Open In App

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy

Internet Protocol Authentication Header

There are two main advantages that Authentication Header provides,

Prerequisite: Internet Protocol version 6 (IPv6) Header IP Authentication Header is used to provide connection-less integrity and data origin authentication. 



When packet is sent from source A to Destination B, it consists of data that we need to send and header which consist of information regarding packet. Authentication Header verifies origin of data and also payload to confirm if there has been modification done in between, during transmission between source and destination. However, in transit, values of some IP header fields might change (like- Hop count, options, extension headers). So, values of such fields cannot be protected from Authentication header. Authentication header cannot protect every field of IP header. It provides protection to fields which are essential to be protected.

Authentication Header : The question may arise, that how IP header will know that adjacent Extension header is Authentication Header. Well, there is protocol field in IP Header which tells type of header that is present in packet. So, protocol field in IP Header should have value of “51” in order to detect Authentication Header.



  1. Next Header – Next Header is 8-bit field that identifies type of header present after Authentication Header. In case of TCP, UDP or destination header or some other extension header it will store correspondence IP protocol number . Like, number 4 in this field will indicate IPv4, number 41 will indicate IPv6 and number 6 will indicate TCP.
  2. Payload Length – Payload length is length of Authentication header and here we use scaling factor of 4. Whatever be size of header, divide it by 4 and then subtract by 2. We are subtracting by 2 because we’re not counting first 8 bytes of Authentication header, which is first two row of picture given above. It means we are not including Next Header, Payload length, Reserved and Security Parameter index in calculating payload length. Like, say if payload length is given to be X. Then (X+2)*4 will be original Authentication header length.
  3. Reserved – This is 16-bit field which is set to “zero” by sender as this field is reserved for future use.
  4. Security Parameter Index (SPI) – It is arbitrary 32-bit field. It is very important field which identifies all packets which belongs to present connection. If we’re sending data from Source A to Destination B. Both A and B will already know algorithm and key they are going to use. So for Authentication, hashing function and key will be required which only source and destination will know about. Secret key between A and B is exchanged by method of Diffie Hellman algorithm. So Hashing algorithm and secret key for Security parameter index of connection will be fixed. Before data transfer starts security association needs to be established. In Security Association, both parties needs to communicate prior to data exchange. Security association tells what is security parameter index, hashing algorithm and secret key that are being used.
  5. Sequence Number – This unsigned 32-bit field contains counter value that increases by one for each packet sent. Every packet will need sequence number. It will start from 0 and will go till  – 1 and there will be no wrap around. Say, if all sequence numbers are over and none of it is left but we cannot wrap around as it is not allowed. So, we will end connection and re-establish connection again to resume transfer of remaining data from sequence number 0. Basically sequence numbers are used to stop replay attack. In Replay attack, if same message is sent twice or more, receiver won’t be able to know if both messages are sent from a single source or not. Say, I am requesting 100$ from receiver and Intruder in between asked for another 100$. Receiver won’t be able to know that there is intruder in between.
  6. Authentication Data (Integrity Check Value) – Authentication data is variable length field that contains Integrity Check Value (ICV) for packet. Using hashing algorithm and secret key, sender will create message digest which will be sent to receiver. Receiver on other hand will use same hashing algorithm and secret key. If both message digest matches then receiver will accept data. Otherwise, receiver will discard it by saying that message has been modified in between. So basically, authentication data is used to verify integrity of transmission. Also length of Authentication data depends upon hashing algorithm you choose.

Modes of operations in Authentication Header:

There are two modes in the authentication header

  1. Authentication Header Transport Mode:  In the authentication header transport mode, it is lies between the original IP Header and IP Packets original TCP header.
  2. Authentication Header Tunnel Mode:  In this authentication header tunnel mode, the original IP packet is authenticated entire and the authentication header is inserted between the original IP header and new outer IP header. Here, the inner IP header contains the ultimate source IP address and destination IP address. whereas the outer IP header contains different IP address  that is IP address of the firewalls or other security gateways.

How does the header deals with Replay attack?

Conclusion: How Authentication Header can be useful?

  • Message Integrity is also known as Connection-less Integrity
  • Source Authentication
  • Replay attack protection
Article Tags :
Computer Networks
GATE CS
Recommended Articles
1. Internet Protocol version 6 (IPv6) Header
2. Difference between Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP)
3. Difference between single-factor authentication and multi-factor authentication
4. internet vs Internet
5. Challenge Handshake Authentication Protocol (CHAP)
6. Password Authentication Protocol (PAP)
7. Network Time Protocol (NTP) Security and Authentication
8. Internet Telephony Protocol | H.323
9. Types of ICMP (Internet Control Message Protocol) Messages
10. What is IGMP(Internet Group Management Protocol)?
11. Ethernet Over Internet Protocol (EoIP)
12. IPsec (Internet Protocol Security) Tunnel and Transport Modes
13. Mobile Internet Protocol (or Mobile IP)
14. Multipurpose Internet Mail Extension (MIME) Protocol
15. Internet Protocol version 6 (IPv6)
16. Internet Message Access Protocol (IMAP)
17. Voice over Internet Protocol (VoIP)
18. Internet Control Message Protocol (ICMP)
19. What is Internet Protocol (IP)?
20. Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP)
21. Difference between Stop and Wait protocol and Sliding Window protocol
22. Difference between File Transfer Protocol (FTP) and Secure File Transfer Protocol (SFTP)
23. Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) in Data Link Layer
24. Difference between Border Gateway Protocol (BGP) and Routing Information Protocol (RIP)
25. Difference between Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP)