Specifications

The IPsec Transport Protocols
88 AVM Access Server – 5 AVM Access Server Concepts and Functional Principles
Prevents replay and detects man-in-the-middle attacks: AH contains a unique serial number that can be used to identify packets replayed by a third party.
AH does not provide encryption of the data payload.
The diagram below illustrates the original packet and the IPsec encapsulated packet with AH.
Packet in its original state and encapsulated with Authentication Header
Properties of the Encapsulating Security Payload (ESP)
Encrypts the user data payload. In Tunnel Mode, the IP header is also encrypted. The symmetrical encryption methods available include DES, 3DES, AES and others.
Authenticates the source of the payload data: ESP includes a mechanism that allows the recipient to verify whether the source of the data is authentic.
Prevents replay and detects man-in-the-middle attacks: ESP contains a unique serial number that can be used to identify packets replayed by a third party.
The diagram below illustrates the original packet and the ESP encapsulated packet.
Packet in its original state and encapsulated with ESP
[Diagram: Original packet: IP header, payload data. Packet with Authentication Header in Tunnel Mode: new IP header, Authentication Header, IP header, payload data.]
[Diagram: Original packet: IP header, payload data. Packet with ESP in Tunnel Mode: new IP header, ESP header, IP header, payload data, ESP trailer, ESP authentication. The inner IP header, payload data and ESP trailer are marked as encrypted; the ESP header together with that encrypted portion is marked as authenticated.]
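The replay check that the serial (sequence) number in the AH and ESP headers makes possible, shown here for the ESP header described above. This is an added example and not code from the AVM manual or product; the 32-bit SPI/sequence-number header layout and the sliding-window algorithm follow RFC 4303, the window size of 64 and the packet bytes are constructed for the demonstration.

```python
import struct

ESP_HEADER = struct.Struct("!II")  # SPI, sequence number (32-bit each, network order)


def parse_esp_header(packet: bytes) -> tuple:
    """Return (spi, sequence_number) from the leading 8 bytes of an ESP packet."""
    return ESP_HEADER.unpack_from(packet, 0)


class AntiReplayWindow:
    """Sliding window over the highest accepted sequence number (RFC 4303 3.4.3).

    Bit i of `bitmap` is set once sequence number `highest - i` has been accepted.
    A receiver updates the window only after the integrity check has passed, so a
    forged packet cannot advance it and knock out legitimate traffic.
    """

    def __init__(self, size: int = 64) -> None:
        self.size = size      # constructed choice; implementations commonly use 32 or 64
        self.highest = 0      # sequence number 0 is never transmitted, so 0 means "empty"
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """Record seq and return True if it is new; False if replayed or too old."""
        if seq == 0:
            return False
        if seq > self.highest:                      # right of the window: slide it forward
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                     # left of the window: stale, drop
            return False
        if self.bitmap & (1 << offset):             # inside the window and already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


def make_esp_packet(spi: int, seq: int) -> bytes:
    """Constructed ESP header followed by placeholder ciphertext (sample data only)."""
    return ESP_HEADER.pack(spi, seq) + b"\x00" * 16


def process(packets: list, window: AntiReplayWindow) -> list:
    """Classify each packet in arrival order as 'accept' or 'drop'."""
    results = []
    for pkt in packets:
        _spi, seq = parse_esp_header(pkt)
        results.append("accept" if window.accept(seq) else "drop")
    return results
```

Reordered packets inside the window (3 before 2) are still accepted, while a second copy of 2 or 3, or a packet that has fallen more than 64 behind the highest accepted number, is dropped.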