Why not authenticate the whole packet in ESP mode?

shivajikobardanshivajikobardan Member Posts: 20 ■■□□□□□□□□
In AH:

a) Transport Mode:

Entire packet Authenticated

b) Tunnel Mode:

Entire packet authenticated


1) Transport Mode:

Only ESPH-ESPT  authenticated

Original IP Header not authenticated.

2) Tunnel Mode:

Only ESPH-ESPT  authenticated

New IP Header not authenticated.

Why is this difference found in them? Is there a reason behind them? Why not authenticate all of the packet? What problem would it create?

And why is there no such thing called AH auth but there's ESP Auth? Shouldn't AH Auth data also be in the figure shown above?

Also, Is there a reason why the modes are named "Tunnel" And "Transport"?



Sign In or Register to comment.