero), Security Parameters Index (SPI, identifies the security association), Sequence Number (used for anti-replay), and Integrity Check Value (ICV, a cryptographic hash computed over the entire packet including immutable IP header fields).

The ICV is calculated using a symmetric key shared between sender and receiver, typically using HMAC-SHA-1 or HMAC-MD5. AH protects the IP payload and those parts of the IP header that do not change in transit (e.g., source/destination addresses, but not TTL or checksum). This is crucial because NAT devices modify IP addresses, causing AH to fail when traversing NAT—a key limitation. AH can be used in transport mode (protecting upper-layer protocols like TCP/UDP) or tunnel mode (protecting the entire original IP packet).

Compared to ESP, AH provides authentication without encryption, while ESP can provide both (or just encryption). In practice, ESP is often preferred because it can offer confidentiality, and AH is less common due to NAT traversal issues.

Real-Life Example

A multinational corporation, Globex Corp, has a branch office in Singapore and its headquarters in New York. They need to exchange sensitive financial reports over the internet, but they already use a separate encryption layer (TLS) for the data. Their primary concern is ensuring that the packets have not been tampered with and that they truly originate from the Singapore office.

The network team configures an IPsec VPN using AH in tunnel mode between the two sites' border routers. When the Singapore router sends a packet, it computes an HMAC-SHA-1 hash over the entire original IP packet (including the source/destination IPs) and appends an AH header with the ICV. The packet traverses the internet.

At the New York router, the receiver recomputes the hash using the shared key and compares it to the ICV. If they match, the packet is accepted; if not, it is dropped. One day, an attacker intercepts a packet and tries to modify the destination IP to redirect it to a malicious server.

The ICV check fails because the IP header change alters the hash. The New York router discards the packet, and the attack is thwarted. Globex Corp successfully ensures data integrity and authenticity without the overhead of double encryption.

Why This Term Matters

Understanding AH is important for IT professionals because it represents a fundamental security concept: authentication without encryption. Many real-world scenarios require verifying the source and integrity of data without necessarily hiding its contents (e.g., public alerts, DNS updates, or routing protocol exchanges). AH is also a key component of IPsec, which is widely used in VPNs and secure site-to-site communications. Troubleshooting IPsec issues often involves understanding AH's limitations, especially its incompatibility with NAT.

Knowing AH helps professionals design secure networks that balance performance and security. For career growth, expertise in IPsec protocols like AH is valuable for roles in network security, firewall administration, and cloud networking. Certifications like Network+ and Security+ test AH concepts, making it a must-know for exam success.

How It Appears in Exam Questions

1. Comparison questions: 'Which IPsec protocol provides authentication but NOT encryption?' The answer is AH. Wrong answers often include ESP (which provides encryption) or SSL/TLS (which are not IPsec).

2. Scenario questions: 'A network administrator configures an IPsec VPN between two sites. After implementation, users report that the VPN works for some applications but fails for others. The administrator discovers that NAT is being used. Which protocol is most likely causing the issue?' The correct answer is AH, because AH's integrity check fails when NAT modifies IP addresses. Wrong answers might include ESP (which can work with NAT if configured correctly) or IKE (which handles key exchange).

3. Mode questions: 'In which IPsec mode does AH protect the entire original IP packet?' Answer: tunnel mode. Wrong answers: transport mode (protects only payload), or 'both' (incorrect because transport mode does not protect the original IP header).

4. Feature questions: 'Which of the following is a service provided by AH?' Options: confidentiality, integrity, encryption, or non-repudiation. Correct: integrity. Wrong: confidentiality (ESP provides that).

5. Troubleshooting questions: 'A security administrator notices that IPsec packets are being dropped at a NAT gateway. Which protocol is being used?' Answer: AH. The question tests the known limitation.


Example Scenario

Step 1: Alice wants to send a message to Bob over an untrusted network. She uses AH in transport mode.

Step 2: Alice's computer takes the original IP packet (IP header + TCP segment).

Step 3: The AH module inserts an AH header between the IP header and the TCP segment. The AH header includes a Security Parameters Index (SPI) and a sequence number.

Step 4: Alice's computer computes an Integrity Check Value (ICV) using a shared secret key. The ICV covers the TCP segment and the immutable parts of the IP header (source/destination IP, but not TTL or checksum).

Step 5: The packet is sent. Bob receives it, extracts the AH header, recomputes the ICV using the same key, and compares it to the received ICV. If they match, Bob knows the packet is authentic and unmodified. If not, he discards it.

Common Mistakes

Students think AH provides encryption (confidentiality) because it is part of IPsec.

AH is designed specifically for authentication and integrity, not confidentiality. Encryption is provided by ESP (Encapsulating Security Payload). AH does not encrypt the payload; it only adds a hash for integrity verification.

Remember: AH = Authentication Header, not Encryption Header. If you need encryption, use ESP.

Students believe AH works seamlessly with NAT (Network Address Translation).

AH authenticates the entire IP header, including source and destination IP addresses. NAT changes these addresses, causing the integrity check to fail. Therefore, AH packets are typically dropped by NAT devices unless NAT-T (NAT Traversal) is used with UDP encapsulation.

AH + NAT = broken. Use ESP with NAT-T if you need to traverse NAT.

Students think AH provides the same services as ESP but without encryption.

While both can provide authentication, ESP's authentication does not cover the outer IP header in tunnel mode, whereas AH authenticates the entire packet including the outer IP header. Also, ESP can provide encryption, which AH cannot.

AH authenticates the whole packet (including IP header); ESP authenticates only the payload (and optionally encrypts).

Exam Trap — Don't Get Fooled

The trap: The most dangerous exam trap is when a question describes a scenario where a VPN is failing after NAT, and the candidate selects 'ESP' as the cause, thinking ESP is incompatible with NAT. In reality, AH is the protocol that breaks with NAT, while ESP can work with NAT if NAT-T is used.

Why learners choose it: Learners often confuse AH and ESP, and they know that IPsec has NAT issues. They may have heard that 'IPsec doesn't work with NAT' and assume both protocols fail. They also might think that because ESP encrypts, it is more likely to be blocked, but the actual technical reason is AH's header authentication.

How to avoid it: Apply the rule: 'AH authenticates the IP header, so NAT changes break it. ESP does not authenticate the IP header (in transport mode) or uses UDP encapsulation (NAT-T), so it can work with NAT.' When you see a NAT-related IPsec failure, immediately suspect AH, not ESP.

Commonly Confused With

AH vs ESP (Encapsulating Security Payload)

AH provides authentication and integrity only, without encryption. ESP provides confidentiality (encryption) and optionally authentication/integrity. AH authenticates the entire IP packet (including the outer IP header in tunnel mode), while ESP's authentication typically covers only the payload (and ESP trailer).

Use AH when you need to verify the sender and integrity but don't need to hide the data (e.g., public DNS updates). Use ESP when you need to encrypt the data (e.g., VPN for confidential files).

AH vs IKE (Internet Key Exchange)

IKE is a protocol used to establish Security Associations (SAs) and exchange keys for IPsec (including AH and ESP). AH is the actual data-plane protocol that protects packets. IKE operates on UDP port 500 and is a control-plane protocol, while AH is a data-plane protocol (protocol number 51).

IKE is like the negotiation that sets up the rules; AH is the actual security guard that checks each packet.

Step-by-Step Breakdown


Step 1: Packet Construction

The sender has an IP packet (IP header + payload) ready to transmit. The IPsec implementation determines that this packet should be protected using AH based on the Security Policy Database (SPD).


Step 2: AH Header Insertion

The AH header is inserted between the IP header and the transport-layer header (in transport mode) or after the new outer IP header (in tunnel mode). The AH header includes fields like Next Header, Payload Length, SPI, and Sequence Number.


Step 3: Integrity Check Value (ICV) Calculation

The sender computes a cryptographic hash (e.g., HMAC-SHA-1) over the immutable parts of the IP header (source/destination IP, etc.) and the entire payload. This hash is placed in the ICV field of the AH header.


Step 4: Packet Transmission

The packet is sent over the network. The mutable fields in the IP header (like TTL and checksum) may change, but the ICV does not cover them, so the packet remains valid.


Step 5: Receiver Verification

The receiver extracts the AH header, recomputes the ICV using the same shared key and the received packet's immutable fields and payload. If the computed ICV matches the received ICV, the packet is accepted as authentic and unmodified. If not, the packet is discarded.
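The construction and verification walked through in these five steps (and in the Example Scenario above), as an added Python example that is not part of this page: it builds a minimal IPv4 + AH transport-mode packet, computes an HMAC-SHA1-96 ICV over the immutable IP header fields, the AH header with its ICV field zeroed, and the payload, and then shows that a router hop (TTL decrement plus checksum refresh) leaves the ICV valid while a source NAT rewrite of the address does not. The shared key, the RFC 5737 documentation addresses, the SPI, the sequence number and the payload are constructed values; the IPv4 header is assumed to carry no options, and the mutable-field handling follows the RFC 4302 rule for IPv4 (TOS, flags, fragment offset, TTL and header checksum zeroed before hashing).

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTOCOL = 51   # IP protocol number carried in the IPv4 Protocol field for AH
ICV_LEN = 12       # HMAC-SHA1-96: the 20-byte HMAC-SHA-1 tag truncated to 96 bits
IPV4_HDR_LEN = 20  # IPv4 header without options (assumed here)
AH_FIXED_LEN = 12  # Next Header, Payload Length, Reserved, SPI, Sequence Number


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the (even-length) IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def refresh_checksum(header: bytes) -> bytes:
    """Recompute the header checksum, as every router does after touching the header."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, total_length: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, total_length, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return refresh_checksum(header)


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """RFC 4302 rule for IPv4: fields that may change in transit (TOS, flags,
    fragment offset, TTL, header checksum) are zeroed before the ICV is computed.
    Addresses, protocol and total length are immutable and stay covered."""
    h = bytearray(ip_header)
    h[1] = 0                 # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over: IP header with mutable fields zeroed + AH header with ICV zeroed + payload."""
    data = zero_mutable_fields(ip_header) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, ttl, next_header, spi, seq, payload):
    """Transport mode layout: IP header | AH header | original upper-layer payload."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    payload_length = ah_len // 4 - 2        # AH length in 32-bit words minus 2 (RFC 4302)
    ah_fixed = struct.pack("!BBHII", next_header, payload_length, 0, spi, seq)
    ip_header = build_ipv4_header(src, dst, ttl, AH_PROTOCOL, IPV4_HDR_LEN + ah_len + len(payload))
    return ip_header + ah_fixed + ah_icv(key, ip_header, ah_fixed, payload) + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_header = packet[:IPV4_HDR_LEN]
    if ip_header[9] != AH_PROTOCOL:
        return False
    ah_fixed = packet[IPV4_HDR_LEN:IPV4_HDR_LEN + AH_FIXED_LEN]
    _next, payload_length, _reserved, _spi, _seq = struct.unpack("!BBHII", ah_fixed)
    icv_len = (payload_length + 2) * 4 - AH_FIXED_LEN
    icv_start = IPV4_HDR_LEN + AH_FIXED_LEN
    received_icv = packet[icv_start:icv_start + icv_len]
    payload = packet[icv_start + icv_len:]
    return hmac.compare_digest(ah_icv(key, ip_header, ah_fixed, payload), received_icv)


def forward_through_router(packet: bytes) -> bytes:
    """A normal hop: decrement TTL and fix the checksum. Both are mutable, so the ICV survives."""
    h = bytearray(packet[:IPV4_HDR_LEN])
    h[8] -= 1
    return refresh_checksum(bytes(h)) + packet[IPV4_HDR_LEN:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """Source NAT: rewrite the source address. Addresses are immutable to AH, so the ICV breaks."""
    h = bytearray(packet[:IPV4_HDR_LEN])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return refresh_checksum(bytes(h)) + packet[IPV4_HDR_LEN:]


DEMO_KEY = b"constructed-demo-key-not-for-real-use"   # placeholder shared key


def demo():
    # Constructed packet: RFC 5737 documentation addresses, Next Header 6 (TCP), SPI 0x1001, seq 1.
    pkt = build_ah_packet(DEMO_KEY, "192.0.2.10", "198.51.100.20", 64, 6, 0x1001, 1, b"GET / HTTP/1.0\r\n")
    return {
        "original": verify_ah_packet(DEMO_KEY, pkt),
        "after_router_hop": verify_ah_packet(DEMO_KEY, forward_through_router(pkt)),
        "after_nat": verify_ah_packet(DEMO_KEY, nat_rewrite_source(pkt, "203.0.113.7")),
        "wrong_key": verify_ah_packet(b"other-key", pkt),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() returns True for the original packet and for the packet after a router hop, and False after the NAT rewrite or with the wrong key: the TTL and checksum changes are excluded from the hash, the address change is not, which is exactly the NAT limitation the page describes.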

Practical Mini-Lesson

AH (Authentication Header) is one of two main IPsec protocols, the other being ESP. Its core purpose is to provide data integrity and authentication for IP packets without encryption. Think of it as a digital signature for the entire packet (except mutable fields).

How it works: The sender calculates a cryptographic hash (HMAC) over the packet payload and the immutable parts of the IP header. This hash is placed in the AH header. The receiver, using the same shared key, recalculates the hash. If it matches, the packet is authentic and unaltered.

Key fields in the AH header: Next Header (8 bits) indicates the protocol following AH (e.g., TCP=6). Payload Length (8 bits) is the length of AH in 32-bit words minus 2. Reserved (16 bits) is zero. SPI (32 bits) identifies the Security Association (SA) for this packet. Sequence Number (32 bits) is a monotonically increasing counter used for anti-replay. ICV (variable) is the Integrity Check Value.

AH operates in two modes: Transport mode (protects only the payload, leaving the original IP header intact) and Tunnel mode (protects the entire original IP packet by encapsulating it in a new IP header).

Comparison to ESP: ESP can provide encryption (confidentiality) and optionally authentication, while AH provides only authentication. ESP's authentication does not cover the outer IP header (in tunnel mode), but AH's authentication covers the entire packet (including outer IP header in tunnel mode). However, this also means AH breaks with NAT because NAT changes the IP header.

Configuration notes: AH uses Security Associations (SAs) established by IKE (Internet Key Exchange). In practice, AH is less common than ESP because most deployments need encryption, and ESP can also provide authentication. However, AH is still used in specialized scenarios where encryption is not required or is already provided by another layer.

Key takeaway: AH = authentication + integrity, no encryption. Remember: 'AH, I see you are authentic, but I can read your mail.'
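The Sequence Number field's anti-replay role, as an added Python example that is not part of this page: a receiver-side sliding window in the style of RFC 4302 section 3.4.3, which accepts a packet only if its sequence number is new and not older than the window. The window size of 64 and the stream of sequence numbers fed through it are constructed assumptions. In a real implementation the ICV is verified first and the window is updated only for packets whose ICV checks out; this block covers just the window logic.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window (RFC 4302 section 3.4.3 style).

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (highest - i) has already been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size            # assumed window size; RFC 4302 requires at least 32
        self.highest = 0            # nothing accepted yet; the first packet on an SA is seq 1
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if it is new and inside the window."""
        if seq == 0:
            return False            # sequence number 0 is never valid on an SA
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark this packet.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False            # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False            # already accepted: this is a replay
        self.bitmap |= 1 << offset  # late but in-window and new: accept and record
        return True


def replay_filter(seqs):
    """Run a constructed stream of sequence numbers through a fresh window."""
    window = AntiReplayWindow()
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: duplicates (1, 2, 50), a late arrival (2), a big jump (100)
    # and a packet that falls behind the window after the jump (30).
    print(replay_filter([1, 1, 3, 2, 2, 100, 30, 50, 50, 101]))
```

Duplicates within the window are rejected because their bit is already set; a packet that arrives late but still inside the window (2 after 3) is accepted; and once the high-water mark jumps to 100, a sequence number more than 64 behind it (30) is dropped as too old even though it was never seen.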

Memory Tip

Think 'AH' as 'Authentication Header, no Hiding.' The 'H' in AH stands for Header, but also reminds you it does not Hide data (no encryption). Another mnemonic: 'AH! I know who you are and that you haven't changed, but I don't care if others see you.'

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008 (legacy) → N10-009 (current version)
SY0-601 (legacy) → SY0-701 (current version)


Frequently Asked Questions

Does AH encrypt the data in the packet?

No, AH does not provide encryption. It only provides authentication and integrity. The payload remains in plaintext. If you need encryption, you must use ESP or combine AH with another encryption protocol.

What is the difference between AH and ESP in terms of the services they provide?

AH provides connectionless integrity, data origin authentication, and anti-replay protection. ESP provides confidentiality (encryption) and optionally integrity and authentication. ESP can also provide anti-replay. AH does not encrypt; ESP can encrypt.

Why does AH not work with NAT?

AH authenticates the entire IP header, including source and destination IP addresses. NAT changes these addresses, which causes the integrity check to fail. The receiver will compute a different ICV and drop the packet. ESP can work with NAT because it does not authenticate the outer IP header (in transport mode) or uses UDP encapsulation (NAT-T).

On which OSI layer does AH operate?

AH operates at the Network Layer (Layer 3) of the OSI model, or the Internet Layer of the TCP/IP model. It is an IP protocol (protocol number 51) and is inserted after the IP header.

When would you choose AH over ESP in a real network?

You would choose AH when you need to ensure data integrity and authenticity but do not require confidentiality. For example, if the data is already encrypted by an upper-layer protocol (like TLS) or if the data is not sensitive (e.g., public routing updates). However, in practice, ESP is more commonly used because it can provide both encryption and authentication.

Summary

1. AH (Authentication Header) is an IPsec protocol that provides connectionless integrity, data origin authentication, and anti-replay protection for IP packets, but it does NOT provide confidentiality (encryption).

2. Its key technical property is that it authenticates the entire IP packet, including immutable parts of the IP header, which makes it incompatible with NAT (since NAT modifies IP addresses and breaks the integrity check).

3. The most important exam fact: AH is the IPsec protocol you choose when you need to verify that data has not been tampered with and that it comes from a legitimate source, but you do not need to encrypt the data.

Remember: AH = Authentication only, no Encryption.