Network Working Group                                            S. Kent
Request for Comments: 4302                              BBN Technologies
Obsoletes: 2402                                            December 2005
Category: Standards Track


                        IP Authentication Header

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes an updated version of the IP Authentication
   Header (AH), which is designed to provide authentication services in
   IPv4 and IPv6.  This document obsoletes RFC 2402 (November 1998).

Table of Contents

   1. Introduction ....................................................3
   2. Authentication Header Format ....................................4
      2.1. Next Header ................................................5
      2.2. Payload Length .............................................5
      2.3. Reserved ...................................................6
      2.4. Security Parameters Index (SPI) ............................6
      2.5. Sequence Number ............................................8
           2.5.1. Extended (64-bit) Sequence Number ...................8
      2.6. Integrity Check Value (ICV) ................................9
   3. Authentication Header Processing ................................9
      3.1. Authentication Header Location .............................9
           3.1.1. Transport Mode ......................................9
           3.1.2. Tunnel Mode ........................................11
      3.2. Integrity Algorithms ......................................11
      3.3. Outbound Packet Processing ................................11
           3.3.1. Security Association Lookup ........................12
           3.3.2. Sequence Number Generation .........................12
           3.3.3. Integrity Check Value Calculation ..................13
                  3.3.3.1. Handling Mutable Fields ...................13
                  3.3.3.2. Padding and Extended Sequence Numbers .....16



Kent                        Standards Track                     [Page 1]


RFC 4302                IP Authentication Header           December 2005


           3.3.4. Fragmentation ......................................17
      3.4. Inbound Packet Processing .................................18
           3.4.1. Reassembly .........................................18
           3.4.2. Security Association Lookup ........................18
           3.4.3. Sequence Number Verification .......................19
           3.4.4. Integrity Check Value Verification .................20
   4. Auditing .......................................................21
   5. Conformance Requirements .......................................21
   6. Security Considerations ........................................22
   7. Differences from RFC 2402 ......................................22
   8. Acknowledgements ...............................................22
   9. References .....................................................22
      9.1. Normative References ......................................22
      9.2. Informative References ....................................23
   Appendix A: Mutability of IP Options/Extension Headers ............25
      A1. IPv4 Options ...............................................25
      A2. IPv6 Extension Headers .....................................26
   Appendix B: Extended (64-bit) Sequence Numbers ....................28
      B1. Overview ...................................................28
      B2. Anti-Replay Window .........................................28
          B2.1. Managing and Using the Anti-Replay Window ............29
          B2.2. Determining the Higher-Order Bits (Seqh) of the
                Sequence Number ......................................30
          B2.3. Pseudo-Code Example ..................................31
      B3. Handling Loss of Synchronization due to Significant
          Packet Loss ................................................32
          B3.1. Triggering Re-synchronization ........................33
          B3.2. Re-synchronization Process ...........................33























Kent                        Standards Track                     [Page 2]


RFC 4302                IP Authentication Header           December 2005


1.  Introduction

   This document assumes that the reader is familiar with the terms and
   concepts described in the "Security Architecture for the Internet
   Protocol" [Ken-Arch], hereafter referred to as the Security
   Architecture document.  In particular, the reader should be familiar
   with the definitions of security services offered by the
   Encapsulating Security Payload (ESP) [Ken-ESP] and the IP
   Authentication Header (AH), the concept of Security Associations, the
   ways in which ESP can be used in conjunction with the Authentication
   Header (AH), and the different key management options available for
   ESP and AH.

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in RFC 2119 [Bra97].

   The IP Authentication Header (AH) is used to provide connectionless
   integrity and data origin authentication for IP datagrams (hereafter
   referred to as just "integrity") and to provide protection against
   replays.  This latter, optional service may be selected, by the
   receiver, when a Security Association (SA) is established.  (The
   protocol default requires the sender to increment the sequence number
   used for anti-replay, but the service is effective only if the
   receiver checks the sequence number.)  However, to make use of the
   Extended Sequence Number feature in an interoperable fashion, AH does
   impose a requirement on SA management protocols to be able to
   negotiate this new feature (see Section 2.5.1 below).

   AH provides authentication for as much of the IP header as possible,
   as well as for next level protocol data.  However, some IP header
   fields may change in transit and the value of these fields, when the
   packet arrives at the receiver, may not be predictable by the sender.
   The values of such fields cannot be protected by AH.  Thus, the
   protection provided to the IP header by AH is piecemeal.  (See
   Appendix A.)

   AH may be applied alone, in combination with the IP Encapsulating
   Security Payload (ESP) [Ken-ESP], or in a nested fashion (see
   Security Architecture document [Ken-Arch]).  Security services can be
   provided between a pair of communicating hosts, between a pair of
   communicating security gateways, or between a security gateway and a
   host.  ESP may be used to provide the same anti-replay and similar
   integrity services, and it also provides a confidentiality
   (encryption) service.  The primary difference between the integrity
   provided by ESP and AH is the extent of the coverage.  Specifically,
   ESP does not protect any IP header fields unless those fields are




Kent                        Standards Track                     [Page 3]


RFC 4302                IP Authentication Header           December 2005


   encapsulated by ESP (e.g., via use of tunnel mode).  For more details
   on how to use AH and ESP in various network environments, see the
   Security Architecture document [Ken-Arch].

   Section 7 provides a brief review of the differences between this
   document and RFC 2402 [RFC2402].

2.  Authentication Header Format

   The protocol header (IPv4, IPv6, or IPv6 Extension) immediately
   preceding the AH header SHALL contain the value 51 in its Protocol
   (IPv4) or Next Header (IPv6, Extension) fields [DH98].  Figure 1
   illustrates the format for AH.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Next Header   |  Payload Len  |          RESERVED             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Security Parameters Index (SPI)               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Sequence Number Field                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                Integrity Check Value-ICV (variable)           |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                          Figure 1.  AH Format

   The following table refers to the fields that comprise AH,
   (illustrated in Figure 1), plus other fields included in the
   integrity computation, and illustrates which fields are covered by
   the ICV and what is transmitted.
                                                      What    What
                                     # of     Requ'd  Integ    is
                                     bytes     [1]    Covers  Xmtd
                                     ------   ------  ------  ------
          IP Header                  variable    M     [2]    plain
          Next Header                   1        M      Y     plain
          Payload Len                   1        M      Y     plain
          RESERVED                      2        M      Y     plain
          SPI                           4        M      Y     plain
          Seq# (low-order 32 bits)      4        M      Y     plain
          ICV                        variable    M      Y[3]  plain
          IP datagram [4]            variable    M      Y     plain
          Seq# (high-order 32 bits)     4      if ESN   Y     not xmtd
          ICV Padding                variable  if need  Y     not xmtd



Kent                        Standards Track                     [Page 4]


RFC 4302                IP Authentication Header           December 2005


       [1] - M = mandatory
       [2] - See Section 3.3.3, "Integrity Check Value Calculation", for
             details of which IP header fields are covered.
       [3] - Zeroed before ICV calculation (resulting ICV placed here
             after calculation)
       [4] - If tunnel mode -> IP datagram
             If transport mode -> next header and data

   The following subsections define the fields that comprise the AH
   format.  All the fields described here are mandatory; i.e., they are
   always present in the AH format and are included in the Integrity
   Check Value (ICV) computation (see Sections 2.6 and 3.3.3).

   Note: All of the cryptographic algorithms used in IPsec expect their
   input in canonical network byte order (see Appendix of RFC 791
   [RFC791]) and generate their output in canonical network byte order.
   IP packets are also transmitted in network byte order.

   AH does not contain a version number, therefore if there are concerns
   about backward compatibility, they MUST be addressed by using a
   signaling mechanism between the two IPsec peers to ensure compatible
   versions of AH, e.g., IKE [IKEv2] or an out-of-band configuration
   mechanism.

2.1.  Next Header

   The Next Header is an 8-bit field that identifies the type of the
   next payload after the Authentication Header.  The value of this
   field is chosen from the set of IP Protocol Numbers defined on the
   web page of Internet Assigned Numbers Authority (IANA).  For example,
   a value of 4 indicates IPv4, a value of 41 indicates IPv6, and a
   value of 6 indicates TCP.

2.2.  Payload Length

   This 8-bit field specifies the length of AH in 32-bit words (4-byte
   units), minus "2".  Thus, for example, if an integrity algorithm
   yields a 96-bit authentication value, this length field will be "4"
   (3 32-bit word fixed fields plus 3 32-bit words for the ICV, minus
   2).  For IPv6, the total length of the header must be a multiple of
   8-octet units.  (Note that although IPv6 [DH98] characterizes AH as
   an extension header, its length is measured in 32-bit words, not the
   64-bit words used by other IPv6 extension headers.)  See Section 2.6,
   "Integrity Check Value (ICV)", for comments on padding of this field,
   and Section 3.3.3.2.1, "ICV Padding".






Kent                        Standards Track                     [Page 5]


RFC 4302                IP Authentication Header           December 2005


2.3.  Reserved

   This 16-bit field is reserved for future use.  It MUST be set to
   "zero" by the sender, and it SHOULD be ignored by the recipient.
   (Note that the value is included in the ICV calculation, but is
   otherwise ignored by the recipient.)

2.4.  Security Parameters Index (SPI)

   The SPI is an arbitrary 32-bit value that is used by a receiver to
   identify the SA to which an incoming packet is bound.  For a unicast
   SA, the SPI can be used by itself to specify an SA, or it may be used
   in conjunction with the IPsec protocol type (in this case AH).
   Because for unicast SAs the SPI value is generated by the receiver,
   whether the value is sufficient to identify an SA by itself or
   whether it must be used in conjunction with the IPsec protocol value
   is a local matter.  The SPI field is mandatory, and this mechanism
   for mapping inbound traffic to unicast SAs described above MUST be
   supported by all AH implementations.

   If an IPsec implementation supports multicast, then it MUST support
   multicast SAs using the algorithm below for mapping inbound IPsec
   datagrams to SAs.  Implementations that support only unicast traffic
   need not implement this de-multiplexing algorithm.

   In many secure multicast architectures, e.g., [RFC3740], a central
   Group Controller/Key Server unilaterally assigns the group security
   association's SPI.  This SPI assignment is not negotiated or
   coordinated with the key management (e.g., IKE) subsystems that
   reside in the individual end systems that comprise the group.
   Consequently, it is possible that a group security association and a
   unicast security association can simultaneously use the same SPI.  A
   multicast-capable IPsec implementation MUST correctly de-multiplex
   inbound traffic even in the context of SPI collisions.

   Each entry in the Security Association Database (SAD) [Ken-Arch] must
   indicate whether the SA lookup makes use of the destination, or
   destination and source, IP addresses, in addition to the SPI.  For
   multicast SAs, the protocol field is not employed for SA lookups.
   For each inbound, IPsec-protected packet, an implementation must
   conduct its search of the SAD such that it finds the entry that
   matches the "longest" SA identifier.  In this context, if two or more
   SAD entries match based on the SPI value, then the entry that also
   matches based on destination, or destination and source, address
   comparison (as indicated in the SAD entry) is the "longest" match.
   This implies a logical ordering of the SAD search as follows:





Kent                        Standards Track                     [Page 6]


RFC 4302                IP Authentication Header           December 2005


           1. Search the SAD for a match on {SPI, destination
              address, source address}.  If an SAD entry
              matches, then process the inbound AH packet with that
              matching SAD entry.  Otherwise, proceed to step 2.

           2. Search the SAD for a match on {SPI, destination
              address}.  If an SAD entry matches, then process
              the inbound AH packet with that matching SAD
              entry.  Otherwise, proceed to step 3.

           3. Search the SAD for a match on only {SPI} if the receiver
              has chosen to maintain a single SPI space for AH and ESP,
              or on {SPI, protocol} otherwise.  If an SAD
              entry matches, then process the inbound AH packet with
              that matching SAD entry.  Otherwise, discard the packet
              and log an auditable event.

   In practice, an implementation MAY choose any method to accelerate
   this search, although its externally visible behavior MUST be
   functionally equivalent to having searched the SAD in the above
   order.  For example, a software-based implementation could index into
   a hash table by the SPI.  The SAD entries in each hash table bucket's
   linked list are kept sorted to have those SAD entries with the
   longest SA identifiers first in that linked list.  Those SAD entries
   having the shortest SA identifiers are sorted so that they are the
   last entries in the linked list.  A hardware-based implementation may
   be able to effect the longest match search intrinsically, using
   commonly available Ternary Content-Addressable Memory (TCAM)
   features.

   The indication of whether source and destination address matching is
   required to map inbound IPsec traffic to SAs MUST be set either as a
   side effect of manual SA configuration or via negotiation using an SA
   management protocol, e.g., IKE or Group Domain of Interpretation
   (GDOI) [RFC3547].  Typically, Source-Specific Multicast (SSM) [HC03]
   groups use a 3-tuple SA identifier composed of an SPI, a destination
   multicast address, and source address.  An Any-Source Multicast group
   SA requires only an SPI and a destination multicast address as an
   identifier.

   The set of SPI values in the range 1 through 255 is reserved by the
   Internet Assigned Numbers Authority (IANA) for future use; a reserved
   SPI value will not normally be assigned by IANA unless the use of the
   assigned SPI value is specified in an RFC.  The SPI value of zero (0)
   is reserved for local, implementation-specific use and MUST NOT be
   sent on the wire.  (For example, a key management implementation
   might use the zero SPI value to mean "No Security Association Exists"




Kent                        Standards Track                     [Page 7]


RFC 4302                IP Authentication Header           December 2005


   during the period when the IPsec implementation has requested that
   its key management entity establish a new SA, but the SA has not yet
   been established.)

2.5.  Sequence Number

   This unsigned 32-bit field contains a counter value that increases by
   one for each packet sent, i.e., a per-SA packet sequence number.  For
   a unicast SA or a single-sender multicast SA, the sender MUST
   increment this field for every transmitted packet.  Sharing an SA
   among multiple senders is permitted, though generally not
   recommended.  AH provides no means of synchronizing packet counters
   among multiple senders or meaningfully managing a receiver packet
   counter and window in the context of multiple senders.  Thus, for a
   multi-sender SA, the anti-reply features of AH are not available (see
   Sections 3.3.2 and 3.4.3).

   The field is mandatory and MUST always be present even if the
   receiver does not elect to enable the anti-replay service for a
   specific SA.  Processing of the Sequence Number field is at the
   discretion of the receiver, but all AH implementations MUST be
   capable of performing the processing described in Section 3.3.2,
   "Sequence Number Generation", and Section 3.4.3, "Sequence Number
   Verification".  Thus, the sender MUST always transmit this field, but
   the receiver need not act upon it.

   The sender's counter and the receiver's counter are initialized to 0
   when an SA is established.  (The first packet sent using a given SA
   will have a sequence number of 1; see Section 3.3.2 for more details
   on how the sequence number is generated.)  If anti-replay is enabled
   (the default), the transmitted sequence number must never be allowed
   to cycle.  Thus, the sender's counter and the receiver's counter MUST
   be reset (by establishing a new SA and thus a new key) prior to the
   transmission of the 2^32nd packet on an SA.

2.5.1.  Extended (64-bit) Sequence Number

   To support high-speed IPsec implementations, a new option for
   sequence numbers SHOULD be offered, as an extension to the current,
   32-bit sequence number field.  Use of an Extended Sequence Number
   (ESN) MUST be negotiated by an SA management protocol.  Note that in
   IKEv2, this negotiation is implicit; the default is ESN unless 32-bit
   sequence numbers are explicitly negotiated.  (The ESN feature is
   applicable to multicast as well as unicast SAs.)

   The ESN facility allows use of a 64-bit sequence number for an SA.
   (See Appendix B, "Extended (64-bit) Sequence Numbers", for details.)
   Only the low-order 32 bits of the sequence number are transmitted in



Kent                        Standards Track                     [Page 8]


RFC 4302                IP Authentication Header           December 2005


   the AH header of each packet, thus minimizing packet overhead.  The
   high-order 32 bits are maintained as part of the sequence number
   counter by both transmitter and receiver and are included in the
   computation of the ICV, but are not transmitted.

