IP Authentication Header

The IP Authentication Header (also known as IP AH) is used for both authentication and data integrity. IP AH is used between two or more hosts or gateways which support the protocol.

All IP AH implementations must support keyed MD5. When IPv6 is fully implemented, every host must use a 128-bit key with MD5. Other authentication algorithms may be used in addition to MD5 -- but MD5 must always be present for the configuration to be true IP AH.

In IPv4, the IP authentication header is between the IP header and upper level protocols. In IPv6 there may be other fields which aren't in IPv4 -- but the AH must always be between the IP header and upper level protocols.

The top level of the AH format starts with Next Header (eight bits), which identifies the data after the authentication payload. Next is Payload Length (eight bits), which gives the length of the Authentication Data field in 32-bit words. A sixteen-bit reserved area follows.

The next level is the Security Parameter Index. It's a 32-bit pseudo-random binary value which identifies the security association. A value of 0 means no security association is present.

The third and final level is the Authentication Data, which has a variable length but is always a whole number of 32-bit words. RFC 1826 states that only those algorithms which are cryptographically strong one-way functions should be used for Authentication Data.
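The layout described above can be checked field by field with a small parser. This is an added example, not code from the original article; the names `parse_ah`, `AuthHeader` and `SAMPLE` are hypothetical, and the sample bytes are constructed for illustration.

```python
import struct
from typing import NamedTuple

AH_FIXED_LEN = 8  # Next Header (1) + Payload Length (1) + Reserved (2) + SPI (4)

class AuthHeader(NamedTuple):
    next_header: int   # protocol number of the data after the AH
    auth_words: int    # Authentication Data length in 32-bit words
    reserved: int      # sixteen-bit reserved area
    spi: int           # Security Parameter Index
    auth_data: bytes   # variable length, always whole 32-bit words
    payload: bytes     # upper level protocol data following the AH

def parse_ah(buf: bytes) -> AuthHeader:
    """Parse an AH from the bytes that follow the IP header."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH: fixed fields need 8 bytes")
    next_header, auth_words, reserved, spi = struct.unpack(
        "!BBHI", buf[:AH_FIXED_LEN])
    if spi == 0:
        # SPI 0 means no security association, so there is no key to verify with.
        raise ValueError("SPI 0: no security association present")
    end = AH_FIXED_LEN + 4 * auth_words
    if end > len(buf):
        # Never trust the length byte beyond what was actually received.
        raise ValueError("Payload Length exceeds the received data")
    return AuthHeader(next_header, auth_words, reserved, spi,
                      buf[AH_FIXED_LEN:end], buf[end:])

# Constructed sample: next header 6 (TCP), 4 words (room for a 128-bit
# keyed-MD5 digest), reserved 0, SPI 0x1234ABCD, 16 placeholder digest
# bytes, then placeholder payload bytes.
SAMPLE = (struct.pack("!BBHI", 6, 4, 0, 0x1234ABCD)
          + bytes(range(16)) + b"tcp-segment")

if __name__ == "__main__":
    ah = parse_ah(SAMPLE)
    print(f"next={ah.next_header} spi={ah.spi:#010x} "
          f"digest={ah.auth_data.hex()} payload={ah.payload!r}")
```

The parser only splits and bounds-checks the fields; verifying the digest itself requires the key bound to the security association that the SPI identifies.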


All content copyright 1998 - 99 unless book covers or otherwise noted. Book covers copyright 1998 - 99 Amazon.com. All OSAll-owned content may be reprinted with the following header added: "Copyright 1998 - 99 Owl Services. Visit aviary-mag.com for computer security news and information." Article authors retain a non-exclusive right to republish their work.