ipsecah(7P)                      Protocols                      ipsecah(7P)

NAME
ipsecah, AH - IPsec Authentication Header

SYNOPSIS
drv/ipsecah

DESCRIPTION
The ipsecah module (AH) provides strong integrity, authentication, and
partial sequence integrity (replay protection) to IP datagrams. AH
protects the parts of the IP datagram whose values, as the receiver will
see them, can be predicted by the sender. For example, the IP TTL field
is not a predictable field, and is not protected by AH.

AH is inserted between the IP header and the transport header. The
transport header can be TCP, UDP, ICMP, or another IP header, if tunnels
are being used.

AH Device
AH is implemented as a module that is auto-pushed on top of IP. The
entry /dev/ipsecah is used for tuning AH with ndd(1M).

Authentication Algorithms
The authentication algorithms currently supported include HMAC-MD5 and
HMAC-SHA-1. Each authentication algorithm has its own key size and key
format properties. You can obtain a list of authentication algorithms
and their properties by using the ipsecalgs(1M) command. You can also
use the functions described in the getipsecalgbyname(3NSL) man page to
retrieve the properties of algorithms.

Security Considerations
Without replay protection enabled, AH is vulnerable to replay attacks.
AH does not protect against eavesdropping. Data protected with AH can
still be seen by an adversary.

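The following sketch is an added illustration, not code from the ipsecah module. It shows why a TTL change in transit does not break AH verification, why a payload change does, and that the payload stays readable. The key, addresses, SPI and payload are constructed; the 96-bit truncation of HMAC-SHA-1 follows RFC 2404 and the list of zeroed IPv4 fields follows RFC 2402, neither of which is spelled out on this page.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA-1-96 truncates the MAC to 96 bits (RFC 2404)
KEY = b"k" * 20       # constructed 160-bit key, for illustration only

def build_packet(ttl, payload, spi=0x1000, seq=1):
    """Constructed IPv4 + AH transport-mode packet; ICV field left zeroed."""
    ah = struct.pack("!BBHII", 17, 4, 0, spi, seq) + bytes(ICV_LEN)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ah) + len(payload),
                     0x1234, 0, ttl, 51, 0,            # protocol 51 = AH
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + ah + payload

def ah_icv(packet, key):
    """HMAC over the packet with mutable fields and the ICV field zeroed.
    Assumes an IPv4 header without options (IHL = 5)."""
    buf = bytearray(packet)
    buf[1] = 0                               # type of service
    buf[6:8] = b"\x00\x00"                   # flags and fragment offset
    buf[8] = 0                               # TTL, changed by every router
    buf[10:12] = b"\x00\x00"                 # header checksum
    buf[32:32 + ICV_LEN] = bytes(ICV_LEN)    # ICV field inside AH
    return hmac.new(key, bytes(buf), hashlib.sha1).digest()[:ICV_LEN]

def seal(packet, key):
    """Sender side: write the ICV into the AH header."""
    return packet[:32] + ah_icv(packet, key) + packet[32 + ICV_LEN:]

def verify(packet, key):
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(packet[32:32 + ICV_LEN], ah_icv(packet, key))

def forward(packet):
    """What a router does in transit: decrement the TTL."""
    return packet[:8] + bytes([packet[8] - 1]) + packet[9:]

if __name__ == "__main__":
    sent = seal(build_packet(64, b"transfer 100"), KEY)
    print("after router hop:", verify(forward(sent), KEY))
    print("payload modified:", verify(sent[:-3] + b"900", KEY))
    print("payload readable:", b"transfer 100" in sent)
```
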
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│ATTRIBUTE TYPE               │ATTRIBUTE VALUE              │
├─────────────────────────────┼─────────────────────────────┤
│Availability                 │SUNWcsr                      │
│Interface Stability          │Committed                    │
└─────────────────────────────┴─────────────────────────────┘

SEE ALSO
ipsecalgs(1M), ipsecconf(1M), ndd(1M), attributes(5),
getipsecalgbyname(3NSL), ip(7P), ipsec(7P), ipsecesp(7P)

Kent, S. and Atkinson, R. RFC 2402, IP Authentication Header, The
Internet Society, 1998.

SunOS 5.11                      25 Sep 2009                      ipsecah(7P)