Why would anyone use Authentication Header in a transform set ?

I came across a configuration that uses an IPsec transform-set of ah-sha-hmac esp-3des. This is a Cisco router, and it is running inside an MPLS tunnel. Since ESP does all of what AH does, are there any good reasons to use AH?

Accepted Solutions

Let me edit this because I didn't fully read the context.

It's a bit odd to see, but not out of the question. ESP has largely supplanted AH because authentication/integrity and encryption can be handled in one protocol. AH is still valid in this scenario, but most just do everything with ESP now.

5 REPLIES

Interesting. But if you trust the MPLS tunnel for the encryption and total security, why bother with a second IPsec tunnel with AH? Why not just route the data nominally, and let MPLS do all the security. I don't see what you gain by doing AH? Maybe you don't trust some devices on the "inside"???

Most cases I've seen for IPsec on MPLS are due to being prudent about trusting the service provider. Others want to deploy technologies like DMVPN over MPLS to maintain discrete internal routing between sites without having to get the service provider involved for changes in how traffic flows.

In the first case, it's usually GET VPN that is used to provide a blanket encryption policy over the entire MPLS VRF. In the second, encryption sometimes isn't used at all.

When it comes to running this sort of thing, the decision isn't usually made due to technical factors. It's more about policy.

Okay, final thought. 

There is NO advantage to using AH, except that it uses fewer CPU cycles, and ONLY IF you don't want to encrypt the data. 

True statement?

That pretty much sums it up.

It's been argued in a few places on the Internet that there's no reason to even have AH anymore, though I've heard some contend that it has a better authentication mechanism than ESP. Personally, I haven't seen anything supporting this argument.
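One concrete difference behind the "better authentication mechanism" claim above, and the caveat to "ESP does all of what AH does": the AH ICV also covers the immutable fields of the outer IP header (RFC 4302), while the ESP ICV covers only the ESP header, payload and trailer (RFC 4303). That is why an on-path rewrite of the outer addresses (NAT, or a spoofed outer header) fails AH's check but passes ESP's, and it is the same property that prevents AH from working through NAT. The Python below is an added example written for this page, not code from any poster or from Cisco: it is a toy model of what each protocol's ICV is computed over, not an IPsec implementation. The packet layout, the SA key, the addresses and the function names (build_packet, verify_packet, run_scenarios) are all constructed for the example; the 96-bit truncated HMAC-SHA1 matches what the *-sha-hmac transforms use (RFC 2404).

```python
"""Toy model of AH vs ESP integrity coverage (added example, not real IPsec)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed SA key for this example; a real SA gets its keys from IKE.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


@dataclass(frozen=True)
class IPHeader:
    src: str
    dst: str
    ttl: int       # mutable in transit: decremented at every hop
    tos: int = 0   # mutable in transit: may be rewritten by QoS devices

    def immutable_fields(self) -> bytes:
        """The part of the outer header AH covers. Mutable fields are treated
        as zero for the ICV (RFC 4302 s.3.3.3.1), so a TTL decrement or DSCP
        rewrite does not break the check, but a changed address does."""
        return f"src={self.src};dst={self.dst};ttl=0;tos=0".encode()


def icv(data: bytes) -> bytes:
    """*-sha-hmac transforms use HMAC-SHA1 truncated to 96 bits (RFC 2404)."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def covered_bytes(proto: str, ip: IPHeader, spi: int, seq: int, payload: bytes) -> bytes:
    """Bytes each protocol's ICV is computed over.

    AH  (RFC 4302): outer IP header (immutable fields) + AH header + payload.
    ESP (RFC 4303): ESP header + payload (+ trailer), NOT the outer IP header.
    """
    sec_hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    if proto == "ah":
        return ip.immutable_fields() + sec_hdr + payload
    if proto == "esp":
        return sec_hdr + payload
    raise ValueError(f"unknown protocol {proto!r}")


def build_packet(proto: str, ip: IPHeader, spi: int, seq: int, payload: bytes) -> dict:
    """Sender side: attach the ICV the receiver will check."""
    return {"proto": proto, "ip": ip, "spi": spi, "seq": seq, "payload": payload,
            "icv": icv(covered_bytes(proto, ip, spi, seq, payload))}


def verify_packet(pkt: dict) -> bool:
    """Receiver side: recompute the ICV over the received fields and compare."""
    expected = icv(covered_bytes(pkt["proto"], pkt["ip"], pkt["spi"],
                                 pkt["seq"], pkt["payload"]))
    return hmac.compare_digest(expected, pkt["icv"])


def run_scenarios() -> dict:
    """Send one constructed payload under AH and under ESP, then apply three
    in-transit changes and record which protocol still accepts the packet."""
    ip = IPHeader(src="192.0.2.1", dst="198.51.100.1", ttl=64)
    payload = b"constructed inner packet"
    results = {}
    for proto in ("ah", "esp"):
        pkt = build_packet(proto, ip, 0x1000, 1, payload)
        results[proto] = {
            "untouched": verify_packet(pkt),
            # Normal forwarding: each router decrements TTL.
            "ttl_decremented": verify_packet({**pkt, "ip": replace(ip, ttl=63)}),
            # Outer source address rewritten by NAT or an on-path attacker.
            "outer_src_rewritten": verify_packet({**pkt, "ip": replace(ip, src="203.0.113.9")}),
            # Protected payload tampered with.
            "payload_tampered": verify_packet({**pkt, "payload": payload + b"!"}),
        }
    return results


if __name__ == "__main__":
    for proto, outcome in run_scenarios().items():
        print(proto, outcome)
```

Running it shows AH rejecting the packet whose outer source address changed while ESP accepts it; both accept the TTL decrement and both reject the tampered payload. Whether that extra coverage is worth anything depends on whether you care about the outer header at all, which in an MPLS VPN carrying ESP is usually not the case, and it is exactly the coverage you lose the moment NAT sits on the path.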
