Authentication Header

Authentication Header (AH)—AH provides data authentication and antireplay services.
AH is IP protocol number 51, as assigned by the IANA. The primary function of AH is origin
authentication. AH does not provide any data encryption; it only authenticates the origin,
that is, it verifies that the data is from the sender. This functionality also prevents
session hijacking. AH does not work with Network Address Translation (NAT) because
the address translation occurs prior to the IPSec SA being established. NAT will change
the IP address in the original IP header, creating a mismatch with the AH and causing
the hash check to fail. Figure 11-4 shows how AH is inserted into the IPv4 packet.
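
The NAT failure described above can be reproduced in a few lines. The following Python sketch is an added example, not taken from the original text: it builds an AH-protected IPv4 packet, then shows that a TTL decrement still verifies while a NAT-style source address rewrite does not. It assumes HMAC-SHA1-96 as the integrity algorithm and the RFC 4302 rule that mutable IPv4 fields are zeroed before hashing; the key, addresses, SPI and payload are constructed sample values.

```python
import hashlib, hmac, socket, struct

AH_PROTO = 51   # IANA protocol number for AH
ICV_LEN = 12    # assumed integrity algorithm: HMAC-SHA1 truncated to 96 bits

def ipv4_header(src, dst, payload_len, ttl=64):
    # 20-byte IPv4 header, no options; checksum left 0 because AH ignores it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, AH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    # Zero what routers may change (TOS, flags/offset, TTL, checksum); addresses stay.
    b = bytearray(ip_hdr)
    b[1] = b[8] = 0
    b[6:8] = b"\x00\x00"
    b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_fixed(spi, seq, next_hdr=6):
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number.
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)

def compute_icv(key, ip_hdr, ah12, data):
    # ICV covers the IP header (mutable fields zeroed), AH with a zero ICV, and the payload.
    msg = zero_mutable(ip_hdr) + ah12 + bytes(ICV_LEN) + data
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]

def build_packet(key, src, dst, spi, seq, data):
    ip = ipv4_header(src, dst, 12 + ICV_LEN + len(data))
    ah12 = ah_fixed(spi, seq)
    return ip + ah12 + compute_icv(key, ip, ah12, data) + data

def verify_packet(key, pkt):
    ip, ah12, icv, data = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip, ah12, data))

def nat_rewrite_source(pkt, new_src):
    # What NAT does to the outer header: replace the source address (bytes 12-15).
    return pkt[:12] + socket.inet_aton(new_src) + pkt[16:]

def router_hop(pkt):
    # What an ordinary router does: decrement TTL (byte 8).
    return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample key
    pkt = build_packet(key, "10.0.0.5", "198.51.100.7", 0x1000, 1, b"constructed payload")
    # Verification result as sent, after a TTL hop, and after a NAT source rewrite.
    for p in (pkt, router_hop(pkt), nat_rewrite_source(pkt, "203.0.113.9")):
        print(verify_packet(key, p))
```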