2.6.  Integrity Check Value (ICV)

   This is a variable-length field that contains the Integrity Check
   Value (ICV) for this packet.  The field must be an integral multiple
   of 32 bits (IPv4 or IPv6) in length.  The details of ICV processing
   are described in Section 3.3.3, "Integrity Check Value Calculation",
   and Section 3.4.4, "Integrity Check Value Verification".  This field
   may include explicit padding, if required to ensure that the length
   of the AH header is an integral multiple of 32 bits (IPv4) or 64 bits
   (IPv6).  All implementations MUST support such padding and MUST
   insert only enough padding to satisfy the IPv4/IPv6 alignment
   requirements.  Details of how to compute the required padding length
   are provided below in Section 3.3.3.2, "Padding".  The integrity
   algorithm specification MUST specify the length of the ICV and the
   comparison rules and processing steps for validation.

3.  Authentication Header Processing

3.1.  Authentication Header Location

   AH may be employed in two ways: transport mode or tunnel mode.  (See
   the Security Architecture document for a description of when each
   should be used.)

3.1.1.  Transport Mode

   In transport mode, AH is inserted after the IP header and before a
   next layer protocol (e.g., TCP, UDP, ICMP, etc.) or before any other
   IPsec headers that have already been inserted.  In the context of
   IPv4, this calls for placing AH after the IP header (and any options
   that it contains), but before the next layer protocol.  (Note that
   the term "transport" mode should not be misconstrued as restricting
   its use to TCP and UDP.)  The following diagram illustrates AH
   transport mode positioning for a typical IPv4 packet, on a "before
   and after" basis.











Kent                        Standards Track                     [Page 9]


RFC 4302                IP Authentication Header           December 2005


                   BEFORE APPLYING AH
             ----------------------------
       IPv4  |orig IP hdr  |     |      |
             |(any options)| TCP | Data |
             ----------------------------

                   AFTER APPLYING AH
             -------------------------------------------------------
       IPv4  |original IP hdr (any options) | AH | TCP |    Data   |
             -------------------------------------------------------
             |<- mutable field processing ->|<- immutable fields ->|
             |<----- authenticated except for mutable fields ----->|

   In the IPv6 context, AH is viewed as an end-to-end payload, and thus
   should appear after hop-by-hop, routing, and fragmentation extension
   headers.  The destination options extension header(s) could appear
   before or after or both before and after the AH header depending on
   the semantics desired.  The following diagram illustrates AH
   transport mode positioning for a typical IPv6 packet.

                        BEFORE APPLYING AH
             ---------------------------------------
       IPv6  |             | ext hdrs |     |      |
             | orig IP hdr |if present| TCP | Data |
             ---------------------------------------

                       AFTER APPLYING AH
            ------------------------------------------------------------
      IPv6  |             |hop-by-hop, dest*, |    | dest |     |      |
            |orig IP hdr  |routing, fragment. | AH | opt* | TCP | Data |
            ------------------------------------------------------------
            |<--- mutable field processing -->|<-- immutable fields -->|
            |<---- authenticated except for mutable fields ----------->|

                  * = if present, could be before AH, after AH, or both

   ESP and AH headers can be combined in a variety of modes.  The IPsec
   Architecture document describes the combinations of security
   associations that must be supported.

   Note that in transport mode, for "bump-in-the-stack" or "bump-in-
   the-wire" implementations, as defined in the Security Architecture
   document, inbound and outbound IP fragments may require an IPsec
   implementation to perform extra IP reassembly/fragmentation in order
   to both conform to this specification and provide transparent IPsec
   support.  Special care is required to perform such operations within
   these implementations when multiple interfaces are in use.




Kent                        Standards Track                    [Page 10]


RFC 4302                IP Authentication Header           December 2005


3.1.2.  Tunnel Mode

   In tunnel mode, the "inner" IP header carries the ultimate (IP)
   source and destination addresses, while an "outer" IP header contains
   the addresses of the IPsec "peers," e.g., addresses of security
   gateways.  Mixed inner and outer IP versions are allowed, i.e., IPv6
   over IPv4 and IPv4 over IPv6.  In tunnel mode, AH protects the entire
   inner IP packet, including the entire inner IP header.  The position
   of AH in tunnel mode, relative to the outer IP header, is the same as
   for AH in transport mode.  The following diagram illustrates AH
   tunnel mode positioning for typical IPv4 and IPv6 packets.

        ----------------------------------------------------------------
   IPv4 |                              |    | orig IP hdr*  |   |      |
        |new IP header * (any options) | AH | (any options) |TCP| Data |
        ----------------------------------------------------------------
        |<- mutable field processing ->|<------ immutable fields ----->|
        |<- authenticated except for mutable fields in the new IP hdr->|

        --------------------------------------------------------------
   IPv6 |           | ext hdrs*|    |            | ext hdrs*|   |    |
        |new IP hdr*|if present| AH |orig IP hdr*|if present|TCP|Data|
        --------------------------------------------------------------
        |<--- mutable field -->|<--------- immutable fields -------->|
        |       processing     |
        |<-- authenticated except for mutable fields in new IP hdr ->|

          * = if present, construction of outer IP hdr/extensions and
              modification of inner IP hdr/extensions is discussed in
              the Security Architecture document.

3.2.  Integrity Algorithms

   The integrity algorithm employed for the ICV computation is specified
   by the SA.  For point-to-point communication, suitable integrity
   algorithms include keyed Message Authentication Codes (MACs) based on
   symmetric encryption algorithms (e.g., AES [AES]) or on one-way hash
   functions (e.g., MD5, SHA-1, SHA-256, etc.).  For multicast
   communication, a variety of cryptographic strategies for providing
   integrity have been developed and research continues in this area.

3.3.  Outbound Packet Processing

   In transport mode, the sender inserts the AH header after the IP
   header and before a next layer protocol header, as described above.
   In tunnel mode, the outer and inner IP header/extensions can be





Kent                        Standards Track                    [Page 11]


RFC 4302                IP Authentication Header           December 2005


   interrelated in a variety of ways.  The construction of the outer IP
   header/extensions during the encapsulation process is described in
   the Security Architecture document.

3.3.1.  Security Association Lookup

   AH is applied to an outbound packet only after an IPsec
   implementation determines that the packet is associated with an SA
   that calls for AH processing.  The process of determining what, if
   any, IPsec processing is applied to outbound traffic is described in
   the Security Architecture document.

3.3.2.  Sequence Number Generation

   The sender's counter is initialized to 0 when an SA is established.
   The sender increments the sequence number (or ESN) counter for this
   SA and inserts the low-order 32 bits of the value into the Sequence
   Number field.  Thus, the first packet sent using a given SA will
   contain a sequence number of 1.

   If anti-replay is enabled (the default), the sender checks to ensure
   that the counter has not cycled before inserting the new value in the
   Sequence Number field.  In other words, the sender MUST NOT send a
   packet on an SA if doing so would cause the sequence number to cycle.
   An attempt to transmit a packet that would result in sequence number
   overflow is an auditable event.  The audit log entry for this event
   SHOULD include the SPI value, current date/time, Source Address,
   Destination Address, and (in IPv6) the cleartext Flow ID.

   The sender assumes anti-replay is enabled as a default, unless
   otherwise notified by the receiver (see Section 3.4.3) or if the SA
   was configured using manual key management.  Thus, typical behavior
   of an AH implementation calls for the sender to establish a new SA
   when the Sequence Number (or ESN) cycles, or in anticipation of this
   value cycling.

   If anti-replay is disabled (as noted above), the sender does not need
   to monitor or reset the counter, e.g., in the case of manual key
   management (see Section 5).  However, the sender still increments the
   counter and when it reaches the maximum value, the counter rolls over
   back to zero.  (This behavior is recommended for multi-sender,
   multicast SAs, unless anti-replay mechanisms outside the scope of
   this standard are negotiated between the sender and receiver.)

