IP Security Overview
41 Questions

Questions and Answers

What type of Security Association is used as the inner SA in a transport adjacency configuration?

  • ISAKMP SA
  • AH SA
  • ESP SA (correct)
  • IKE SA

In case 1, security is provided only between gateways and does not involve end systems implementing IPsec.

    False

What is the primary disadvantage of the Diffie–Hellman key exchange algorithm?

    It is subject to a man-in-the-middle attack.

In automated key management, IKE key determination relies on the __________ key exchange algorithm.

    Diffie–Hellman

Match the following cases of security associations with their descriptions:

    Case 1 = Security is provided between end systems implementing IPsec
    Case 2 = Security provided only between gateways
    Case 3 = End-to-end security with gateways engaged
    Case 4 = Remote host accessing a server behind a firewall

What are the three functional areas encompassed by IP-level security?

    Authentication, Confidentiality, Key Management

IPsec processing is transparent to workstations and servers on a local area network.

    True

What does the encapsulating security payload (ESP) provide in IP Security?

    Confidentiality and integrity for the packet.

The source of the packet is verified through __________ in IP-level security.

    authentication

Match the following components of IPsec with their functions:

    Authentication = Ensures source integrity
    Confidentiality = Protects data from unauthorized access
    Tunneling = Encapsulates packets for secure transmission
    Key Management = Handles cryptographic keys

What role does IPsec play in routing applications?

    Provides secure communication for routing architecture

IPsec processing can only be utilized with IPv6 networks.

    False

Which field indicates the next higher level protocol in the TCP/IP stack?

    Protocol Field

The Integrity Check Value (ICV) field is protected by encryption.

    False

What integer value represents the ESP header in IPSec with IPv4?

    50

The _______ field is designed to thwart replay attacks.

    Sequence Number

Match the following ESP services with their descriptions:

    Confidentiality = Ensures that data is kept secret
    Data origin authentication = Verifies the source of the data
    Connectionless integrity = Checks the integrity of the received data
    Anti-replay service = Protects against replay attacks

Which of the following is a purpose of the padding field in ESP?

    To expand plaintext to a required length

IPv6 can use an arbitrary number of headers for a packet.

    True

What is the role of the Initialization Vector (IV) in ESP?

    Usually not encrypted

What is the default size of the window W for out-of-order delivery?

    64

The _______ field must be initialized to 0 when a new Security Association (SA) is established.

    sequence number

Which protocol is represented by the integer 51?

    AH

The sender is allowed to cycle the sequence number back to zero once the limit is reached.

    False

What does ESP stand for in the context of transport mode?

    Encapsulating Security Payload

The __________ mode is used to counter traffic analysis by encrypting the packet and prefixing it with an ESP header.

    Tunnel

Match the following to their correct description:

    ESP = Encrypts and authenticates data packets
    Transport Mode = Secures connections between hosts
    Tunnel Mode = Encapsulates packets with a new IP header
    Sequence Number = Increments with each packet sent

Which of the following protocols is used primarily for authentication in IPsec?

    Authentication Header (AH)

What is a key benefit of using tunnel mode in network security?

    Prevention of traffic analysis

The Security Policy Database (SPD) defines the parameters associated with each Security Association (SA).

    False

Each intermediate router needs to examine and process the ciphertext in transport mode ESP.

    False

What term refers to a sequence of security associations for processing traffic?

    Security association bundle

What are the two modes of use supported by both AH and ESP protocols?

    Transport mode and tunnel mode

A Security Association (SA) is uniquely identified by three parameters: Security Parameters Index (SPI), IP Destination Address, and _____

    Security Protocol Identifier

When the sequence number reaches (2^32 – 1), the sender must terminate the current SA and negotiate a new __________.

    SA with a new key

In which mode does the block of data consisting of the ESP trailer plus the entire transport-layer segment get encrypted?

    Transport Mode

Match the following IPsec components with their descriptions:

    AH = Provides authentication services for IP packets
    ESP = Provides encryption services for IP packets
    SAD = Holds parameters for each Security Association
    SPD = Defines traffic subsets and maps them to Security Associations

What is the primary purpose of the Security Association Database (SAD)?

