No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


NE40E V800R010C10SPC500 Feature Description - Security 01

This is NE40E V800R010C10SPC500 Feature Description - Security
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Security Protocol

Security Protocol

IPsec encapsulates or decapsulates IP packets using Authentication Header (AH) and Encapsulating Security Payload (ESP).

  • AH is mainly used to authenticate data source, verify data integrity, and prevent packet replay. It does not support encryption.

  • ESP is mainly used to encrypt data, authenticate data origin, verify data integrity, and prevent packet replay.

Although both the AH and ESP protocols provide data origin authentication and data integrity verification, ESP cannot replace AH. The difference between the two protocols lies in the check range. For details, see Encapsulation Mode.

Table 13-1 shows the comparison between AH and ESP.

Table 13-1 Comparison between AH and ESP

Security Feature



IP protocol ID



Data integrity verification

Supported (checking the whole IP packet)

Supported (not checking the IP header)

Data origin authentication



Data encryption

Not supported





IPSec NAT traversal

Not supported


Both protocols have advantages and disadvantages. AH does not provide the data encryption function, and the verification scope of ESP does not include IP headers. The security of ESP is lower than that of AH. Therefore, in scenarios with high security requirements, AH and ESP can be used together. When AH and ESP are used together, ESP is used prior to AH because of the following reason: AH authenticates the entire IP packet. The ESP header and tail change the length of the IP packet, and the filling fields of ESP also change the length of the IP packet. If AH is used prior to ESP, AH authentication fails.

Updated: 2019-01-03

Document ID: EDOC1100055047

Views: 12627

Downloads: 29

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next