   If ESN (see Appendix B) is selected, only the low-order 32 bits of
   the sequence number are transmitted in the Sequence Number field,
   although both sender and receiver maintain full 64-bit ESN counters.
   However, the high-order 32 bits are included in the ICV calculation.



Kent                        Standards Track                    [Page 12]


RFC 4302                IP Authentication Header           December 2005


   Note: If a receiver chooses not to enable anti-replay for an SA, then
   the receiver SHOULD NOT negotiate ESN in an SA management protocol.
   Use of ESN creates a need for the receiver to manage the anti-replay
   window (in order to determine the correct value for the high-order
   bits of the ESN, which are employed in the ICV computation), which is
   generally contrary to the notion of disabling anti-replay for an SA.

3.3.3.  Integrity Check Value Calculation

   The AH ICV is computed over:

        o IP or extension header fields before the AH header that are
          either immutable in transit or that are predictable in value
          upon arrival at the endpoint for the AH SA
        o the AH header (Next Header, Payload Len, Reserved, SPI,
          Sequence Number (low-order 32 bits), and the ICV (which is set
          to zero for this computation), and explicit padding bytes (if
          any))
        o everything after AH is assumed to be immutable in transit
        o the high-order bits of the ESN (if employed), and any implicit
          padding required by the integrity algorithm

3.3.3.1.  Handling Mutable Fields

   If a field may be modified during transit, the value of the field is
   set to zero for purposes of the ICV computation.  If a field is
   mutable, but its value at the (IPsec) receiver is predictable, then
   that value is inserted into the field for purposes of the ICV
   calculation.  The Integrity Check Value field is also set to zero in
   preparation for this computation.  Note that by replacing each
   field's value with zero, rather than omitting the field, alignment is
   preserved for the ICV calculation.  Also, the zero-fill approach
   ensures that the length of the fields that are so handled cannot be
   changed during transit, even though their contents are not explicitly
   covered by the ICV.

   As a new extension header or IPv4 option is created, it will be
   defined in its own RFC and SHOULD include (in the Security
   Considerations section) directions for how it should be handled when
   calculating the AH ICV.  If the IP (v4 or v6) implementation
   encounters an extension header that it does not recognize, it will
   discard the packet and send an ICMP message.  IPsec will never see
   the packet.  If the IPsec implementation encounters an IPv4 option
   that it does not recognize, it should zero the whole option, using
   the second byte of the option as the length.  IPv6 options (in
   Destination Extension Headers or the Hop-by-Hop Extension Header)
   contain a flag indicating mutability, which determines appropriate
   processing for such options.



Kent                        Standards Track                    [Page 13]


RFC 4302                IP Authentication Header           December 2005


3.3.3.1.1.  ICV Computation for IPv4

3.3.3.1.1.1.  Base Header Fields

   The IPv4 base header fields are classified as follows:

   Immutable
           Version
           Internet Header Length
           Total Length
           Identification
           Protocol (This should be the value for AH.)
           Source Address
           Destination Address (without loose or strict source routing)

   Mutable but predictable
           Destination Address (with loose or strict source routing)

   Mutable (zeroed prior to ICV calculation)
           Differentiated Services Code Point (DSCP)
              (6 bits, see RFC 2474 [NBBB98])
           Explicit Congestion Notification (ECN)
              (2 bits, see RFC 3168 [RFB01])
           Flags
           Fragment Offset
           Time to Live (TTL)
           Header Checksum

   DSCP - Routers may rewrite the DS field as needed to provide a
   desired local or end-to-end service, thus its value upon reception
   cannot be predicted by the sender.

   ECN - This will change if a router along the route experiences
   congestion, and thus its value upon reception cannot be predicted by
   the sender.

   Flags - This field is excluded because an intermediate router might
   set the DF bit, even if the source did not select it.

   Fragment Offset - Since AH is applied only to non-fragmented IP
   packets, the Offset Field must always be zero, and thus it is
   excluded (even though it is predictable).

   TTL - This is changed en route as a normal course of processing by
   routers, and thus its value at the receiver is not predictable by the
   sender.





Kent                        Standards Track                    [Page 14]


RFC 4302                IP Authentication Header           December 2005


   Header Checksum - This will change if any of these other fields
   change, and thus its value upon reception cannot be predicted by the
   sender.

3.3.3.1.1.2.  Options

   For IPv4 (unlike IPv6), there is no mechanism for tagging options as
   mutable in transit.  Hence the IPv4 options are explicitly listed in
   Appendix A and classified as immutable, mutable but predictable, or
   mutable.  For IPv4, the entire option is viewed as a unit; so even
   though the type and length fields within most options are immutable
   in transit, if an option is classified as mutable, the entire option
   is zeroed for ICV computation purposes.

3.3.3.1.2.  ICV Computation for IPv6

3.3.3.1.2.1.  Base Header Fields

   The IPv6 base header fields are classified as follows:

   Immutable
           Version
           Payload Length
           Next Header
           Source Address
           Destination Address (without Routing Extension Header)

   Mutable but predictable
           Destination Address (with Routing Extension Header)

   Mutable (zeroed prior to ICV calculation)
           DSCP (6 bits, see RFC2474 [NBBB98])
           ECN (2 bits, see RFC3168 [RFB01])
           Flow Label (*)
           Hop Limit

        (*) The flow label described in AHv1 was mutable, and in
            RFC 2460 [DH98] was potentially mutable.  To retain
            compatibility with existing AH implementations, the
            flow label is not included in the ICV in AHv2.

3.3.3.1.2.2.  Extension Headers Containing Options

   IPv6 options in the Hop-by-Hop and Destination Extension Headers
   contain a bit that indicates whether the option might change
   (unpredictably) during transit.  For any option for which contents
   may change en-route, the entire "Option Data" field must be treated
   as zero-valued octets when computing or verifying the ICV.  The



Kent                        Standards Track                    [Page 15]


RFC 4302                IP Authentication Header           December 2005


   Option Type and Opt Data Len are included in the ICV calculation.
   All options for which the bit indicates immutability are included in
   the ICV calculation.  See the IPv6 specification [DH98] for more
   information.

3.3.3.1.2.3.  Extension Headers Not Containing Options

   The IPv6 extension headers that do not contain options are explicitly
   listed in Appendix A and classified as immutable, mutable but
   predictable, or mutable.

3.3.3.2.  Padding and Extended Sequence Numbers

3.3.3.2.1.  ICV Padding

   As mentioned in Section 2.6, the ICV field may include explicit
   padding if required to ensure that the AH header is a multiple of 32
   bits (IPv4) or 64 bits (IPv6).  If padding is required, its length is
   determined by two factors:

           - the length of the ICV
           - the IP protocol version (v4 or v6)

   For example, if the output of the selected algorithm is 96 bits, no
   padding is required for IPv4 or IPv6.  However, if a different length
   ICV is generated, due to use of a different algorithm, then padding
   may be required depending on the length and IP protocol version.  The
   content of the padding field is arbitrarily selected by the sender.
   (The padding is arbitrary, but need not be random to achieve
   security.)  These padding bytes are included in the ICV calculation,
   counted as part of the Payload Length, and transmitted at the end of
   the ICV field to enable the receiver to perform the ICV calculation.
   Inclusion of padding in excess of the minimum amount required to
   satisfy IPv4/IPv6 alignment requirements is prohibited.

3.3.3.2.2.  Implicit Packet Padding and ESN

   If the ESN option is elected for an SA, then the high-order 32 bits
   of the ESN must be included in the ICV computation.  For purposes of
   ICV computation, these bits are appended (implicitly) immediately
   after the end of the payload, and before any implicit packet padding.

