Security Association (SA) Components

Questions and Answers

What is the purpose of the SPI (Security Parameter Index) in IPsec?

To encrypt the payload data

To authenticate the source of the packet

To identify a particular SA for any connected device (correct)

To fragment the IP packet

What is the function of the SPD (Security Policy Database)?

To authenticate the packet

To relate IP traffic to specific SAs (correct)

To decrypt the payload data

To encrypt the IP header

What is the purpose of the ESP (Encapsulating Security Payload) protocol?

To fragment the IP packet

To encrypt the payload data (correct)

To authenticate the packet

To decrypt the IP header

What is the advantage of using ISAKMP/Oakley protocol?

It provides automated key management

What is the function of the ICV (Integrity Check Value) field in ESP?

To provide integrity

What is the purpose of the AH (Authentication Header) protocol?

To authenticate the packet

What is the difference between transport and tunnel mode ESP?

Transport mode encrypts the payload, while tunnel mode encrypts the entire packet

What is the purpose of the IKE (Internet Key Exchange) protocol?

To exchange and manage cryptographic keys

What is the function of the Diffie-Hellman algorithm in IKE?

To exchange cryptographic keys

What is the feature of IKE key determination that prevents DoS attacks?

Use of cookies to thwart DoS attacks

What is the main purpose of Virtual Private Networks?

To provide a cost-effective, secure, and highly scalable means of connecting remote sites

What is the term for establishing a virtual connection between two endpoints?

Tunneling

What is the purpose of access control in VPNs?

To deny unauthorized user access to the corporate network

What is the method of verifying sender identity to prevent spoofing or other attacks?

Data origin authentication

What is the purpose of the Diffie-Hellman key exchange?

To negotiate a group and specify global parameters

What is the purpose of nonces in the Diffie-Hellman key exchange?

To ensure against replay attacks

What is the purpose of IPsec in VPNs?

To ensure data confidentiality and prevent eavesdropping

What is the term for the protocol that enables the exchange of Diffie-Hellman public key values?

ISAKMP

What is a critical aspect of IPsec security?

Proper key management

What does IPsec employ for authentication?

Digital signature authentication

What is the primary purpose of IPsec in routing architecture?

To assure authorized routing updates

What is the collection of documents describing the key management schemes for use with IPsec?

Internet Key Exchange (IKE)

What is the main specification for Internet Key Exchange (IKE)?

RFC 5996

What is the purpose of IP Encapsulating Security Payload (ESP)?

To encapsulate and encrypt data

What is the primary function of IPsec in internetworking?

To play a vital role in the routing architecture

What is the category of documents that define and describe cryptographic algorithms for encryption and message authentication?

Cryptographic Algorithms

What is the IPsec service that provides for the integrity of a single connectionless data block?

Connectionless integrity

What is the primary purpose of IPsec in providing security services?

To enable a system to select required security protocols

Study Notes

Security Associations (SAs)

• Defined by a triple: Security Parameter Index (SPI), IP Destination Address, and Security Protocol Identifier
• SPI: 32-bit value that uniquely identifies a particular SA for a connected device
• IP Destination Address: address of the device for which the SA is established
• Security Protocol Identifier: specifies whether the SA is for AH or ESP

Security Policy Database (SPD)

• Relates IP traffic to specific SAs
• Contains entries, each defining a subset of IP traffic and pointing to an SA for that traffic
• In complex environments, multiple entries may relate to a single SA or multiple SAs associated with a single SPD entry
• Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors

Selectors

• Determine an SPD entry
• Include:
  • Local and remote IP addresses
  • Next layer protocol (e.g., TCP or UDP)
  • Port values (or wildcard/mask)

Encapsulating Security Payload (ESP)

• Used to encrypt Payload Data, Padding, Pad Length, and Next Header fields
• May include an optional Integrity Check Value (ICV) field for integrity service
• ICV is computed after encryption to facilitate reducing the impact of DoS attacks

Combining Security Associations

• An individual SA can implement either AH or ESP, but not both
• Security association bundles: sequences of SAs that provide a desired set of IPsec services
  • Can be combined using transport adjacency (applying multiple security protocols to the same IP packet) or iterated tunneling (applying multiple layers of security protocols through IP tunneling)

ESP with Authentication Option

• Applies ESP to the data to be protected, then appends the authentication data field
• Can be used in transport mode (authentication applies to IP payload) or tunnel mode (authentication applies to entire IP packet)

Internet Key Exchange (IKE)

• Default automated key management protocol of IPsec
• Consists of Oakley Key Determination Protocol (key exchange protocol based on Diffie-Hellman algorithm) and Internet Security Association and Key Management Protocol (ISAKMP) for key management and negotiation of security attributes

IPsec Services

• Provides security services at the IP layer, enabling systems to:
  • Select required security protocols
  • Determine algorithms for services
  • Put in place cryptographic keys required for services

Description

This quiz covers the components of a Security Association (SA) in computer networks, including SPI, IP Destination Address, and Security Protocol Identifier.