CertiGuide to Security+  9  Chapter 2:  Communication Security (Domain 2.0; 20%)       9  2.1  Remote Access            9  2.1.7  IPSEC

2.1.7  IPSEC 1 IPSec Transport and Tunnel Modes

IPSec packet types include the authentication header (AH) for data integrity and the encapsulating security payload (ESP) for data confidentiality and integrity.

The authentication header (AH) protocol creates an envelope that provides integrity, data origin identification and protection against replay attacks. It authenticates every packet as a defense against session-stealing attacks. Although the IP header itself is outside the AH header, AH also provides limited verification of it by not allowing changes to the IP header after packet creation (note that this usually precludes the use of AH in NAT environments, which modify packet headers at the point of NAT). AH packets use IP protocol 51.

The encapsulating security payload (ESP) protocol provides the features of AH (except for IP header authentication), plus encryption. It can also be used in a null encryption mode that provides the AH protection against replay attacks and other such attacks, without encryption or IP header authentication. This can allow for achieving some of the benefits of IPSec in a NAT environment that would not ordinarily work well with IPSec. ESP packets use IP protocol 50.

2.1.7  IPSEC 1 IPSec Transport and Tunnel Modes