AH

Authentication Header

A component of the IPsec protocol suite that provides connectionless integrity, data origin authentication, and optional anti-replay protection for IP packets. Unlike encryption protocols, AH does not hide the contents of the packet’s payload; instead, it ensures that the data has not been altered in transit and that it originates from a trusted source.

AH works by adding a header to the IP packet that contains authentication information generated using a shared secret key and a cryptographic hash function, typically through mechanisms like HMAC combined with SHA-1 or SHA-2. This header covers most of the IP packet, including portions of the IP header itself, so that any unauthorized changes are detectable.

Because AH does not encrypt data, it is often used in scenarios where confidentiality is not required but integrity and authentication are critical. However, in many practical deployments, Encapsulating Security Payload (ESP) is preferred, as it can provide both encryption and authentication, making AH less common in modern IPsec configurations.

AH supports both Transport mode, which authenticates only the payload and certain header fields, and Tunnel mode, which authenticates the entire IP packet within a new IP header, typically for network-to-network VPNs.