Protocols ipsecah(7P)
NAME
ipsecah, AH - IPsec Authentication Header
SYNOPSIS
drv/ipsecah
DESCRIPTION
The ipsecah module (AH) provides strong integrity,
authentication, and partial sequence integrity (replay protection)
to IP datagrams. AH protects the parts of the IP datagram
that can be predicted by the sender as it will be received
by the receiver. For example, the IP TTL field is not a
predictable field, and is not protected by AH.
AH is inserted between the IP header and the transport
header. The transport header can be TCP, UDP, ICMP, or
another IP header, if tunnels are being used. See tun(7M).
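The following added example (not part of the original manual page and not the ipsecah module's code) shows how the integrity check value is computed so that unpredictable fields such as TTL are excluded while the addresses and payload stay covered. It assumes an IPv4 header without options, the mutable-field list from RFC 2402, and the 96-bit truncated HMAC output of the HMAC-MD5-96 and HMAC-SHA-1-96 transforms; all function names and sample values are hypothetical.

```python
import hashlib, hmac, struct

AH_PROTO, ICV_LEN = 51, 12   # IP protocol number of AH; 96-bit truncated ICV

def ipv4_header(src, dst, ttl, total_len, checksum=0):
    """20-byte IPv4 header without options, with AH as the next protocol."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, AH_PROTO, checksum, bytes(src), bytes(dst))

def zero_mutable(ip_hdr):
    """Zero the fields routers may rewrite, which the sender cannot predict."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS
    h[6:8] = b"\x00\x00"       # flags and fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv=bytes(ICV_LEN)):
    """AH with a 96-bit ICV: 24 bytes, so Payload Len = 24/4 - 2 = 4."""
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, next_hdr, spi, seq, payload, digest=hashlib.sha1):
    """HMAC over zeroed-mutable IP header, AH with zero ICV, and payload."""
    data = zero_mutable(ip_hdr) + ah_header(next_hdr, spi, seq) + payload
    return hmac.new(key, data, digest).digest()[:ICV_LEN]

def verify(key, ip_hdr, ah, payload, digest=hashlib.sha1):
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(key, ip_hdr, next_hdr, spi, seq, payload, digest)
    return hmac.compare_digest(expected, ah[12:12 + ICV_LEN])

# Constructed sample values, not taken from a real capture or key store.
KEY = bytes(range(20))
PAYLOAD = b"constructed transport-layer bytes"
SRC, DST, SPI, SEQ, UDP = [192, 0, 2, 1], [192, 0, 2, 2], 0x1000, 1, 17

def demo():
    total = 20 + 24 + len(PAYLOAD)
    sent = ipv4_header(SRC, DST, 64, total, checksum=0x1111)  # placeholder checksum
    ah = ah_header(UDP, SPI, SEQ, compute_icv(KEY, sent, UDP, SPI, SEQ, PAYLOAD))
    routed = ipv4_header(SRC, DST, 57, total, checksum=0x2222)   # TTL decremented in transit
    spoofed = ipv4_header([192, 0, 2, 9], DST, 64, total, checksum=0x1111)
    return (verify(KEY, routed, ah, PAYLOAD),           # mutable fields changed
            verify(KEY, spoofed, ah, PAYLOAD),          # source address changed
            verify(KEY, sent, ah, PAYLOAD + b"!"))      # payload changed

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The datagram whose TTL and checksum changed in transit still verifies, while a changed source address or payload does not.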
AH Device
AH is implemented as a module that is auto-pushed on top of
IP. The entry /dev/ipsecah is used for tuning AH with
ndd(1M).
Authentication Algorithms
Current authentication algorithms supported include HMAC-MD5
and HMAC-SHA-1. Each authentication algorithm has its own
key size and key format properties. You can obtain a list of
authentication algorithms and their properties by using the
ipsecalgs(1M) command. You can also use the functions
described in the getipsecalgbyname(3NSL) man page to
retrieve the properties of algorithms.
Security Considerations
Without replay protection enabled, AH is vulnerable to
replay attacks. AH does not protect against eavesdropping.
Data protected with AH can still be seen by an adversary.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
SunOS 5.11 Last change: 20 May 2003
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            SUNWcsr
Interface Stability     Evolving
SEE ALSO
ipsecalgs(1M), ipsecconf(1M), ndd(1M), attributes(5),
getipsecalgbyname(3NSL), tun(7M), ip(7P), ipsec(7P),
ipsecesp(7P)
Kent, S. and Atkinson, R. RFC 2402, IP Authentication Header,
The Internet Society, 1998.