Why not authenticate the whole packet in ESP mode?

Started by blueberry123, September 03, 2022, 10:42:22 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

blueberry123

September 03, 2022, 10:42:22 PM


In AH:

a) Transport Mode:
Entire packet Authenticated

b) Tunnel Mode:
Entire packet authenticated

https://imgur.com/a/yfnyRxn


In ESP:

1) Transport Mode:
Only ESPH-ESPT  authenticated
Original IP Header not authenticated.

2) Tunnel Mode:
Only ESPH-ESPT  authenticated
New IP Header not authenticated.

https://imgur.com/a/TawV5KA


Why is this difference found in them? Is there a reason behind them? Why not authenticate all of the packet? What problem would it create?

And why is there no such thing called AH auth but there's ESP Auth? Shouldn't AH Auth data also be in the figure shown above?

Also, Is there a reason why the modes are named "Tunnel" And "Transport"?

Source:https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security

deanwebb

#1
September 04, 2022, 02:30:54 PM
Found a good summary of the differences: https://www.ibm.com/docs/en/zos/2.3.0?topic=ipsec-ah-esp-protocols

AH auth would be redundant: Authentication Header auth. Rather, AH is auth, nothing more. ESP can provide richer functions, but you may want to use AH and ESP together to have the functions ESP brings enclosed in the full auth we get with AH.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
Print
Go Up Pages1
User actions