   For some integrity algorithms, the byte string over which the ICV
   computation is performed must be a multiple of a blocksize specified
   by the algorithm.  If the IP packet length (including AH and the 32
   high-order bits of the ESN, if enabled) does not match the blocksize
   requirements for the algorithm, implicit padding MUST be appended to
   the end of the packet, prior to ICV computation.  The padding octets



Kent                        Standards Track                    [Page 16]


RFC 4302                IP Authentication Header           December 2005


   MUST have a value of zero.  The blocksize (and hence the length of
   the padding) is specified by the algorithm specification.  This
   padding is not transmitted with the packet.  The document that
   defines an integrity algorithm MUST be consulted to determine if
   implicit padding is required as described above.  If the document
   does not specify an answer to this, then the default is to assume
   that implicit padding is required (as needed to match the packet
   length to the algorithm's blocksize.)  If padding bytes are needed
   but the algorithm does not specify the padding contents, then the
   padding octets MUST have a value of zero.

3.3.4.  Fragmentation

   If required, IP fragmentation occurs after AH processing within an
   IPsec implementation.  Thus, transport mode AH is applied only to
   whole IP datagrams (not to IP fragments).  An IPv4 packet to which AH
   has been applied may itself be fragmented by routers en route, and
   such fragments must be reassembled prior to AH processing at a
   receiver.  (This does not apply to IPv6, where there is no router-
   initiated fragmentation.)  In tunnel mode, AH is applied to an IP
   packet, the payload of which may be a fragmented IP packet.  For
   example, a security gateway or a "bump-in-the-stack" or "bump-in-
   the-wire" IPsec implementation (see the Security Architecture
   document for details) may apply tunnel mode AH to such fragments.

   NOTE: For transport mode -- As mentioned at the end of Section 3.1.1,
   bump-in-the-stack and bump-in-the-wire implementations may have to
   first reassemble a packet fragmented by the local IP layer, then
   apply IPsec, and then fragment the resulting packet.

   NOTE: For IPv6 -- For bump-in-the-stack and bump-in-the-wire
   implementations, it will be necessary to examine all the extension
   headers to determine if there is a fragmentation header and hence
   that the packet needs reassembling prior to IPsec processing.

   Fragmentation, whether performed by an IPsec implementation or by
   routers along the path between IPsec peers, significantly reduces
   performance.  Moreover, the requirement for an AH receiver to accept
   fragments for reassembly creates denial of service vulnerabilities.
   Thus, an AH implementation MAY choose to not support fragmentation
   and may mark transmitted packets with the DF bit, to facilitate Path
   MTU (PMTU) discovery.  In any case, an AH implementation MUST support
   generation of ICMP PMTU messages (or equivalent internal signaling
   for native host implementations) to minimize the likelihood of
   fragmentation.  Details of the support required for MTU management
   are contained in the Security Architecture document.





Kent                        Standards Track                    [Page 17]


RFC 4302                IP Authentication Header           December 2005


3.4.  Inbound Packet Processing

   If there is more than one IPsec header/extension present, the
   processing for each one ignores (does not zero, does not use) any
   IPsec headers applied subsequent to the header being processed.

3.4.1.  Reassembly

   If required, reassembly is performed prior to AH processing.  If a
   packet offered to AH for processing appears to be an IP fragment,
   i.e., the OFFSET field is nonzero or the MORE FRAGMENTS flag is set,
   the receiver MUST discard the packet; this is an auditable event.
   The audit log entry for this event SHOULD include the SPI value,
   date/time, Source Address, Destination Address, and (in IPv6) the
   Flow ID.

   NOTE: For packet reassembly, the current IPv4 spec does NOT require
   either the zeroing of the OFFSET field or the clearing of the MORE
   FRAGMENTS flag.  In order for a reassembled packet to be processed by
   IPsec (as opposed to discarded as an apparent fragment), the IP code
   must do these two things after it reassembles a packet.

3.4.2.  Security Association Lookup

   Upon receipt of a packet containing an IP Authentication Header, the
   receiver determines the appropriate (unidirectional) SA via lookup in
   the SAD.  For a unicast SA, this determination is based on the SPI or
   the SPI plus protocol field, as described in Section 2.4.  If an
   implementation supports multicast traffic, the destination address is
   also employed in the lookup (in addition to the SPI), and the sender
   address also may be employed, as described in Section 2.4.  (This
   process is described in more detail in the Security Architecture
   document.)  The SAD entry for the SA also indicates whether the
   Sequence Number field will be checked and whether 32- or 64-bit
   sequence numbers are employed for the SA.  The SAD entry for the SA
   also specifies the algorithm(s) employed for ICV computation, and
   indicates the key required to validate the ICV.

   If no valid Security Association exists for this packet the receiver
   MUST discard the packet; this is an auditable event.  The audit log
   entry for this event SHOULD include the SPI value, date/time, Source
   Address, Destination Address, and (in IPv6) the Flow ID.

   (Note that SA management traffic, such as IKE packets, does not need
   to be processed based on SPI, i.e., one can de-multiplex this traffic
   separately based on Next Protocol and Port fields, for example.)





Kent                        Standards Track                    [Page 18]


RFC 4302                IP Authentication Header           December 2005


3.4.3.  Sequence Number Verification

   All AH implementations MUST support the anti-replay service, though
   its use may be enabled or disabled by the receiver on a per-SA basis.
   Anti-replay is applicable to unicast as well as multicast SAs.
   However, this standard specifies no mechanisms for providing anti-
   replay for a multi-sender SA (unicast or multicast).  In the absence
   of negotiation (or manual configuration) of an anti-replay mechanism
   for such an SA, it is recommended that sender and receiver checking
   of the Sequence Number for the SA be disabled (via negotiation or
   manual configuration), as noted below.

   If the receiver does not enable anti-replay for an SA, no inbound
   checks are performed on the Sequence Number.  However, from the
   perspective of the sender, the default is to assume that anti-replay
   is enabled at the receiver.  To avoid having the sender do
   unnecessary sequence number monitoring and SA setup (see Section
   3.3.2, "Sequence Number Generation"), if an SA establishment protocol
   such as IKE is employed, the receiver SHOULD notify the sender,
   during SA establishment, if the receiver will not provide anti-replay
   protection.

   If the receiver has enabled the anti-replay service for this SA, the
   receive packet counter for the SA MUST be initialized to zero when
   the SA is established.  For each received packet, the receiver MUST
   verify that the packet contains a Sequence Number that does not
   duplicate the Sequence Number of any other packets received during
   the life of this SA.  This SHOULD be the first AH check applied to a
   packet after it has been matched to an SA, to speed rejection of
   duplicate packets.

   Duplicates are rejected through the use of a sliding receive window.
   How the window is implemented is a local matter, but the following
   text describes the functionality that the implementation must
   exhibit.

   The "right" edge of the window represents the highest, validated
   Sequence Number value received on this SA.  Packets that contain
   sequence numbers lower than the "left" edge of the window are
   rejected.  Packets falling within the window are checked against a
   list of received packets within the window.

   If the ESN option is selected for an SA, only the low-order 32 bits
   of the sequence number are explicitly transmitted, but the receiver
   employs the full sequence number computed using the high-order 32
   bits for the indicated SA (from his local counter) when checking the
   received Sequence Number against the receive window.  In constructing
   the full sequence number, if the low-order 32 bits carried in the



Kent                        Standards Track                    [Page 19]


RFC 4302                IP Authentication Header           December 2005


   packet are lower in value than the low-order 32 bits of the
   receiver's sequence number counter, the receiver assumes that the
   high-order 32 bits have been incremented, moving to a new sequence
   number subspace.  (This algorithm accommodates gaps in reception for
   a single SA as large as 2**32-1 packets.  If a larger gap occurs,
   additional, heuristic checks for re-synchronization of the receiver's
   sequence number counter MAY be employed, as described in Appendix B.)

   If the received packet falls within the window and is not a
   duplicate, or if the packet is to the right of the window, then the
   receiver proceeds to ICV verification.  If the ICV validation fails,
   the receiver MUST discard the received IP datagram as invalid.  This
   is an auditable event.  The audit log entry for this event SHOULD
   include the SPI value, date/time, Source Address, Destination
   Address, the Sequence Number, and (in IPv6) the Flow ID.  The receive
   window is updated only if the ICV verification succeeds.

