PrepAway - Latest Free Exam Questions & Answers

Which of the following statements pertaining to IPSec is NOT true?

A. A security association has to be defined between two IPSec systems in order for bi-directional communication to be established.

B. Integrity and authentication for IP datagrams are provided by AH.

C. ESP provides for integrity, authentication and encryption to IP datagrams.

D. In transport mode, ESP only encrypts the data payload of each packet.

Explanation:
One security association (SA) is not enough to establish bi-directional communication. Each device will have at least one security association (SA) for each secure connection it uses, so two security associations would be required.

Incorrect Answers:
B: AH provides authentication and integrity for the IP datagrams.
C: ESP provides authentication, integrity, and encryption for the IP datagrams.
D: In IPSec transport mode the payload, but not the routing and header information, of the message is protected.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 862

