
Notes:


The Authentication Header protocol (AH) is IP protocol 51. Unlike IKE, it is not carried over UDP, so this protocol has no port numbers at all!
AH offers data integrity checking and authentication of packets. To achieve this, AH uses a Message Authentication Code (MAC). This code is calculated with a hash function whose input is a secret key together with the message to be authenticated.

The AH protocol header immediately follows the IP header. If the sender wants to protect the data to be sent using AH, he calculates the MAC over the packet and the shared secret. The MAC is then entered into the AH header and the packet is sent. The recipient calculates the MAC using the identical algorithm and compares his result with the MAC stored in the AH header. If the MACs differ, the message was either modified in transit or was sent by a party with no access to the shared key.

AH even protects parts of the IP header: the hash function takes into account all immutable fields of the IP header (fields that change hop by hop, such as the TTL, are not covered).

Like ESP, AH additionally offers protection against replay attacks. Each packet is sent with an incremented sequence number. When the SA is initialised, the sequence numbers are set to 0. Before the sequence number can overflow, the SA has to be renegotiated.
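The following is an added example, not code from the slides: it builds an IPv4 packet with an AH header, computes the MAC over the immutable IP fields plus the AH header and payload, and on the receiving side checks both the MAC and the sequence number. It assumes HMAC-SHA1-96 as the MAC algorithm (the slides name none), an IPv4 header without options, a constructed key and addresses, and a single "highest sequence number seen" slot instead of a full anti-replay window.

```python
import hmac, hashlib, struct

ICV_LEN = 12  # HMAC-SHA1-96: SHA-1 MAC truncated to 96 bits (an assumed algorithm choice)

def zero_mutable_fields(ip_hdr):
    # Mutable IPv4 fields are treated as zero for the MAC: TOS, flags/fragment offset,
    # TTL and header checksum; addresses, length, identification and protocol stay covered.
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def compute_icv(ip_hdr, ah_fixed, payload, key):
    # The ICV field itself is taken as zero while the MAC is computed
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src, dst, next_header, spi, seq, payload, key, ttl=64):
    # Constructed 20-byte IPv4 header (protocol 51 = AH, checksum left 0 for brevity)
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, 51, 0, src, dst)
    # AH fixed part: next header, payload length in 32-bit words minus 2, reserved, SPI, sequence no.
    ah_fixed = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(ip_hdr, ah_fixed, payload, key) + payload

def verify_ah_packet(packet, key, state):
    # state["last_seq"] is the highest sequence number accepted so far: a one-slot stand-in
    # for the real anti-replay window. Returns "ok" or the reason the packet is dropped.
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    if not hmac.compare_digest(icv, compute_icv(ip_hdr, ah_fixed, payload, key)):
        return "bad-mac"
    seq = struct.unpack("!I", ah_fixed[8:12])[0]
    if seq <= state["last_seq"]:
        return "replay"
    state["last_seq"] = seq
    return "ok"

def demo():
    key = b"constructed shared secret"
    pkt = build_ah_packet(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 6, 0x100, 1, b"hello", key)
    state = {"last_seq": 0}
    first = verify_ah_packet(pkt, key, state)
    replayed = verify_ah_packet(pkt, key, state)          # same sequence number seen again
    hop = bytearray(pkt); hop[8] -= 1                      # a router decremented TTL in transit
    ttl_ok = verify_ah_packet(bytes(hop), key, {"last_seq": 0})
    tampered = bytearray(pkt); tampered[-1] ^= 1           # payload changed in transit
    bad = verify_ah_packet(bytes(tampered), key, {"last_seq": 0})
    return first, replayed, ttl_ok, bad
```

`demo()` shows the three outcomes the notes describe: a TTL change on the way does not break the MAC, a changed payload does, and a repeated sequence number is rejected as a replay.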