   A MINIMUM window size of 32 packets MUST be supported, but a window
   size of 64 is preferred and SHOULD be employed as the default.
   Another window size (larger than the MINIMUM) MAY be chosen by the
   receiver.  (The receiver does NOT notify the sender of the window
   size.)  The receive window size should be increased for higher-speed
   environments, irrespective of assurance issues.  Values for minimum
   and recommended receive window sizes for very high-speed (e.g.,
   multi-gigabit/second) devices are not specified by this standard.

3.4.4.  Integrity Check Value Verification

   The receiver computes the ICV over the appropriate fields of the
   packet, using the specified integrity algorithm, and verifies that it
   is the same as the ICV included in the ICV field of the packet.
   Details of the computation are provided below.

   If the computed and received ICVs match, then the datagram is valid,
   and it is accepted.  If the test fails, then the receiver MUST
   discard the received IP datagram as invalid.  This is an auditable
   event.  The audit log entry SHOULD include the SPI value, date/time
   received, Source Address, Destination Address, and (in IPv6) the Flow
   ID.

   Implementation Note:

      Implementations can use any set of steps that results in the same
      result as the following set of steps.  Begin by saving the ICV
      value and replacing it (but not any ICV field padding) with zero.
      Zero all other fields that may have been modified during transit.
      (See Section 3.3.3.1, "Handling Mutable Fields", for a discussion
      of which fields are zeroed before performing the ICV calculation.)



Kent                        Standards Track                    [Page 20]


RFC 4302                IP Authentication Header           December 2005


      If the ESN option is elected for this SA, append the high-order 32
      bits of the ESN after the end of the packet.  Check the overall
      length of the packet (as described above), and if it requires
      implicit padding based on the requirements of the integrity
      algorithm, append zero-filled bytes to the end of the packet
      (after the ESN if present) as required.  Perform the ICV
      computation and compare the result with the saved value, using the
      comparison rules defined by the algorithm specification.  (For
      example, if a digital signature and one-way hash are used for the
      ICV computation, the matching process is more complex.)

4.  Auditing

   Not all systems that implement AH will implement auditing.  However,
   if AH is incorporated into a system that supports auditing, then the
   AH implementation MUST also support auditing and MUST allow a system
   administrator to enable or disable auditing for AH.  For the most
   part, the granularity of auditing is a local matter.  However,
   several auditable events are identified in this specification, and
   for each of these events a minimum set of information that SHOULD be
   included in an audit log is defined.  Additional information also MAY
   be included in the audit log for each of these events, and additional
   events, not explicitly called out in this specification, also MAY
   result in audit log entries.  There is no requirement for the
   receiver to transmit any message to the purported sender in response
   to the detection of an auditable event, because of the potential to
   induce denial of service via such action.

5.  Conformance Requirements

   Implementations that claim conformance or compliance with this
   specification MUST fully implement the AH syntax and processing
   described here for unicast traffic, and MUST comply with all
   requirements of the Security Architecture document [Ken-Arch].
   Additionally, if an implementation claims to support multicast
   traffic, it MUST comply with the additional requirements specified
   for support of such traffic.  If the key used to compute an ICV is
   manually distributed, correct provision of the anti-replay service
   would require correct maintenance of the counter state at the sender,
   until the key is replaced, and there likely would be no automated
   recovery provision if counter overflow were imminent.  Thus, a
   compliant implementation SHOULD NOT provide this service in
   conjunction with SAs that are manually keyed.

   The mandatory-to-implement algorithms for use with AH are described
   in a separate RFC [Eas04], to facilitate updating the algorithm
   requirements independently from the protocol per se.  Additional
   algorithms, beyond those mandated for AH, MAY be supported.



Kent                        Standards Track                    [Page 21]


RFC 4302                IP Authentication Header           December 2005


6.  Security Considerations

   Security is central to the design of this protocol, and these
   security considerations permeate the specification.  Additional
   security-relevant aspects of using the IPsec protocol are discussed
   in the Security Architecture document.

7.  Differences from RFC 2402

   This document differs from RFC 2402 [RFC2402] in the following ways.

        o SPI -- modified to specify a uniform algorithm for SAD lookup
          for unicast and multicast SAs, covering a wider range of
          multicast technologies.  For unicast, the SPI may be used
          alone to select an SA, or may be combined with the protocol,
          at the option of the receiver.  For multicast SAs, the SPI is
          combined with the destination address, and optionally the
          source address, to select an SA.
        o Extended Sequence Number -- added a new option for a 64-bit
          sequence number for very high-speed communications.  Clarified
          sender and receiver processing requirements for multicast SAs
          and multi-sender SAs.
        o Moved references to mandatory algorithms to a separate
          document [Eas04].

8.  Acknowledgements

   The author would like to acknowledge the contributions of Ran
   Atkinson, who played a critical role in initial IPsec activities, and
   who authored the first series of IPsec standards: RFCs 1825-1827.
   Karen Seo deserves special thanks for providing help in the editing
   of this and the previous version of this specification.  The author
   also would like to thank the members of the IPsec and MSEC working
   groups who have contributed to the development of this protocol
   specification.

9.  References

9.1.  Normative References

   [Bra97]    Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Level", BCP 14, RFC 2119, March 1997.

   [DH98]     Deering, S. and R.  Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.






Kent                        Standards Track                    [Page 22]


RFC 4302                IP Authentication Header           December 2005


   [Eas04]    3rd Eastlake, D., "Cryptographic Algorithm Implementation
              Requirements for Encapsulating Security Payload (ESP) and
              Authentication Header (AH)", RFC 4305, December 2005.

   [Ken-Arch] Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC791]   Postel, J., "Internet Protocol", STD 5, RFC 791, September
              1981.

   [RFC1108]  Kent, S., "U.S. Department of Defense Security Options for
              the Internet Protocol", RFC 1108, November 1991.

9.2.  Informative References

   [AES]      Advanced Encryption Standard (AES), Federal Information
              Processing Standard 197, National Institutes of Standards
              and Technology, November 26, 2001.

   [HC03]     Holbrook, H. and B. Cain, "Source Specific Multicast for
              IP", Work in Progress, November 3, 2002.

   [IKEv2]    Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
              Protocol", RFC 4306, December 2005.

   [Ken-ESP]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
              4303, December 2005.

   [NBBB98]   Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474, December
              1998.

   [RFB01]    Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
              of Explicit Congestion Notification (ECN) to IP", RFC
              3168, September 2001.

   [RFC1063]  Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP
              MTU discovery options", RFC 1063, July 1988.

   [RFC1122]  Braden, R., "Requirements for Internet Hosts -
              Communication Layers", STD 3, RFC 1122, October 1989.

   [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
              November 1990.

   [RFC1385]  Wang, Z., "EIP: The Extended Internet Protocol", RFC 1385,
              November 1992.



Kent                        Standards Track                    [Page 23]


RFC 4302                IP Authentication Header           December 2005


   [RFC1393]  Malkin, G., "Traceroute Using an IP Option", RFC 1393,
              January 1993.

   [RFC1770]  Graff, C., "IPv4 Option for Sender Directed Multi-
              Destination Delivery", RFC 1770, March 1995.

   [RFC2113]  Katz, D., "IP Router Alert Option", RFC 2113, February
              1997.

   [RFC2402]  Kent, S. and R. Atkinson, "IP Authentication Header", RFC
              2402, November 1998.

   [RFC3547]  Baugher, M., Weis, B., Hardjono, T., and H. Harney, "The
              Group Domain of Interpretation", RFC 3547, July 2003.

   [RFC3740]  Hardjono, T. and B. Weis, "The Multicast Group Security
              Architecture", RFC 3740, March 2004.


































Kent                        Standards Track                    [Page 24]


RFC 4302                IP Authentication Header           December 2005


Appendix A: Mutability of IP Options/Extension Headers

A1.  IPv4 Options

   This table shows how the IPv4 options are classified with regard to
   "mutability".  Where two references are provided, the second one
   supercedes the first.  This table is based in part on information
   provided in RFC 1700, "ASSIGNED NUMBERS", (October 1994).

