What Is an IPsec Authentication Header (AH)?


Updated on September 29, 2025

In the realm of network security, an Authentication Header (AH) is a protocol within the Internet Protocol Security (IPsec) suite, defined in RFC 4302. Its purpose is to provide connectionless integrity, data origin authentication and, optionally, anti-replay protection for IP packets. Unlike Encapsulating Security Payload (ESP), the other IPsec protocol, AH offers no encryption: it is specifically focused on ensuring that a packet, including its IP header, has not been tampered with in transit and that it was produced by a peer holding the key of the Security Association. This makes AH suitable for communications where confidentiality is not the concern, but integrity and authenticity are.

Definition and Core Concepts

An Authentication Header is an IPsec protocol that operates at the network layer (Layer 3); it is identified by IP protocol number 51, carried in the IPv4 Protocol field or the IPv6 Next Header field of the header that precedes it. AH works by inserting a header into the IP packet that carries an Integrity Check Value (ICV): a keyed message authentication code (in practice an HMAC such as HMAC-SHA-256-128, or the older HMAC-SHA1-96) computed over the IP header, the AH header and the payload. Fields of the IP header that legitimately change in transit, such as the Time-to-Live (TTL) or Hop Limit, DSCP/ECN, flags, fragment offset and the IPv4 header checksum, are treated as zero for the computation, as is the ICV field itself.

Foundational Concepts

  • IPsec: A suite of protocols (RFC 4301) used to secure IP communications by authenticating and, with ESP, encrypting each IP packet.
  • Security Association (SA): The unidirectional agreement between two peers that fixes the algorithm, key, SPI and sequence number state used to process packets. Every AH packet belongs to exactly one SA.
  • Integrity: The assurance that data has not been altered since it was originally sent. AH provides this with a keyed MAC (an HMAC), not a bare hash: without the key, an attacker cannot recompute a valid ICV after changing the packet.
  • Origin Authentication: The process of verifying that the packet’s sender is who they claim to be. Because only the two ends of the SA hold the key, a valid ICV shows that the packet was produced by a peer holding that key. A shared symmetric key gives peer authentication, not non-repudiation: either end could have produced the packet.
  • Transport Mode vs. Tunnel Mode: AH can be used in two modes. In Transport Mode, the AH header is inserted between the IP header and the transport-layer protocol (e.g., TCP or UDP); the ICV covers the payload and the immutable fields of the original IP header, source and destination addresses included. In Tunnel Mode, the entire original IP packet is encapsulated within a new IP packet and the AH header sits between the new outer header and the inner packet; the ICV covers the whole inner packet plus the immutable fields of the outer header.

How It Works

The AH protocol computes a keyed Integrity Check Value (ICV) over the IP packet and carries it in the AH header. For an established Security Association (SA) between sender and receiver, the process involves these steps.

  1. Packet Preparation: The sender creates the IP packet, including its payload, and selects the outbound SA that policy assigns to it. The SA records the algorithm, the key, the Security Parameter Index (SPI) and the current sequence number.
  2. AH Header Insertion: An AH header is inserted after the IP header (transport mode) or after a new outer IP header (tunnel mode). Its fields are Next Header (the protocol that follows AH), Payload Length (the AH length in 32-bit words minus 2), a reserved field, the SPI, a 32-bit Sequence Number that the sender increments for every packet on the SA, and the ICV field, initially zero.
  3. ICV Calculation: Using the SA’s keyed MAC (HMAC-SHA-256-128 is common today; HMAC-SHA1-96 is older) and key, the sender computes the ICV over the IP header with its mutable fields (TTL/Hop Limit, DSCP/ECN, flags, fragment offset, header checksum) set to zero, the AH header with the ICV field zeroed, and everything after the AH. The key is either manually configured or derived by the IKE key exchange.
  4. Packet Transmission: The ICV is written into the AH header and the packet is sent. Routers along the path may change the mutable fields without invalidating it.
  5. Packet Receipt and Verification: The receiver looks up the inbound SA by SPI (together with the IP destination address and protocol), performs the anti-replay check on the sequence number if that service is enabled, then recomputes the ICV over the same fields with the SA’s key.
  6. Comparison: The receiver compares the recomputed ICV with the received one, using a constant-time comparison so that the check itself leaks nothing. If the two values match, the packet is authentic, its integrity is verified and the anti-replay window is updated. If they do not match, the packet is discarded and the event is auditable: a mismatch indicates corruption, modification in transit (by a NAT device or a man-in-the-middle), or a key mismatch between the peers.
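The following is an added example, not code from the original page or from any IPsec implementation. It builds an IPv4 AH packet in transport mode and in tunnel mode (the two modes described under Foundational Concepts), computes the ICV exactly as the steps above describe (mutable IPv4 fields and the ICV field zeroed), and verifies it on the receiving side. It then shows the two outcomes a practitioner should expect: a normal router hop (TTL decrement) leaves the packet valid, while a NAT-style rewrite of the source address, a payload change, or a wrong key all fail. The algorithm (HMAC-SHA-256-128), the key bytes and the UDP datagram are constructed for the demo; IPv4 options and IPv6 are not handled.

```python
import hashlib
import hmac
import socket
import struct

# Assumed algorithm: HMAC-SHA-256-128 (RFC 4868), i.e. HMAC-SHA-256 truncated to
# 128 bits. AH's fixed header is 12 bytes; with a 16-byte ICV the AH is 28 bytes.
AH_PROTO = 51
ICV_LEN = 16
AH_FIXED_LEN = 12
AH_PAYLOAD_LEN = (AH_FIXED_LEN + ICV_LEN) // 4 - 2  # 32-bit words minus 2 (RFC 4302)

# Constructed demo key (32 bytes); not a real SA key.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def ipv4_checksum(hdr):
    """Standard one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header without options (DF set, no fragmentation)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr):
    """Zero the IPv4 fields RFC 4302 classes as mutable: TOS (DSCP/ECN), flags +
    fragment offset, TTL, header checksum. Addresses, length, identification and
    protocol are immutable and stay in the ICV input (assumes no IP options)."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC(IP header with mutable fields zeroed || AH with ICV zeroed || rest)."""
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_encapsulate(key, src, dst, spi, seq, next_header, payload, ttl=64):
    """Build IPv4 | AH | payload. Transport mode: payload is a transport segment and
    next_header its protocol. Tunnel mode: payload is a whole inner IP packet, next_header 4."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len, ttl)
    ah_fixed = struct.pack("!BBHII", next_header, AH_PAYLOAD_LEN, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_tunnel_encapsulate(key, outer_src, outer_dst, spi, seq, inner_packet):
    """Tunnel mode: the entire inner IP packet becomes the AH payload (Next Header 4)."""
    return ah_encapsulate(key, outer_src, outer_dst, spi, seq, 4, inner_packet)


def ah_verify(key, packet):
    """Receiver side: parse, recompute the ICV and compare in constant time."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl != 20 or packet[9] != AH_PROTO:   # assumption: no IPv4 options
        return False
    ip_hdr = packet[:ihl]
    ah_fixed = packet[ihl:ihl + AH_FIXED_LEN]
    ah_len = (ah_fixed[1] + 2) * 4            # Payload Length field back to bytes
    icv = packet[ihl + AH_FIXED_LEN:ihl + ah_len]
    payload = packet[ihl + ah_len:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, ah_fixed, payload))


def _rewrite(packet, edits):
    """Apply byte edits to the IP header and fix its checksum, as a router or NAT would."""
    b = bytearray(packet)
    for offset, value in edits:
        b[offset:offset + len(value)] = value
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


def router_hop(packet):           # TTL is mutable: ICV stays valid
    return _rewrite(packet, [(8, bytes([packet[8] - 1]))])


def nat_rewrite_source(packet, new_src):   # source address is covered: ICV breaks
    return _rewrite(packet, [(12, socket.inet_aton(new_src))])


UDP_PAYLOAD = struct.pack("!HHHH", 5353, 5353, 8 + 5, 0) + b"hello"  # constructed datagram


def demo():
    transport = ah_encapsulate(KEY, "10.0.0.1", "10.0.0.2", 0x1000, 1, 17, UDP_PAYLOAD)
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 17, 20 + len(UDP_PAYLOAD)) + UDP_PAYLOAD
    tunnel = ah_tunnel_encapsulate(KEY, "198.51.100.1", "198.51.100.2", 0x2000, 1, inner)
    tampered = transport[:-1] + bytes([transport[-1] ^ 0x01])
    return {
        "transport_ok": ah_verify(KEY, transport),
        "tunnel_ok": ah_verify(KEY, tunnel),
        "after_router_hop": ah_verify(KEY, router_hop(transport)),
        "after_nat": ah_verify(KEY, nat_rewrite_source(transport, "203.0.113.5")),
        "after_payload_tamper": ah_verify(KEY, tampered),
        "wrong_key": ah_verify(b"\x00" * 32, transport),
    }


if __name__ == "__main__":
    print(demo())
```

The `after_nat` result is the NAT incompatibility discussed under Advantages and Trade-offs, reproduced rather than asserted: the NAT recomputes the header checksum correctly, but the source address is part of the ICV input and the receiver has no way to tell a NAT from an attacker rewriting addresses.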

Key Features and Components

AH is defined by several distinct features that dictate its function within the IPsec suite. These characteristics differentiate it from other security protocols.

  • Per-Packet Verification: Every packet carries its own ICV and is verified on its own; AH does not depend on the packets around it or on a stream. The only state the receiver keeps is the SA itself (algorithm, key, SPI) and, when anti-replay is enabled, a window of recently accepted sequence numbers.
  • Limited Functionality: AH provides integrity and authentication but does not provide confidentiality (encryption). This is a critical distinction from IPsec’s other main protocol, Encapsulating Security Payload (ESP).
  • Protocol ID 51: The Internet Assigned Numbers Authority (IANA) has assigned protocol number 51 to the Authentication Header protocol.
  • Replay Protection: The AH header carries a 32-bit Sequence Number (with IKEv2, optionally a 64-bit Extended Sequence Number of which only the low 32 bits are transmitted) that the sender increments for every packet on the SA and must never let wrap without rekeying. A receiver that enables the anti-replay service keeps a sliding window per SA (a minimum of 32 packets must be supported; 64 is the recommended default) and discards packets that fall below the window or that it has already accepted. The check is selectable at the receiver, and it is normally disabled with manual keying, since a manually keyed SA cannot safely reset its counter.
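The anti-replay mechanism just described, as an added example written for this page (it is not code from the original article or from any IPsec stack). It implements the receiver’s sliding window with a 64-bit bitmap in the style of RFC 4302 section 3.4.3: a cheap sequence-number check before ICV verification, and a window update only after the ICV has verified, so that forged packets cannot advance the window. It also includes the sender’s counter, which refuses to wrap past 2^32 - 1 and so forces a rekey. The arrival order in `demo()` is constructed to exercise each branch.

```python
SEQ_MAX = 2**32 - 1


class AhSender:
    """Per-SA outbound counter. The first packet on an SA carries sequence number 1;
    the counter must not wrap, so the SA has to be rekeyed before 2^32 packets."""

    def __init__(self):
        self.seq = 0

    def next_seq(self):
        if self.seq >= SEQ_MAX:
            raise RuntimeError("sequence number would wrap: rekey the SA")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Sliding window over accepted sequence numbers for one inbound SA."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence number (top - i) already accepted

    def check(self, seq):
        """Pre-ICV test; changes no state so a bad ICV cannot move the window."""
        if seq == 0:
            return False                          # 0 is never valid on the wire
        if seq > self.top:
            return True                           # to the right of the window
        diff = self.top - seq
        if diff >= self.size:
            return False                          # too old: left of the window
        return not (self.bitmap >> diff) & 1      # inside: reject duplicates

    def mark(self, seq):
        """Record an accepted packet; call only after the ICV verified."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq, icv_ok):
        """Receiver pipeline for one packet: replay check, then ICV, then update."""
        if not self.check(seq):
            return "replay"
        if not icv_ok:
            return "bad_icv"
        self.mark(seq)
        return "accept"


def demo():
    w = AntiReplayWindow(64)
    # Constructed arrival order: (sequence number, whether its ICV verified).
    arrivals = [(1, True), (2, True), (3, True), (2, True), (100, True), (36, True),
                (37, True), (37, True), (50, True), (120, False), (120, True),
                (100, True), (37, True), (99, True), (57, True), (56, True)]
    return [w.process(seq, ok) for seq, ok in arrivals]


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: sequence number 36 is rejected as too old while 37 is accepted, because the window of 64 ending at 100 spans 37 to 100; and the forged packet `(120, False)` is counted as a bad ICV without moving the window, so the genuine 120 that follows is still accepted. With Extended Sequence Numbers the comparison logic is the same, but the receiver must reconstruct the high 32 bits before recomputing the ICV, since they are part of the ICV input but not of the packet.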

Use Cases and Applications

Because AH provides authentication and integrity without encryption, it is applied in specific scenarios. Its use is most appropriate where data confidentiality is either unnecessary or handled by another layer, and where authenticating the IP header itself is wanted.

  • Authenticating Already-Encrypted Traffic: AH can be used when the payload is already encrypted by another protocol (e.g., TLS for HTTPS), but you need assurance that the IP packet itself, addresses included, has not been altered in transit.
  • High-Speed Networks: In environments where performance is critical, the computational overhead of encryption can be a bottleneck, and AH offers integrity without it. Note that ESP with NULL encryption (RFC 2410) provides the same integrity for the payload at essentially the same cost, and with AES-GCM offloaded to hardware the encryption itself is rarely the bottleneck; AH’s distinguishing property is coverage of the IP header, not its speed.
  • Internal Network Security: AH can provide a baseline of integrity for internal traffic, for instance between hosts on the same network with no NAT in the path. This is useful where the network is generally considered trusted but integrity checks are still required for compliance or policy enforcement.

Advantages and Trade-offs

The primary advantage of AH is that it authenticates the IP header as well as the payload, with a low computational overhead compared to encryption. It provides a robust mechanism for verifying that data has not been modified, that the source and destination addresses are the ones the sender used, and that the packet originates from a peer holding the SA’s key.

However, the main trade-off is that AH does not provide confidentiality, meaning the data can be read by an eavesdropper. It also has a well-known incompatibility with Network Address Translation (NAT) devices, and that incompatibility is by design: a NAT device rewrites the IP addresses (and, for port translation, the transport ports), which are covered by the ICV, so the receiver discards the packet as modified. IPsec NAT traversal (UDP encapsulation on port 4500, RFC 3948) is defined only for ESP, so there is no standard way to carry AH through a NAT. For these reasons Encapsulating Security Payload (ESP) is generally preferred: it passes through NAT with NAT traversal, it can provide encryption and authentication together (or authentication alone with NULL encryption), and RFC 4301 makes ESP mandatory for IPsec implementations while AH is optional, so some stacks do not implement AH at all.

Key Terms Appendix

  • IPsec: A suite of protocols for securing IP communications at the network layer.
  • Encapsulating Security Payload (ESP): An IPsec protocol that provides confidentiality, data origin authentication, integrity, and anti-replay services.
  • Security Association (SA): A one-way relationship between two peers that specifies the protocol (AH or ESP), algorithms, keys and sequence number state for a flow of packets.
  • Security Parameter Index (SPI): A 32-bit value carried in the AH header that the receiver uses, together with the destination address and protocol, to look up the SA for an incoming packet.
  • Integrity Check Value (ICV): The keyed MAC output carried in the AH header; recomputed and compared by the receiver.
  • HMAC: A message authentication code built from a hash function and a secret key; the family of integrity algorithms AH uses in practice.
  • Hash: A mathematical function that converts data of any size into a fixed-size value; used inside the HMAC, but on its own it does not authenticate, since anyone can recompute it.
  • Anti-Replay Window: The per-SA record of recently accepted sequence numbers that lets a receiver discard duplicated or stale packets.
  • NAT (Network Address Translation): A method of remapping one IP address space into another, commonly used in routers.
  • Man-in-the-Middle (MitM) Attack: An attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
