ipsecah, AH - IPsec Authentication Header




     The  ipsecah  module  ("AH")  provides   strong   integrity,
     authentication,   and   partial  sequence  integrity (replay
     protection) to IP datagrams. AH protects the parts of the IP
     datagram  that can be predicted  by the sender as it will be
     received by the receiver.  For example,  the IP TTL field is
     not a predictable field, and is not protected by AH.

     AH  is  inserted between the IP  header  and  the  transport
     header.   The  transport  header can be  TCP,  UDP, ICMP, or
     another IP header, if tunnels are  being used. See tun(7M).
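
     The following is an added illustration, not part of the original
     manual page and not Solaris code. It computes an AH integrity check
     value as described in RFC 2402, zeroing the IPv4 fields that change
     in transit. It assumes HMAC-SHA-1 truncated to 96 bits; the helper
     names, key, addresses and SPI are constructed for the example.

```python
import hashlib, hmac, struct

ICV_LEN = 12                 # assumption: HMAC-SHA-1 output truncated to 96 bits
AH_LEN = 12 + ICV_LEN        # fixed AH fields plus the ICV
IPPROTO_AH, IPPROTO_UDP = 51, 17

def ipv4_header(src, dst, payload_len, ttl):
    # 20-byte header, no options; checksum left at 0 because AH ignores it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0, ttl, IPPROTO_AH, 0, src, dst)

def ah_header(spi, seq, icv):
    # next header, length in 32-bit words minus 2, reserved, SPI, sequence, ICV
    return struct.pack("!BBHII", IPPROTO_UDP, AH_LEN // 4 - 2, 0, spi, seq) + icv

def compute_icv(key, packet):
    ip = bytearray(packet[:20])
    ip[1] = 0                 # TOS: may be rewritten in transit
    ip[6:8] = b"\x00\x00"     # flags and fragment offset
    ip[8] = 0                 # TTL: decremented by every router
    ip[10:12] = b"\x00\x00"   # header checksum: changes whenever TTL does
    ah = packet[20:32] + bytes(ICV_LEN)      # the ICV field itself is zeroed
    upper = packet[20 + AH_LEN:]
    return hmac.new(key, bytes(ip) + ah + upper, hashlib.sha1).digest()[:ICV_LEN]

def protect(key, src, dst, spi, seq, upper, ttl=64):
    ip = ipv4_header(src, dst, AH_LEN + len(upper), ttl)
    draft = ip + ah_header(spi, seq, bytes(ICV_LEN)) + upper
    return ip + ah_header(spi, seq, compute_icv(key, draft)) + upper

def verify(key, packet):
    return hmac.compare_digest(packet[32:32 + ICV_LEN], compute_icv(key, packet))

def patch(packet, offset, value):
    # copy of the packet with one byte changed, as a device on the path might do
    out = bytearray(packet)
    out[offset] = value
    return bytes(out)

if __name__ == "__main__":
    key = bytes(range(20))    # constructed 160-bit key
    pkt = protect(key, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]),
                  spi=0x1000, seq=1, upper=b"constructed UDP header + data")
    print("as sent:         ", verify(key, pkt))
    print("TTL 64 -> 57:    ", verify(key, patch(pkt, 8, 57)))
    print("source addr edit:", verify(key, patch(pkt, 15, 9)))
    print("payload edit:    ", verify(key, patch(pkt, len(pkt) - 1, 0x58)))
```

     The sequence number sits inside the authenticated AH fields, so a
     receiver that enforces replay protection can trust it; the payload
     itself remains readable on the wire.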

  Authentication Algorithms And The AH Device
     AH is implemented as a module that is auto-pushed   on   top
     of   IP.  The entry /dev/ipsecah is used for tuning AH  with
     ndd(1M), as well as to  allow  future  authentication
     algorithms  to  be  loaded on top of AH.  Current authentication
     algorithms    include   HMAC-MD5   and   HMAC-SHA-1.     See
     authmd5h(7M) and authsha1(7P). Each authentication algorithm
     has its own  key size and key format properties.

  Security Considerations
     Without replay  protection  enabled,  AH  is  vulnerable  to
     replay  attacks.  AH does not protect against eavesdropping.
     Data protected with AH can still be seen by an adversary.


     See attributes(5)  for descriptions of the following  attributes:

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWcsr (32-bit)            |
    |                             | SUNWcarx (64-bit)           |
    | Interface Stability         | Evolving                    |


     ipsecconf(1M),   ndd(1M),    attributes(5),    authmd5h(7M),
     authsha1(7P), ip(7P), ipsec(7P), ipsecesp(7P), tun(7M)

     Kent, S. and Atkinson, R. RFC 2402, IP Authentication Header,
     The Internet Society, 1998.
