The following table compares the protections that are provided by AH and ESP.

| Protocol | Packet Coverage | Protection | Against Attacks |
|----------|-----------------|------------|-----------------|
| AH | Protects packet from the IP header to the transport header | Provides strong integrity, data authentication: ensures that the receiver receives exactly what the sender sent; is susceptible to replay attacks when an AH does not enable replay protection | Replay, cut-and-paste |
| ESP | Protects packet following the beginning of ESP in the datagram. | With encryption option, encrypts the IP datagram. Ensures confidentiality | Eavesdropping |
| | | With authentication option, provides the same protection as AH | |
| | | With both options, provides strong integrity, data authentication, and confidentiality | Replay, cut-and-paste, eavesdropping |
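
The Packet Coverage column, modeled as an added example that is not part of the original page: it shows which in-transit modifications each protocol's integrity check notices. A truncated HMAC-SHA-256 stands in for the integrity check, ESP is shown with its authentication option only, and the key, SPI, sequence number, addresses and payload are constructed values.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample key
SPI, SEQ = 0x1000, 1            # constructed SA values

def ipv4_header(src, dst, ttl=64, proto=51, length=60):
    """Minimal 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))

def zero_mutable(hdr):
    """AH skips fields routers may rewrite: TOS, flags/offset, TTL, checksum."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def icv(data):
    """Integrity check value: HMAC-SHA-256 truncated to 128 bits (assumption)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ah_icv(ip_hdr, payload):
    # AH coverage: IP header (immutable fields) + AH fields + transport data
    return icv(zero_mutable(ip_hdr) + struct.pack("!II", SPI, SEQ) + payload)

def esp_icv(ip_hdr, payload):
    # ESP coverage starts at the ESP header; the outer IP header is ignored
    return icv(struct.pack("!II", SPI, SEQ) + payload)

def coverage_report():
    """Return {modification: (ah_detects, esp_detects)}."""
    src, dst = [192, 0, 2, 1], [198, 51, 100, 7]   # documentation addresses
    payload = b"constructed transport segment"
    sent = ipv4_header(src, dst)
    ah_ref, esp_ref = ah_icv(sent, payload), esp_icv(sent, payload)
    cases = {
        "source address rewritten": (ipv4_header([192, 0, 2, 99], dst), payload),
        "TTL decremented in transit": (ipv4_header(src, dst, ttl=63), payload),
        "payload altered": (sent, payload.replace(b"segment", b"sEgment")),
    }
    return {name: (not hmac.compare_digest(ah_icv(h, p), ah_ref),
                   not hmac.compare_digest(esp_icv(h, p), esp_ref))
            for name, (h, p) in cases.items()}

if __name__ == "__main__":
    for name, (ah, esp) in coverage_report().items():
        print(f"{name:28} AH detects: {ah!s:5}  ESP auth detects: {esp}")
```

Only AH flags the rewritten source address, because the outer IP header lies outside ESP's coverage; neither flags the TTL change, since AH excludes fields that legitimately change in transit.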