Navigation
IPSec Protocols
IPSec protocols determine the type of authentication and encryption applied to packets that are secured by the router. The Junos OS supports the following IPSec protocols:
- AH—Defined in RFC 2402, AH provides connectionless
integrity and data origin authentication for IPv4 and IPv6 packets.
It also provides protection against replays. AH authenticates as much
of the IP header as possible, as well as the upper-level protocol
data. However, some IP header fields may change in transit. Because
the value of these fields may not be predictable by the sender, they
cannot be protected by AH. In an IP header, AH can be identified with
a value of 51 in the Protocol field of an IPv4 packet
and the Next Header field of an IPv6 packet. An example of
the IPSec protection offered by AH is shown in Figure 1.
Note: AH is not supported on the T Series, M120, and M320 routers.
Figure 1: AH Protocol
- ESP—Defined in RFC 2406, ESP can provide encryption and limited traffic flow confidentiality, or connectionless integrity, data origin authentication, and an anti-replay service. In an IP header, ESP can be identified a value of 50 in the Protocol field of an IPv4 packet and the Next Header field of an IPv6 packet. An example of the IPSec protection offered by ESP is shown in Figure 2.
Figure 2: ESP Protocol
- Bundle—When you compare AH with ESP, there are some benefits and shortcomings in both protocols. ESP provides a decent level of authentication and encryption, but does so only for part of the IP packet. Conversely, although AH does not provide encryption, it does provide authentication for the entire IP packet. Because of this, the Junos OS offers a third form of IPSec protocol called a protocol bundle. The bundle option offers a hybrid combination of AH authentication with ESP encryption.
