System Administration Guide: IP Services

Security Considerations When Using AH and ESP

The following table compares the protections that are provided by AH and ESP.

Table 19–2 Protections Provided by AH and ESP in IPsec

Columns: Protocol; Packet Coverage; Protection; Against Attacks

AH
  Packet coverage: Protects the packet from the IP header to the transport header.
  Protection: Provides strong integrity and data authentication:
    • Ensures that the receiver receives exactly what the sender sent
    • Is susceptible to replay attacks when AH does not enable replay protection
  Against attacks: Replay, cut-and-paste

ESP
  Packet coverage: Protects the packet following the beginning of ESP in the datagram.
  Protection:
    • With the encryption option, encrypts the IP datagram. Ensures confidentiality.
      Against attacks: Eavesdropping
    • With the authentication option, provides the same protection as AH.
      Against attacks: Replay, cut-and-paste
    • With both options, provides strong integrity, data authentication, and confidentiality.
      Against attacks: Replay, cut-and-paste, eavesdropping
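The following toy model makes the rows of the table concrete. It is an added example, not Solaris code and not part of the original guide: HMAC-SHA256 stands in for the AH and ESP integrity check value (ICV), a constructed SHA-256 keystream stands in for a real ESP cipher such as AES, and the keys, the "IP header" byte string and the packets are all constructed for the demonstration. It shows why AH detects a forged IP header (its ICV covers the header), why a replayed packet is accepted unless an anti-replay window is enabled, why ESP with only the encryption option hides the payload from an eavesdropper but silently accepts a modified ciphertext, and why adding the authentication option catches that modification. The sliding window follows the RFC 4302/4303 scheme (highest sequence number seen plus a 64-bit bitmap of recently received ones).

```python
"""Toy model of the AH/ESP protections in Table 19-2 (added example, not Solaris code)."""
import hashlib
import hmac

AUTH_KEY = b"constructed-auth-key"   # constructed, demo only
ENCR_KEY = b"constructed-encr-key"   # constructed, demo only


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4302/4303 (64-bit bitmap).

    Bit 0 of the bitmap stands for the highest sequence number seen so far;
    bit d stands for sequence number top - d.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0:                 # sequence number 0 is never valid with anti-replay on
            return False
        if seq > self.top:           # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:        # older than the window: drop
            return False
        if (self.bitmap >> diff) & 1:  # already received: replay
            return False
        self.bitmap |= 1 << diff
        return True


def ah_icv(ip_header, seq, payload):
    """AH covers the immutable IP header fields, the AH sequence number and the payload."""
    return hmac.new(AUTH_KEY, ip_header + seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def ah_receive(window, ip_header, seq, payload, icv, replay_protection=True):
    if not hmac.compare_digest(icv, ah_icv(ip_header, seq, payload)):
        return "rejected: integrity"
    if replay_protection and not window.check_and_update(seq):
        return "rejected: replay"
    return "accepted"


def _keystream(seq, length):
    # Constructed stand-in for a real cipher keystream; the sequence number acts as the nonce.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(ENCR_KEY + seq.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def esp_encrypt(seq, payload):
    """ESP encryption option: only what follows the ESP header is encrypted; the IP header is not."""
    return bytes(a ^ b for a, b in zip(payload, _keystream(seq, len(payload))))


def esp_icv(seq, ciphertext):
    """ESP authentication option: ICV over the ESP header (sequence number) and the ciphertext."""
    return hmac.new(AUTH_KEY, seq.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()


def esp_receive(seq, ciphertext, icv=None):
    """Returns the plaintext, or None when the authentication option rejects the packet."""
    if icv is not None and not hmac.compare_digest(icv, esp_icv(seq, ciphertext)):
        return None
    return esp_encrypt(seq, ciphertext)  # XOR keystream is its own inverse


def demo():
    ip_header = b"src=10.0.0.1;dst=10.0.0.2"   # constructed stand-in for immutable IP header fields
    payload = b"transfer 100"                   # constructed transport payload
    results = {}

    # AH: the IP header is inside the ICV, so a changed source address fails integrity
    win = ReplayWindow()
    icv = ah_icv(ip_header, 1, payload)
    results["ah_genuine"] = ah_receive(win, ip_header, 1, payload, icv)
    results["ah_forged_header"] = ah_receive(win, b"src=10.0.0.9;dst=10.0.0.2", 1, payload, icv)
    # The same packet delivered twice: rejected with the window, accepted without it
    results["ah_replay_protected"] = ah_receive(win, ip_header, 1, payload, icv)
    results["ah_replay_unprotected"] = ah_receive(win, ip_header, 1, payload, icv, replay_protection=False)

    # ESP with encryption only: an eavesdropper sees ciphertext, but a flipped bit is not detected
    ct = esp_encrypt(7, payload)
    results["esp_ciphertext_differs"] = ct != payload
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    results["esp_tamper_no_auth"] = esp_receive(7, tampered) != payload   # wrong data, silently accepted
    # ESP with the authentication option: the tampered packet is rejected, the genuine one decrypts
    results["esp_tamper_with_auth"] = esp_receive(7, tampered, esp_icv(7, ct))
    results["esp_genuine_with_auth"] = esp_receive(7, ct, esp_icv(7, ct))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `esp_tamper_no_auth` result is the row the table describes as "ensures confidentiality" but lists only eavesdropping as the attack countered: the receiver gets wrong data without noticing, which is why the authentication option (or both options) is the usual choice.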