    To hold parameters for each Security Association

IPsec only provides authentication and does not support encryption.

    False

What is the significance of the Anti-Replay Window in the Security Association Database (SAD)?

    It prevents replay attacks by tracking and limiting the use of previously sent packets.

The Security Policy Database (SPD) uses _____ to filter outgoing traffic and map it to a particular Security Association.

    selectors

    Study Notes

    IP Security Lecture Notes

    • IP security protects network communication at the IP layer, below the application.
    • Application-specific security mechanisms exist, but IP-level security ensures secure networking for all applications.
    • Authentication, confidentiality, and key management are core components of IP-level security.
    • IP-level authentication ensures data packets are unaltered in transit and their origin is correct.
    • IPsec security can be incorporated into networking devices like routers or firewalls, enabling secure communication between LANs.
    • IPsec VPNs facilitate secure transmission between individual users and the internet.
    • Security policies are determined by interactions between two databases: the security association database (SAD) and the security policy database (SPD).

    Security Association (SA)

    • An SA is a one-way logical connection between sender and receiver providing security services.
    • Identified by three parameters: Security Parameters Index (SPI), IP Destination Address, and Security Protocol Identifier (AH or ESP).

    SA Database (SAD)

    • Stores parameters associated with each SA.
    • Parameters include SPI, Sequence Number Counter, Sequence Counter Overflow, Anti-Replay Window, AH and ESP information, Lifetime, IPsec Protocol Mode, and Path MTU.

    Security Policy Database (SPD)

    • Contains entries defining subsets of IP traffic with associated SAs.
    • SPD entries are determined by selectors including remote IP address, local IP address, next layer protocol, name, and local and remote ports.

    Encapsulating Security Payload (ESP)

    • ESP provides confidentiality by encrypting the payload, and optionally provides authentication as well.
    • The Initialization Vector (IV) is typically not encrypted; the Integrity Check Value (ICV) is a separate field, computed over the packet after encryption, and is itself not encrypted.
    • Padding expands the plaintext to the length the cipher and trailer alignment require.
    • Padding is also what gives ESP its limited traffic-flow confidentiality, since it conceals the true payload length.

    Authentication and Authentication Approaches

    • Authentication using digital signatures ensures data authenticity: a hash of the exchanged parameters is signed with the sender's private key.
    • Employing public-key encryption allows the parameters and IDs to be transmitted securely.
    • A security association bundle (SAB) is a sequence of SAs through which traffic is processed to obtain the desired IPsec services.
    • ESP with authentication option: the user applies ESP to the data, then adds the authentication data.
    • Transport adjacency bundles an ESP SA with an AH SA; the AH authentication also covers the IP addresses.
    • Transport-tunnel bundle combines a transport SA with an ESP tunnel SA, so that authentication is applied before encryption.

    Internet Key Exchange (IKE)

    • IKE is a protocol that automates key management.
    • Key management involves exchanging keys for secure communication between two applications (transmit and receive pairs for integrity and confidentiality).
    • IKEv2 includes advanced features to prevent replay and clogging attacks.
    • IKE key determination is based on Diffie–Hellman and its global public parameters (a prime number and a primitive root of that prime).

    Cryptographic Suites

    • RFCs define suites of cryptographic algorithms and parameters to promote interoperability.
    • VPN-A and VPN-B suites are commonly used for establishing Virtual Private Networks (VPNs).
    • RFC 6379 expands on the cryptographic suite options, offering different protection levels based on algorithm strengths.

    IKEv2 Exchanges & Messages

    • IKEv2 uses message exchanges in pairs for initial communication (identifying algorithms, nonces, and Diffie-Hellman parameters).
    • The first exchange establishes an IKE SA.
    • A second exchange authenticates parties to create an IPsec SA.
    • IKE messages include a header and payloads, and the payloads are hierarchical with multiple protocols and transforms.

    Assignment

    • List the features of IPsec algorithms from the assigned slides.
    • Describe the configuration of one of the 4 cases from slide 30 using the Juniper IPsec VPN User Guide.


    Description

    Explore the essential components and mechanisms of IP security. This quiz covers topics such as authentication, confidentiality, key management, and the workings of IPsec. Assess your understanding of how IP security protects network communication across various applications.