               Opt.
    Copy Class  #   Name                       Reference
    ---- ----- ---  -------------------------  --------
    IMMUTABLE -- included in ICV calculation
      0   0     0   End of Options List        [RFC791]
      0   0     1   No Operation               [RFC791]
      1   0     2   Security                   [RFC1108] (historic but
                                               in use)
      1   0     5   Extended Security          [RFC1108] (historic but
                                               in use)
      1   0     6   Commercial Security
      1   0    20   Router Alert               [RFC2113]
      1   0    21   Sender Directed Multi-     [RFC1770]
                    Destination Delivery
    MUTABLE -- zeroed
      1   0      3  Loose Source Route         [RFC791]
      0   2      4  Time Stamp                 [RFC791]
      0   0      7  Record Route               [RFC791]
      1   0      9  Strict Source Route        [RFC791]
      0   2     18  Traceroute                 [RFC1393]

    EXPERIMENTAL, SUPERCEDED -- zeroed
      1   0      8  Stream ID                  [RFC791, RFC1122 (Host
                                               Req)]
      0   0     11  MTU Probe                  [RFC1063, RFC1191 (PMTU)]
      0   0     12  MTU Reply                  [RFC1063, RFC1191 (PMTU)]
      1   0     17  Extended Internet Protocol [RFC1385, DH98 (IPv6)]
      0   0     10  Experimental Measurement
      1   2     13  Experimental Flow Control
      1   0     14  Experimental Access Ctl
      0   0     15  ???
      1   0     16  IMI Traffic Descriptor
      1   0     19  Address Extension

   NOTE: Use of the Router Alert option is potentially incompatible with
   use of IPsec.  Although the option is immutable, its use implies that
   each router along a packet's path will "process" the packet and
   consequently might change the packet.  This would happen on a hop-
   by-hop basis as the packet goes from router to router.  Prior to



Kent                        Standards Track                    [Page 25]


RFC 4302                IP Authentication Header           December 2005


   being processed by the application to which the option contents are
   directed (e.g., Resource Reservation Protocol (RSVP)/Internet Group
   Management Protocol (IGMP)), the packet should encounter AH
   processing.  However, AH processing would require that each router
   along the path is a member of a multicast-SA defined by the SPI.
   This might pose problems for packets that are not strictly source
   routed, and it requires multicast support techniques not currently
   available.

   NOTE: Addition or removal of security labels (e.g., Basic Security
   Option (BSO), Extended Security Option (ESO), or Commercial Internet
   Protocol Security Option (CIPSO)) by systems along a packet's path
   conflicts with the classification of these IP options as immutable
   and is incompatible with the use of IPsec.

   NOTE: End of Options List options SHOULD be repeated as necessary to
   ensure that the IP header ends on a 4-byte boundary in order to
   ensure that there are no unspecified bytes that could be used for a
   covert channel.

A2.  IPv6 Extension Headers

   This table shows how the IPv6 extension headers are classified with
   regard to "mutability".

       Option/Extension Name                  Reference
       -----------------------------------    ---------
       MUTABLE BUT PREDICTABLE -- included in ICV calculation
         Routing (Type 0)                    [DH98]

       BIT INDICATES IF OPTION IS MUTABLE (CHANGES UNPREDICTABLY DURING
       TRANSIT)
         Hop-by-Hop options                  [DH98]
         Destination options                 [DH98]

       NOT APPLICABLE
         Fragmentation                       [DH98]

       Options -- IPv6 options in the Hop-by-Hop and Destination
   Extension Headers contain a bit that indicates whether the option
   might change (unpredictably) during transit.  For any option for
   which contents may change en route, the entire "Option Data" field
   must be treated as zero-valued octets when computing or verifying
   the ICV.  The Option Type and Opt Data Len are included in the ICV
   calculation.  All options for which the bit indicates immutability
   are included in the ICV calculation.  See the IPv6 specification
   [DH98] for more information.




Kent                        Standards Track                    [Page 26]


RFC 4302                IP Authentication Header           December 2005


       Routing (Type 0) -- The IPv6 Routing Header "Type 0" will
   rearrange the address fields within the packet during transit from
   source to destination.  However, the contents of the packet as it
   will appear at the receiver are known to the sender and to all
   intermediate hops.  Hence, the IPv6 Routing Header "Type 0" is
   included in the Integrity Check Value calculation as mutable but
   predictable.  The sender must order the field so that it appears as
   it will at the receiver, prior to performing the ICV computation.

       Fragmentation -- Fragmentation occurs after outbound IPsec
   processing (Section 3.3) and reassembly occurs before inbound IPsec
   processing (Section 3.4).  So the Fragmentation Extension Header, if
   it exists, is not seen by IPsec.

   Note that on the receive side, the IP implementation could leave a
   Fragmentation Extension Header in place when it does re-assembly.  If
   this happens, then when AH receives the packet, before doing ICV
   processing, AH MUST "remove" (or skip over) this header and change
   the previous header's "Next Header" field to be the "Next Header"
   field in the Fragmentation Extension Header.

   Note that on the send side, the IP implementation could give the
   IPsec code a packet with a Fragmentation Extension Header with Offset
   of 0 (first fragment) and a More Fragments Flag of 0 (last fragment).
   If this happens, then before doing ICV processing, AH MUST first
   "remove" (or skip over) this header and change the previous header's
   "Next Header" field to be the "Next Header" field in the
   Fragmentation Extension Header.























Kent                        Standards Track                    [Page 27]


RFC 4302                IP Authentication Header           December 2005


Appendix B: Extended (64-bit) Sequence Numbers

B1.  Overview

   This appendix describes an Extended Sequence Number (ESN) scheme for
   use with IPsec (ESP and AH) that employs a 64-bit sequence number,
   but in which only the low-order 32 bits are transmitted as part of
   each packet.  It covers both the window scheme used to detect
   replayed packets and the determination of the high-order bits of the
   sequence number that are used both for replay rejection and for
   computation of the ICV.  It also discusses a mechanism for handling
   loss of synchronization relative to the (not transmitted) high-order
   bits.

B2.  Anti-Replay Window

   The receiver will maintain an anti-replay window of size W.  This
   window will limit how far out of order a packet can be, relative to
   the packet with the highest sequence number that has been
   authenticated so far.  (No requirement is established for minimum or
   recommended sizes for this window, beyond the 32- and 64-packet
   values already established for 32-bit sequence number windows.
   However, it is suggested that an implementer scale these values
   consistent with the interface speed supported by an implementation
   that makes use of the ESN option.  Also, the algorithm described
   below assumes that the window is no greater than 2^31 packets in
   width.)  All 2^32 sequence numbers associated with any fixed value
   for the high-order 32 bits (Seqh) will hereafter be called a sequence
   number subspace.  The following table lists pertinent variables and
   their definitions.

        Var.   Size
        Name  (bits)             Meaning
        ----  ------   ---------------------------
        W       32     Size of window
        T       64     Highest sequence number authenticated so far,
                       upper bound of window
          Tl      32     Lower 32 bits of T
          Th      32     Upper 32 bits of T
        B       64     Lower bound of window
          Bl      32     Lower 32 bits of B
          Bh      32     Upper 32 bits of B
        Seq     64     Sequence Number of received packet
          Seql    32     Lower 32 bits of Seq
          Seqh    32     Upper 32 bits of Seq






Kent                        Standards Track                    [Page 28]


RFC 4302                IP Authentication Header           December 2005


   When performing the anti-replay check, or when determining which
   high-order bits to use to authenticate an incoming packet, there are
   two cases:

     + Case A: Tl >= (W - 1). In this case, the window is within one
                              sequence number subspace.  (See Figure 1)
     + Case B: Tl < (W - 1).  In this case, the window spans two
                              sequence number subspaces.  (See Figure 2)

   In the figures below, the bottom line ("----") shows two consecutive
   sequence number subspaces, with zeros indicating the beginning of
   each subspace.  The two shorter lines above it show the higher-order
   bits that apply.  The "====" represents the window.  The "****"
   represents future sequence numbers, i.e., those beyond the current
   highest sequence number authenticated (ThTl).

