In IPsec ESP transport mode, the authentication process protects most of the ESP packet except the outer IP header and the authentication data field itself. Specifically, the authentication calculation covers the ESP header, the encrypted payload (such as the TCP header and application data), and the ESP trailer. The IP header is not included, because it may change during packet transmission, and the ESP authentication data field is also excluded because it stores the result of the authentication calculation.
Looking at the packet structure in the figure, the order is: IP Header → ESP Header → TCP Header → Data → ESP Tail → ESP Auth Data. The correct authentication range therefore begins at the ESP header and ends at the ESP tail, but it does not include the IP header or the ESP authentication data.
In the diagram, option 3 represents the range starting from the ESP header and ending at the ESP tail, which matches the actual authentication coverage of ESP in transport mode. Therefore, the correct answer is 3.
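The coverage described above can be checked in code. This is an added example, not part of the original explanation: it computes the ESP authentication data over the ESP header through the ESP tail and shows which modifications a receiver detects. It assumes HMAC-SHA-256 truncated to 128 bits as the integrity algorithm, a constructed 20-byte IPv4 header, and stand-in bytes in place of the encrypted TCP header, data and ESP tail; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16      # assumed: HMAC-SHA-256 output truncated to 128 bits
IP_HDR_LEN = 20   # IPv4 header without options


def compute_icv(key, covered):
    """ICV over the authenticated range only (ESP header .. ESP tail)."""
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_esp_packet(ip_header, spi, seq, ciphertext, key):
    """IP header + ESP header + encrypted (TCP header, data, ESP tail) + ICV."""
    esp_header = struct.pack("!II", spi, seq)   # SPI and sequence number
    covered = esp_header + ciphertext           # IP header is NOT an input
    return ip_header + covered + compute_icv(key, covered)


def verify_esp_packet(packet, key):
    """Receiver side: recompute over the same range and compare to the ICV field."""
    covered = packet[IP_HDR_LEN:-ICV_LEN]       # skip IP header, stop before ICV
    return hmac.compare_digest(packet[-ICV_LEN:], compute_icv(key, covered))


def flip_byte(packet, offset):
    """Copy of the packet with one byte changed, as if modified in transit."""
    altered = bytearray(packet)
    altered[offset] ^= 0x01
    return bytes(altered)


# Constructed sample values, not taken from a real capture.
KEY = b"k" * 32
IP_HEADER = bytes.fromhex("4500005400004000403200 00c0a80001c0a80002".replace(" ", ""))
CIPHERTEXT = bytes(range(32))   # stand-in for encrypted TCP header + data + ESP tail
PACKET = build_esp_packet(IP_HEADER, 0x1000, 1, CIPHERTEXT, KEY)


def tamper_results():
    """Map each modified region to whether verification still succeeds."""
    last_tail_byte = len(PACKET) - ICV_LEN - 1
    return {
        "ip_header_ttl": verify_esp_packet(flip_byte(PACKET, 8), KEY),
        "esp_header_spi": verify_esp_packet(flip_byte(PACKET, IP_HDR_LEN), KEY),
        "payload": verify_esp_packet(flip_byte(PACKET, IP_HDR_LEN + 12), KEY),
        "esp_tail": verify_esp_packet(flip_byte(PACKET, last_tail_byte), KEY),
    }
```

A change to the IP header (here the TTL byte) leaves verification intact, while a change anywhere from the ESP header to the ESP tail is rejected.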