28 Questions
What is the purpose of the SPI (Security Parameter Index) in IPsec?
To identify a particular SA for any connected device
What is the function of the SPD (Security Policy Database)?
To relate IP traffic to specific SAs
What is the purpose of the ESP (Encapsulating Security Payload) protocol?
To encrypt the payload data
What is the advantage of using ISAKMP/Oakley protocol?
It provides automated key management
What is the function of the ICV (Integrity Check Value) field in ESP?
To provide integrity
What is the purpose of the AH (Authentication Header) protocol?
To authenticate the packet
What is the difference between transport and tunnel mode ESP?
Transport mode encrypts the payload, while tunnel mode encrypts the entire packet
What is the purpose of the IKE (Internet Key Exchange) protocol?
To exchange and manage cryptographic keys
What is the function of the Diffie-Hellman algorithm in IKE?
To exchange cryptographic keys
What is the feature of IKE key determination that prevents DoS attacks?
Use of cookies to thwart DoS attacks
What is the main purpose of Virtual Private Networks?
To provide a cost-effective, secure, and highly scalable means of connecting remote sites
What is the term for establishing a virtual connection between two endpoints?
Tunneling
What is the purpose of access control in VPNs?
To deny unauthorized user access to the corporate network
What is the method of verifying sender identity to prevent spoofing or other attacks?
Data origin authentication
What is the purpose of the Diffie-Hellman key exchange?
To negotiate a group and specify global parameters
What is the purpose of nonces in the Diffie-Hellman key exchange?
To ensure against replay attacks
What is the purpose of IPsec in VPNs?
To ensure data confidentiality and prevent eavesdropping
What is the term for the protocol that enables the exchange of Diffie-Hellman public key values?
ISAKMP
What is a critical aspect of IPsec security?
Proper key management
What does IPsec employ for authentication?
Digital signature authentication
What is the primary purpose of IPsec in routing architecture?
To assure authorized routing updates
What is the collection of documents describing the key management schemes for use with IPsec?
Internet Key Exchange (IKE)
What is the main specification for Internet Key Exchange (IKE)?
RFC 5996
What is the purpose of IP Encapsulating Security Payload (ESP)?
To encapsulate and encrypt data
What is the primary function of IPsec in internetworking?
To play a vital role in the routing architecture
What is the category of documents that define and describe cryptographic algorithms for encryption and message authentication?
Cryptographic Algorithms
What is the IPsec service that provides for the integrity of a single connectionless data block?
Connectionless integrity
What is the primary purpose of IPsec in providing security services?
To enable a system to select required security protocols
Study Notes
Security Associations (SAs)
- Defined by a triple: Security Parameter Index (SPI), IP Destination Address, and Security Protocol Identifier
- SPI: 32-bit value that uniquely identifies a particular SA for a connected device
- IP Destination Address: address of the device for which the SA is established
- Security Protocol Identifier: specifies whether the SA is for AH or ESP
Security Policy Database (SPD)
- Relates IP traffic to specific SAs
- Contains entries, each defining a subset of IP traffic and pointing to an SA for that traffic
- In complex environments, multiple entries may relate to a single SA or multiple SAs associated with a single SPD entry
- Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors
Selectors
- Determine an SPD entry
- Include:
- Local and remote IP addresses
- Next layer protocol (e.g., TCP or UDP)
- Port values (or wildcard/mask)
Encapsulating Security Payload (ESP)
- Used to encrypt Payload Data, Padding, Pad Length, and Next Header fields
- May include an optional Integrity Check Value (ICV) field for integrity service
- ICV is computed after encryption to facilitate reducing the impact of DoS attacks
Combining Security Associations
- An individual SA can implement either AH or ESP, but not both
- Security association bundles: sequences of SAs that provide a desired set of IPsec services
- Can be combined using transport adjacency (applying multiple security protocols to the same IP packet) or iterated tunneling (applying multiple layers of security protocols through IP tunneling)
ESP with Authentication Option
- Applies ESP to the data to be protected, then appends the authentication data field
- Can be used in transport mode (authentication applies to IP payload) or tunnel mode (authentication applies to entire IP packet)
Internet Key Exchange (IKE)
- Default automated key management protocol of IPsec
- Consists of Oakley Key Determination Protocol (key exchange protocol based on Diffie-Hellman algorithm) and Internet Security Association and Key Management Protocol (ISAKMP) for key management and negotiation of security attributes
IPsec Services
- Provides security services at the IP layer, enabling systems to:
- Select required security protocols
- Determine algorithms for services
- Put in place cryptographic keys required for services
This quiz covers the components of a Security Association (SA) in computer networks, including SPI, IP Destination Address, and Security Protocol Identifier.
Make Your Own Quizzes and Flashcards
Convert your notes into interactive study material.
Get started for free