Why not authenticate the whole packet in ESP mode?

Started by blueberry123, September 03, 2022, 10:42:22 PM


blueberry123



In AH:

a) Transport Mode:
Entire packet Authenticated

b) Tunnel Mode:
Entire packet authenticated

https://imgur.com/a/yfnyRxn


In ESP:

1) Transport Mode:
Only ESPH-ESPT authenticated
Original IP Header not authenticated.

2) Tunnel Mode:
Only ESPH-ESPT authenticated
New IP Header not authenticated.

https://imgur.com/a/TawV5KA


Why is this difference found in them? Is there a reason behind them? Why not authenticate all of the packet? What problem would it create?

And why is there no such thing called AH auth but there's ESP Auth? Shouldn't AH Auth data also be in the figure shown above?

Also, is there a reason why the modes are named "Tunnel" and "Transport"?

Source: https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security


deanwebb

Found a good summary of the differences: https://www.ibm.com/docs/en/zos/2.3.0?topic=ipsec-ah-esp-protocols

AH auth would be redundant: Authentication Header auth. Rather, AH is auth, nothing more. ESP can provide richer functions, but you may want to use AH and ESP together to have the functions ESP brings enclosed in the full auth we get with AH.
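The question above is really about which bytes each ICV is computed over, and the practical consequence is easiest to see by building the packets. The following is an added example written for this page, not code from the thread or from the linked sources. It builds a toy IPv4 + ESP datagram and a toy IPv4 + AH datagram (field layouts follow RFC 4303 and RFC 4302, but with no replay window, no real IP stack, and ESP using NULL encryption so the payload stays readable), computes the integrity check with HMAC-SHA-256-128 (RFC 4868) over exactly the bytes each protocol covers, and then simulates two things that happen to the outer IP header in transit: an ordinary router hop (TTL decrement) and a NAT rewriting the source address. The key, addresses, SPIs and payload are made up for the demo. ESP's ICV starts at the ESP header and stops at the ESP trailer, so the outer header can change freely; AH's ICV includes the IP header with only the mutable fields (DSCP/ECN, flags, fragment offset, TTL, checksum) zeroed, so a router hop survives but a NAT breaks it. That is the concrete reason ESP can be carried across NAT (with UDP encapsulation, RFC 3948) while AH cannot.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo values: a real SA gets its key and SPIs from IKE.
KEY = bytes(range(32))
ICV_LEN = 16                      # HMAC-SHA-256 output truncated to 128 bits (RFC 4868)
PROTO_ESP, PROTO_AH = 50, 51


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


# ---- ESP: ICV covers ESP header (SPI, seq), payload and ESP trailer only ----
def build_esp(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    pad_len = (-(len(payload) + 2)) % 4                   # pad so the trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + payload + trailer  # NULL encryption: payload sent as-is
    return body + mac(body)                                # the IP header in front is never hashed


def verify_esp(esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(mac(body), icv)


# ---- AH: ICV covers IP header (mutable fields zeroed), AH header (ICV zeroed) and payload ----
def zero_mutable(ip_hdr: bytes) -> bytes:
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP/ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)           # src/dst addresses stay in, so they are authenticated


def build_ah(ip_hdr: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    ah_words = (12 + ICV_LEN) // 4 - 2                    # "payload len" field: AH length in 32-bit words minus 2
    ah_hdr = struct.pack("!BBHII", next_header, ah_words, 0, spi, seq)
    icv = mac(zero_mutable(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload)
    return ah_hdr + icv + payload


def verify_ah(ip_hdr: bytes, ah: bytes) -> bool:
    ah_hdr, icv, payload = ah[:12], ah[12:12 + ICV_LEN], ah[12 + ICV_LEN:]
    return hmac.compare_digest(mac(zero_mutable(ip_hdr) + ah_hdr + bytes(ICV_LEN) + payload), icv)


# ---- What happens to the outer header in transit (toy models) ----
def forward_hop(ip_hdr: bytes) -> bytes:
    """A router decrements TTL and refreshes the checksum; nothing else changes."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """A NAT replaces the source address on top of the usual hop processing."""
    h = bytearray(forward_hop(ip_hdr))
    h[12:16] = ipaddress.ip_address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def esp_packet_valid(pkt: bytes) -> bool:   # pkt = 20-byte IPv4 header + ESP
    return verify_esp(pkt[20:])


def ah_packet_valid(pkt: bytes) -> bool:    # pkt = 20-byte IPv4 header + AH
    return verify_ah(pkt[:20], pkt[20:])


def demo() -> dict:
    inner = b"constructed inner IP packet (tunnel mode payload)"
    esp = build_esp(0x1000, 1, inner, next_header=4)                 # 4 = IP-in-IP (tunnel mode)
    esp_pkt = build_ipv4("10.0.0.1", "192.0.2.1", PROTO_ESP, len(esp)) + esp
    ah_outer = build_ipv4("10.0.0.1", "192.0.2.1", PROTO_AH, 12 + ICV_LEN + len(inner))
    ah_pkt = ah_outer + build_ah(ah_outer, 0x2000, 1, inner, next_header=4)

    def nat(pkt: bytes) -> bytes:
        return nat_rewrite_src(pkt[:20], "203.0.113.5") + pkt[20:]

    tampered = bytearray(esp_pkt)
    tampered[28] ^= 0x01                                             # flip one bit inside the ESP payload
    return {
        "esp_ok": esp_packet_valid(esp_pkt),
        "esp_after_nat": esp_packet_valid(nat(esp_pkt)),             # outer header not covered: still valid
        "esp_tampered": esp_packet_valid(bytes(tampered)),           # payload is covered: fails
        "ah_ok": ah_packet_valid(ah_pkt),
        "ah_after_hop": ah_packet_valid(forward_hop(ah_pkt[:20]) + ah_pkt[20:]),  # TTL is mutable: still valid
        "ah_after_nat": ah_packet_valid(nat(ah_pkt)),                # source address rewritten: fails
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note the asymmetry the run exposes: AH deliberately tolerates the fields every hop must change (TTL, checksum) but not the addresses, so a single NAT on the path fails every AH packet; ESP never looks at the outer header at all, which is also why a forged or altered outer source address is not detected by ESP's ICV and has to be handled by the receiver's SA lookup and policy instead.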