        Th+1                         *********

        Th               =======*****

              --0--------+-----+-----0--------+-----------0--
                         Bl    Tl            Bl
                                        (Bl+2^32) mod 2^32

                            Figure 1 -- Case A


        Th                           ====**************

        Th-1                      ===

              --0-----------------+--0--+--------------+--0--
                                  Bl    Tl            Bl
                                                 (Bl+2^32) mod 2^32

                            Figure 2 -- Case B

B2.1.  Managing and Using the Anti-Replay Window

   The anti-replay window can be thought of as a string of bits where
   `W' defines the length of the string.  W = T - B + 1 and cannot
   exceed 2^32 - 1 in value.  The bottom-most bit corresponds to B and
   the top-most bit corresponds to T, and each sequence number from Bl
   through Tl is represented by a corresponding bit.  The value of the
   bit indicates whether or not a packet with that sequence number has
   been received and authenticated, so that replays can be detected and
   rejected.




Kent                        Standards Track                    [Page 29]


RFC 4302                IP Authentication Header           December 2005


   When a packet with a 64-bit sequence number (Seq) greater than T is
   received and validated,

      + B is increased by (Seq - T)
      + (Seq - T) bits are dropped from the low end of the window
      + (Seq - T) bits are added to the high end of the window
      + The top bit is set to indicate that a packet with that sequence
        number has been received and authenticated
      + The new bits between T and the top bit are set to indicate that
        no packets with those sequence numbers have been received yet.
      + T is set to the new sequence number

   In checking for replayed packets,

      + Under Case A: If Seql >= Bl (where Bl = Tl - W + 1) AND
        Seql <= Tl, then check the corresponding bit in the window to
        see if this Seql has already been seen.  If yes, reject the
        packet.  If no, perform integrity check (see Appendix B2.2
        below for determination of SeqH).

      + Under Case B: If Seql >= Bl (where Bl = Tl - W + 1) OR
        Seql <= Tl, then check the corresponding bit in the window to
        see if this Seql has already been seen.  If yes, reject the
        packet.  If no, perform integrity check (see Appendix B2.2
        below for determination of Seqh).

B2.2.  Determining the Higher-Order Bits (Seqh) of the Sequence Number

   Because only `Seql' will be transmitted with the packet, the receiver
   must deduce and track the sequence number subspace into which each
   packet falls, i.e., determine the value of Seqh.  The following
   equations define how to select Seqh under "normal" conditions; see
   Appendix B3 for a discussion of how to recover from extreme packet
   loss.

      + Under Case A (Figure 1):
        If Seql >= Bl (where Bl = Tl - W + 1), then Seqh = Th
        If Seql <  Bl (where Bl = Tl - W + 1), then Seqh = Th + 1

      + Under Case B (Figure 2):
        If Seql >= Bl (where Bl = Tl - W + 1), then Seqh = Th - 1
        If Seql <  Bl (where Bl = Tl - W + 1), then Seqh = Th









Kent                        Standards Track                    [Page 30]


RFC 4302                IP Authentication Header           December 2005


B2.3.  Pseudo-Code Example

   The following pseudo-code illustrates the above algorithms for anti-
   replay and integrity checks.  The values for `Seql', `Tl', `Th', and
   `W' are 32-bit unsigned integers.  Arithmetic is mod 2^32.

        If (Tl >= W - 1)                            Case A
            If (Seql >= Tl - W + 1)
                Seqh = Th
                If (Seql <= Tl)
                    If (pass replay check)
                        If (pass integrity check)
                            Set bit corresponding to Seql
                            Pass the packet on
                        Else reject packet
                    Else reject packet
                Else
                    If (pass integrity check)
                        Tl = Seql (shift bits)
                        Set bit corresponding to Seql
                        Pass the packet on
                    Else reject packet
            Else
                Seqh = Th + 1
                If (pass integrity check)
                    Tl = Seql (shift bits)
                    Th = Th + 1
                    Set bit corresponding to Seql
                    Pass the packet on
                Else reject packet
        Else                                    Case B
            If (Seql >= Tl - W + 1)
                Seqh = Th - 1
                If (pass replay check)
                    If (pass integrity check)
                        Set the bit corresponding to Seql
                        Pass packet on
                    Else reject packet
                Else reject packet
            Else
                Seqh = Th
                If (Seql <= Tl)
                    If (pass replay check)
                        If (pass integrity check)
                            Set the bit corresponding to Seql
                            Pass packet on
                        Else reject packet
                    Else reject packet



Kent                        Standards Track                    [Page 31]


RFC 4302                IP Authentication Header           December 2005


                Else
                    If (pass integrity check)
                        Tl = Seql (shift bits)
                        Set the bit corresponding to Seql
                        Pass packet on
                    Else reject packet

B3.  Handling Loss of Synchronization due to Significant Packet Loss

   If there is an undetected packet loss of 2^32 or more consecutive
   packets on a single SA, then the transmitter and receiver will lose
   synchronization of the high-order bits, i.e., the equations in
   Appendix B2.2. will fail to yield the correct value.  Unless this
   problem is detected and addressed, subsequent packets on this SA will
   fail authentication checks and be discarded.  The following procedure
   SHOULD be implemented by any IPsec (ESP or AH) implementation that
   supports the ESN option.

   Note that this sort of extended traffic loss seems unlikely to occur
   if any significant fraction of the traffic on the SA in question is
   TCP, because the source would fail to receive ACKs and would stop
   sending long before 2^32 packets had been lost.  Also, for any bi-
   directional application, even ones operating above UDP, such an
   extended outage would likely result in triggering some form of
   timeout.  However, a unidirectional application, operating over UDP,
   might lack feedback that would cause automatic detection of a loss of
   this magnitude, hence the motivation to develop a recovery method for
   this case.

   The solution we've chosen was selected to:

     + minimize the impact on normal traffic processing.

     + avoid creating an opportunity for a new denial of service attack
       such as might occur by allowing an attacker to force diversion of
       resources to a re-synchronization process.
     + limit the recovery mechanism to the receiver because anti-replay
       is a service only for the receiver, and the transmitter generally
       is not aware of whether the receiver is using sequence numbers in
       support of this optional service.  It is preferable for recovery
       mechanisms to be local to the receiver.  This also allows for
       backward compatibility.









Kent                        Standards Track                    [Page 32]


RFC 4302                IP Authentication Header           December 2005


B3.1.  Triggering Re-synchronization

   For each SA, the receiver records the number of consecutive packets
   that fail authentication.  This count is used to trigger the re-
   synchronization process, which should be performed in the background
   or using a separate processor.  Receipt of a valid packet on the SA
   resets the counter to zero.  The value used to trigger the re-
   synchronization process is a local parameter.  There is no
   requirement to support distinct trigger values for different SAs,
   although an implementer may choose to do so.

B3.2.  Re-synchronization Process

   When the above trigger point is reached, a "bad" packet is selected
   for which authentication is retried using successively larger values
   for the upper half of the sequence number (Seqh).  These values are
   generated by incrementing by one for each retry.  The number of
   retries should be limited, in case this is a packet from the "past"
   or a bogus packet.  The limit value is a local parameter.  (Because
   the Seqh value is implicitly placed after the AH (or ESP) payload, it
   may be possible to optimize this procedure by executing the integrity
   algorithm over the packet up to the endpoint of the payload, then
   compute different candidate ICVs by varying the value of Seqh.)
   Successful authentication of a packet via this procedure resets the
   consecutive failure count and sets the value of T to that of the
   received packet.

   This solution requires support only on the part of the receiver,
   thereby allowing for backward compatibility.  Also, because re-
   synchronization efforts would either occur in the background or
   utilize an additional processor, this solution does not impact
   traffic processing and a denial of service attack cannot divert
   resources away from traffic processing.

Author's Address

   Stephen Kent
   BBN Technologies
   10 Moulton Street
   Cambridge, MA  02138
   USA

   Phone: +1 (617) 873-3988
   EMail: [email protected]







Kent                        Standards Track                    [Page 33]


RFC 4302                IP Authentication Header           December 2005


Full Copyright Statement

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   [email protected].

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.







Kent                        Standards Track                    [Page 34]