Why does IPSec in transport mode not guarantee integrity? Wikipedia says: > Unlike Authentication Header (AH), ESP in transport mode does not provide integrity and authentication for the entire IP packet. I don't un...--prophetes.ai

Why does IPSec in transport mode not guarantee integrity? Wikipedia says: > Unlike Authentication Header (AH), ESP in transport mode does not provide integrity and authentication for the entire IP packet. I don't understand why this would be true. What is the `Integrity Check Value` of ESP used for in transport mode if it isn't used for guaranteeing integrity?

AH adds a cryptographic signature to each packet, which ensures nothing has modified it and it came from the correct source. AH is, obviously, not compatible with NAT.

ESP's ICV is just a checksum to ensure the packet hasn't been damaged. It does not ensure the packet has not been altered, or authenticate who sent it.