What Is AH? Security Definition
Also known as: Authentication Header, IPSec AH, RFC 4302
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
Quick Definition
The Authentication Header (AH) is a security protocol defined in RFC 4302 that is part of the IPsec suite. It ensures that the data in an IP packet has not been tampered with during transit (integrity) and that it genuinely came from the claimed source (data origin authentication). AH also offers optional anti-replay protection by using a sequence number to detect duplicate or replayed packets. Unlike its counterpart ESP, AH does not provide confidentiality (encryption); it only authenticates the packet's payload and header fields. AH inserts its own header between the IP header and the transport layer header, and it authenticates the entire IP packet, including immutable fields in the outer IP header. This makes AH useful in scenarios where integrity and authentication are critical but encryption is not required or is handled separately. AH operates in either transport mode (protecting the payload plus the immutable fields of the IP header) or tunnel mode (protecting the entire original IP packet). It is commonly used in VPNs and secure communications where data authenticity is paramount.
Must Know for Exams
CompTIA Network+ (N10-008) tests AH primarily in the context of IPsec and VPN technologies. Exam focus areas include: (1) Understanding that AH provides authentication and integrity but not encryption – this is the most tested distinction between AH and ESP. (2) Knowing that AH operates at the network layer (Layer 3) and is part of the IPsec suite.
(3) Recognizing that AH is not compatible with NAT because NAT modifies the IP header, which invalidates the AH integrity check – this is a common exam trap. (4) Identifying the correct mode of operation: transport mode (protects payload) vs. tunnel mode (protects entire packet).
(5) Understanding the role of the Security Parameters Index (SPI) and sequence numbers in AH for security associations and anti-replay. Network+ questions may ask which protocol provides integrity without encryption, or which IPsec protocol cannot traverse NAT. Candidates must also know that AH uses an Integrity Check Value (ICV) and that it authenticates the entire packet, including immutable IP header fields.
Simple Meaning
Think of AH as a tamper-evident seal on a package. When you send a package, you put a special seal that breaks if anyone opens or alters the package. The recipient can see that the seal is intact and know the package hasn't been tampered with.
However, the seal doesn't hide what's inside—anyone can still read the contents. Similarly, AH ensures that the data inside an IP packet hasn't been changed and that it came from the right sender, but it doesn't encrypt the data. So if you're sending a postcard with a tamper-evident sticker, the message is visible but you can prove it wasn't altered.
That's AH: it's about trust and integrity, not secrecy.
Full Technical Definition
AH is defined in RFC 4302 (obsoletes RFC 2402) and operates at the network layer (Layer 3) of the OSI model. It is a component of the IPsec protocol suite. AH provides connectionless integrity, data origin authentication, and optional anti-replay protection.
It does not provide confidentiality (encryption). The AH header is inserted after the IP header and before the transport layer header (e.g., TCP/UDP). The AH header contains the following fields:
Next Header (8 bits) – indicates the type of the next payload (e.g., 6 for TCP, 17 for UDP);
Payload Length (8 bits) – length of AH in 32-bit words minus 2;
Reserved (16 bits) – must be zero;
Security Parameters Index (SPI) (32 bits) – identifies the security association;
Sequence Number (32 bits) – monotonically increasing counter for anti-replay;
Integrity Check Value (ICV) (variable) – cryptographic checksum (typically a truncated HMAC) over the packet, including immutable IP header fields.
AH authenticates the entire IP packet, including fields in the IP header that do not change in transit (e.g., source/destination IP, protocol). Fields that change in transit (TTL, header checksum, and the other mutable fields), together with the ICV field itself, are set to zero before the ICV is calculated.
AH can be used in transport mode (protects payload and selected IP header fields) or tunnel mode (protects entire original IP packet, including original IP header). Compared to ESP, AH authenticates more of the packet (including outer IP header in tunnel mode) but does not encrypt. In modern IPsec implementations, ESP with null encryption is often preferred over AH because it can also provide authentication and can traverse NAT more easily.
AH is not compatible with NAT because NAT modifies the IP header, which breaks AH's integrity check.
Real-Life Example
A multinational corporation uses IPsec VPNs to connect its branch offices. The security policy requires that all traffic between the headquarters and the branch office be authenticated to prevent spoofing and tampering, but encryption is not mandated because the traffic is already encrypted at the application layer. The network administrator configures an IPsec tunnel using AH in tunnel mode between two VPN gateways.
When a user in the branch office sends a file to headquarters, the packet is encapsulated with an AH header. The gateway calculates an Integrity Check Value (ICV) over the entire original IP packet and some immutable fields of the new outer IP header. The receiving gateway verifies the ICV.
If a malicious actor intercepts the packet and modifies any part of it (e.g., changes the destination IP), the ICV will not match, and the packet is discarded. The administrator also enables anti-replay with a window size of 64 packets.
If an attacker captures a valid packet and tries to replay it later, the sequence number will be outside the window, and the packet is rejected. This ensures that only authentic, non-replayed traffic reaches the headquarters network.
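The anti-replay window from the scenario above, as an added illustration that is not part of the original page: a Python sliding window of the kind RFC 4302 describes, with a 64-packet window, fed a constructed stream of sequence numbers. The split into a check before ICV verification and an update only after the ICV has verified, the `icv_ok` stand-in for that verification, and the sample sequence are assumptions made for the demo.

```python
class AntiReplayWindow:
    """Sliding receive window for AH sequence numbers (RFC 4302 section 3.4.3 style).

    `top` is the highest sequence number accepted so far; bit i of `bitmap` records
    whether sequence number (top - i) has already been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # no packet accepted yet; the first valid sequence number is 1
        self.bitmap = 0

    def check(self, seq: int) -> tuple:
        """Pre-ICV check: could this sequence number be accepted? Does not modify state."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            return True, "new high water mark"
        offset = self.top - seq
        if offset >= self.size:
            return False, "too old: outside the window"
        if self.bitmap & (1 << offset):
            return False, "replay: already accepted"
        return True, "inside window, not yet seen"

    def update(self, seq: int) -> None:
        """Post-ICV update: call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                     # whole old window falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)   # mark an in-window packet as seen


def process_stream(seqs, window_size=64, icv_ok=lambda seq: True):
    """Run a constructed stream of already-parsed sequence numbers through the window.

    icv_ok stands in for ICV verification (assumed hook, not part of RFC 4302).
    Returns a list of (seq, accepted, reason) so a receiver log can be reconstructed.
    """
    win = AntiReplayWindow(window_size)
    log = []
    for seq in seqs:
        ok, reason = win.check(seq)
        if ok and not icv_ok(seq):
            ok, reason = False, "ICV failed"       # a forged packet must not move the window
        if ok:
            win.update(seq)
        log.append((seq, ok, reason))
    return log


# Constructed sample: in-order packets, one reordered, one replay, a jump past the
# window, a late-but-valid packet, one that is now too old, and a replay of the newest.
CONSTRUCTED_SEQUENCE = [1, 2, 3, 5, 4, 3, 70, 10, 6, 70]

if __name__ == "__main__":
    for seq, ok, reason in process_stream(CONSTRUCTED_SEQUENCE):
        print(f"seq={seq:3d} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Reordered packets inside the window (sequence 4 arriving after 5) are accepted, while a duplicate, anything older than `top - 64`, and a replayed packet are rejected; a packet whose ICV fails is rejected without advancing the window, so an attacker cannot use forged sequence numbers to push legitimate traffic out of it.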
Why This Term Matters
Understanding AH is critical for IT professionals because it is a fundamental building block of IPsec, which is widely used for secure VPNs and site-to-site communications. AH provides a way to ensure data integrity and authenticity without the overhead of encryption, which is important in environments where encryption is already provided by other means or where performance is a concern. Troubleshooting IPsec issues often involves understanding whether AH or ESP is in use, as AH is incompatible with NAT and can cause connectivity problems in NAT environments.
Knowledge of AH helps in designing secure networks, selecting appropriate security protocols, and diagnosing authentication failures. For career growth, expertise in IPsec and its components like AH is expected for network engineers, security analysts, and anyone pursuing CompTIA Network+, Security+, or CCNA certifications.
How It Appears in Exam Questions
Exam questions often present a scenario where a network administrator needs to ensure data integrity and authentication but not encryption. The correct answer is AH. Another pattern: 'Which IPsec protocol is incompatible with NAT?'
– the answer is AH because NAT changes the IP header, breaking the ICV. A third pattern: 'Which IPsec protocol provides anti-replay protection?' – both AH and ESP can provide anti-replay, but the question may specify 'without encryption,' leading to AH.
A fourth pattern: 'In IPsec transport mode, which parts of the packet are authenticated by AH?' – the answer is the payload and selected IP header fields (immutable). Wrong answers often include ESP (which provides encryption), SSL/TLS (which operates at higher layers), or confusing AH with authentication headers in other contexts.
To spot the correct answer, look for keywords like 'integrity only,' 'no encryption,' 'authentication without confidentiality,' or 'NAT incompatibility.'
Example Scenario
1. Alice wants to send a message to Bob securely but doesn't need to hide the message, only ensure it isn't tampered with.
2. Alice's computer uses IPsec with AH. It creates an AH header containing a sequence number and a cryptographic hash (ICV) of the entire packet (including IP header fields that don't change).
3. The packet is sent over the internet. An attacker intercepts the packet and changes the destination IP address to their own computer.
4. Bob's computer receives the packet and recalculates the ICV. Because the IP header was modified, the calculated ICV does not match the one in the AH header.
5. Bob's computer discards the packet and logs an authentication failure. Bob knows that the message was tampered with and does not trust it.
6. If the packet had arrived intact, Bob would have verified the ICV and accepted the message as authentic.
Common Mistakes
AH provides encryption.
AH does not encrypt any part of the packet. It only provides integrity and authentication. Encryption is provided by ESP. Confusing the two is a common error.
Remember: AH = Authentication only, no encryption. ESP = Encryption plus optional authentication.
AH can traverse NAT without issues.
AH authenticates the IP header, including source and destination IP addresses. NAT changes these addresses, causing the integrity check to fail. Therefore, AH is incompatible with NAT.
AH + NAT = broken. Use ESP with null encryption if you need authentication through NAT.
AH operates at the transport layer (Layer 4).
AH is part of IPsec and operates at the network layer (Layer 3). It is inserted between the IP header and the transport header, but it is a network-layer protocol.
AH is Layer 3 (network layer). Think of it as an extension of the IP header.
Exam Trap — Don't Get Fooled
The trap: The most dangerous misconception is that AH provides confidentiality (encryption). Candidates often choose AH when a question asks for a protocol that provides both authentication and encryption, confusing it with ESP.
Why learners choose it: The name 'Authentication Header' sounds like it might include security features beyond authentication. Also, many study resources group AH and ESP together, leading learners to assume AH does encryption too.
How to avoid it: Remember the rule: 'AH = Authentication only, no Hiding.' If the question mentions encryption, confidentiality, or secrecy, the answer is ESP, not AH. Always check for the word 'encryption' in the scenario.
Commonly Confused With
ESP provides both encryption (confidentiality) and optional authentication/integrity. AH provides only authentication and integrity, no encryption. ESP also authenticates less of the packet (does not authenticate the outer IP header in tunnel mode).
If you need to hide the data, use ESP. If you only need to prove it hasn't been tampered with, use AH.
SSL/TLS operates at the transport layer (Layer 4) and secures specific application connections (e.g., HTTPS). AH operates at the network layer (Layer 3) and secures all IP traffic between two hosts or networks.
SSL secures a single web session; AH secures all packets between two VPN gateways.
Step-by-Step Breakdown
Step 1 — Packet Construction
The sending host or security gateway constructs an IP packet with the original payload (e.g., TCP segment). It then inserts an AH header between the IP header and the payload.
Step 2 — ICV Calculation
The sender calculates an Integrity Check Value (ICV) over the entire IP packet, including immutable fields in the IP header (e.g., source/destination IP, protocol). Fields that change (TTL, checksum) are set to zero for calculation.
Step 3 — AH Header Insertion
The AH header is populated with the SPI (identifies the security association), sequence number (for anti-replay), and the computed ICV. The packet is then sent to the destination.
Step 4 — Packet Reception and Verification
The receiver uses the SPI to look up the security association and the shared secret key. It recalculates the ICV over the received packet (again zeroing out mutable fields).
Step 5 — Integrity Check
The receiver compares the recalculated ICV with the one in the AH header. If they match, the packet is accepted as authentic and untampered. If not, the packet is discarded and logged.
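The five steps above, and the header layout from the Full Technical Definition, carried through in code as an added example (not part of the original page, and not any IPsec implementation's code): a transport-mode IPv4 AH sender and receiver in Python using a 96-bit truncated HMAC-SHA256 as the ICV. The shared key, the addresses, the payload and the SPI are constructed values; the `rewrite_source` and `decrement_ttl` helpers stand in for a NAT device and an ordinary router respectively, so the demo shows why a TTL change is harmless to AH while an address change breaks it.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51        # IP protocol number for AH (RFC 4302)
AH_FIXED_LEN = 12    # Next Header, Payload Length, Reserved, SPI, Sequence Number
ICV_LEN = 12         # 96-bit truncated HMAC, the usual AH ICV size

# Constructed SA key for the example only; real keys are negotiated by IKE.
SA_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_length: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 header, no options: version/IHL, TOS, length, ID, DF flag, TTL, proto."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """Zero the fields RFC 4302 classes as mutable: TOS, flags/fragment offset, TTL, checksum.
    Source/destination addresses and protocol stay covered, which is why NAT breaks AH."""
    h = bytearray(hdr)
    h[1] = 0                 # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes, icv_len: int) -> bytes:
    """ICV = truncated HMAC over (IP header with mutable fields zeroed) + AH header with the
    ICV field itself zeroed + payload."""
    data = zero_mutable_ipv4(ip_hdr) + ah_fixed + bytes(icv_len) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:icv_len]


def ah_protect(key, src, dst, next_header, payload, spi, seq):
    """Sender side, transport mode: IP header | AH header | original payload."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = build_ipv4_header(src, dst, AH_PROTO, total_len)
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_fixed, payload, ICV_LEN)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, packet):
    """Receiver side: parse the AH header, recompute the ICV over the received packet, compare."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTO:
        raise ValueError("not an AH packet")
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    next_header, payload_len_field, _reserved, spi, seq = struct.unpack("!BBHII", ah_fixed)
    icv_len = (payload_len_field + 2) * 4 - AH_FIXED_LEN
    icv_start = 20 + AH_FIXED_LEN
    icv = packet[icv_start:icv_start + icv_len]
    payload = packet[icv_start + icv_len:]
    expected = compute_icv(key, ip_hdr, ah_fixed, payload, icv_len)
    return {"ok": hmac.compare_digest(icv, expected), "spi": spi, "seq": seq,
            "next_header": next_header, "payload": payload}


def rewrite_source(packet, new_src):
    """What a NAT device does: replace the source address and fix the IPv4 checksum."""
    h = bytearray(packet[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def decrement_ttl(packet):
    """What an ordinary router does: TTL - 1 and a new checksum (both mutable fields)."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def demo():
    """Returns (intact_ok, after_nat_ok, after_router_ok)."""
    payload = b"constructed TCP segment"   # constructed sample transport payload
    pkt = ah_protect(SA_KEY, "10.1.1.10", "10.2.2.20", 6, payload, spi=0x1000, seq=1)
    return (ah_verify(SA_KEY, pkt)["ok"],
            ah_verify(SA_KEY, rewrite_source(pkt, "203.0.113.5"))["ok"],
            ah_verify(SA_KEY, decrement_ttl(pkt))["ok"])


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The receiver uses the SPI it parses to select the key (here a single constructed key stands in for the SA lookup), recomputes the ICV with exactly the same zeroing rules as the sender, and compares with a constant-time check. The router hop leaves the ICV valid because TTL and checksum were excluded from the computation; the NAT hop changes a covered field, so the packet is discarded, which is the behaviour the exam trap is built on.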
Practical Mini-Lesson
Core Concept: AH is an IPsec protocol that provides data integrity, data origin authentication, and optional anti-replay protection for IP packets. It does not encrypt the payload. How it works: When a packet is sent using AH, an AH header is inserted between the IP header and the transport layer header.
The AH header contains a Security Parameters Index (SPI) to identify the security association, a sequence number for anti-replay, and an Integrity Check Value (ICV) that is a cryptographic hash computed over the entire IP packet (including immutable fields in the IP header). The receiving end recalculates the ICV and compares it to the one in the AH header. If they match, the packet is authentic and unchanged.
Comparison to similar technologies: ESP (Encapsulating Security Payload) also provides integrity and authentication but additionally offers encryption (confidentiality). ESP can also provide authentication alone (ESP with null encryption), which sometimes makes AH redundant. However, AH authenticates more of the packet (including outer IP header in tunnel mode) than ESP does.
SSL/TLS operates at the transport layer and provides encryption and authentication for specific applications, not for all IP traffic. Key takeaway: AH is used when you need to guarantee that a packet hasn't been altered and comes from a trusted source, but you don't need to hide the data. Remember that AH is not compatible with NAT because NAT changes the IP header, breaking the integrity check.
In modern networks, ESP with null encryption is often preferred over AH because it can traverse NAT more easily.
Memory Tip
Mnemonic: 'AH! No Encryption, Only Integrity!' – The exclamation 'AH!' reminds you that AH provides Authentication and integrity, but no encryption. The 'H' stands for Header, and the key exam fact: AH cannot pass through NAT because it authenticates the IP header.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
N10-009 CompTIA Network+; SY0-701 CompTIA Security+; 200-301 Cisco CCNA; 220-1102 CompTIA A+ Core 2; SC-900; Google CDL; ISC2 CC
Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008 → N10-009 (current version)
Frequently Asked Questions
Does AH encrypt the data in the packet?
No, AH does not provide any encryption. It only provides authentication (verifying the sender) and integrity (ensuring the data hasn't been altered). If you need encryption, you must use ESP or another encryption protocol.
How does AH compare to ESP?
ESP provides both encryption and optional authentication. AH provides only authentication and integrity. ESP is more commonly used because it can offer confidentiality, and ESP with null encryption can be used for authentication-only scenarios that are NAT-friendly.
Why is AH not compatible with NAT?
AH authenticates the entire IP packet, including the source and destination IP addresses. NAT changes these addresses, which causes the integrity check to fail. Therefore, AH cannot traverse NAT devices. ESP does not authenticate the outer IP header, so it works with NAT (in practice with NAT Traversal, which wraps ESP in UDP so that port translation works as well).
In which exam would I most likely see AH?
AH appears in CompTIA Network+, Security+, and Cisco CCNA exams. Network+ focuses on the basic distinction between AH and ESP. Security+ goes deeper into IPsec components. CCNA tests IPsec VPN configuration and troubleshooting.
When would I use AH instead of ESP?
AH is used when you need to guarantee integrity and authenticity but do not require encryption, perhaps because the data is already encrypted at a higher layer or because encryption is prohibited by policy. However, in practice, ESP with null encryption is often preferred because it is NAT-compatible.
Summary
(1) AH (Authentication Header) is an IPsec protocol that provides connectionless integrity, data origin authentication, and anti-replay protection, but does NOT provide encryption. (2) Its most critical technical property is that it authenticates the entire IP packet, including immutable fields in the IP header, making it incompatible with NAT. (3) The most important exam fact: AH is the IPsec protocol you choose when you need authentication and integrity without confidentiality; it is often contrasted with ESP which adds encryption.