Why not authenticate the whole packet in ESP mode?

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

In AH:


a) Transport Mode:

Entire packet Authenticated


b) Tunnel Mode:

Entire packet authenticated






In ESP:


1) Transport Mode:

Only ESPH-ESPT authenticated

Original IP Header not authenticated.


2) Tunnel Mode:

Only ESPH-ESPT authenticated

New IP Header not authenticated.







Why is this difference found in them? Is there a reason behind them? Why not authenticate all of the packet? What problem would it create?

And why is there no such thing called AH auth but there's ESP Auth? Shouldn't AH Auth data also be in the figure shown above?


Also, Is there a reason why the modes are named "Tunnel" And "Transport"?


Source:https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

https://www.twingate.com/blog/ipsec-tunnel-mode/

Tunnel protects the routing metadata and doesnt require a pre-existing session.