Chap 16 - Overlay Tunnels Flashcards
What is an Overlay network?
A logical or virtual network built over a physical transport network.
What is the physical network called.
An underlay network.
What are Overlay Networks for?
They are used to overcome shortcomings of traditional networks by enabling network virtualization, segmentation, and security to make traditional networks more manageable, flexible, secure (by means of encryption), and scalable.
What are 5 examples of Overlay Networks?
- GRE Tunnels
- IPSec
- Location ID/Separation Protocol (LISP)
- Virtual Extensible LAN (VXLAN)
- Multiprotocol Label Switching (MPLS)
What is the most common VPN encryption suite?
IPSec
Can an Overlay Tunnel be built over another overlay tunnel?
Yes, MPLS over GRE over IPSEC
What are 4 examples of next generation overlay fabric networks?
- Software Defined WAN (SD-WAN)
- Software Defined Access (SD-Access)
- Application Centric Infrastructure (ACI)
- Cisco Virtual Topology System (VTS)
What routing problem can cause a GRE tunnel not to come up?
Having no route to the tunnel destination.
For a GRE tunnel why use keepalives?
To ensure that bidirectional communication exists, otherwise you have to depend on the routing protocol timers to detect a dead remote endpoint.
For a GRE tunnel why specify the MTU, and what should it be?
- GRE will add a 24 byte header to each packet.
- It should be no greater than 1476 bytes
What size tunnel header will be added with DES/3DES IPSec (transport mode)?
18-25 bytes
What size tunnel header will be added with DES/3DES IPSec (tunnel mode)?
38-45 bytes
What size tunnel header will be added with GRE + DES/3DES?
42-49 bytes
What size tunnel header will be added with GRE + AES + SHA-1?
62-77 bytes
When running OSPF what kind of route will the tunnel route show up as?
Inter-area route
What is the default TTL for a GRE tunnel?
255
What is the Recursive Routing problem that can occur over a GRE tunnel?
- Internet-facing network gets added into IGP routing table
- Since Internet-facing route is more specific the routing protocol would try to use that route.
- It can’t because the public network isn’t reachable from inside the tunnel.
- Tunnel goes down
- Recovers when it sees less specific default route
- Once back up the routing protocol finds the more specific route again and tunnel bounces again.
How do you fix Recursive Routing over GRE?
Remove the Internet-facing route from the routing protocol.
What is IPSec?
It is a framework of open standards for creating highly secure VPNs using various protocols and technologies for secure communication across unsecure networks, such as the Internet.
What 4 services does IPSec provide?
- Peer authentication
- Data confidentiality
- Data integrity
- Replay detection
What 2 methods does IPSEC use to provide peer authentication?
- Pre-shared Key
- Digital certificates
What are 3 tools IPSEC uses to provide Data Confidentiality?
- Data Encryption Standard (DES)
- Triple DES (3DES)
- Advanced Encryption Standard (AES)
What 2 methods does IPSEC use to provide Data Integrity?
- HMAC function using MD5
- HMAC function Secure Hash Algorithm (SHA)
What methods does IPSEC use to provide Replay Detection?
- Marks every packet with a unique sequence number
- VPN device keeps track of sequence numbers
- Does not accept a packet with a sequence number it has already seen
What are the 2 different packet headers IPSEC uses to deliver IPSec services?
- Authentication Header (AH)
- Encapsulated Security Payload (ESP)
In IPSec what does the Authentication Header provide?
- Data integrity
- Authentication
- Replay protection
How does IPSec’s Authentication Header ensure the packet has not been modified, what does it not support and what is the IP protocol number?
- Creates a digital signature similar to a checksum to ensure the packet has not been modified
- Does not support Encryption or NAT Traversal (NAT-T) so it is NOT recommended
- Uses IP protocol 51
What 4 things does Encapsulated Security Payload (ESP) provide?
- Data confidentiality
- Data integrity
- Authentication
- Replay protection
How does ESP provide data confidentiality, what does it add, what protocol number and what else does it support?
- Encrypts the payload (original packet)
- Adds a new set of headers
- Uses IP protocol 50
- Does support encryption and NAT Traversal (NAT-T)
What 2 modes of packet transport does IPSec provide?
- Tunnel mode
- Transport mode
What 3 things does IPSec Tunnel Mode do?
- Encrypts the entire packet
- Adds new IPSec headers
- Performs the Overlay Function
What is the difference between IPsec tunnel mode vs. transport mode?
What does 2 things does tunnel mode do that transport mode does not?
- Tunnel mode encrypts the entire original packet, transport mode does not.
- Tunnel mode performs an overlay function, transport mode does not.
What is Data Encryption Standard (DES)?
- A 56-bit symmetric data encryption algorithm that can encrypt the data sent over a VPN.
What is Triple DES (3DES) and how is it different from DES?
- data encryption algorithm
- Runs the DES algorithm three times with three different 56-bit keys
What is Advanced Encreption Standard (AES), what was it developed to replace, what 3 key lengths are supported and what algorithm is it based on?
- data encryption algorithm
- was developed to replace DES and 3DES
- AES supports key lengths of 128 bits, 192 bits, or 256 bits
- based on the Rijndael algorithm
What is Message Digest 5 (MD5)
How many bits?
What 2 things is it used for?
- One-way, 128-bit hash algorithm
- Used for data integrity and preventing MitM attacks
What is Secure Hash Algorithm (SHA) and what 3 things is it used for?
- One-way, 160-bit hash algorithm
- Used for data integrity, data authentication, and preventing MitM attacks
What is Diffie-Hellman (DH), what does it enable, and how CPU intensive is it?
- An asymmetric key exchange protocol
- Enables two peers to establish a shared secret key used by encryption algorithms such as AES
- The DH key exchange is very CPU intensive
What is a Diffie-Hellman Group?
What does the term Diffie-Hellman Group refer to?
What makes it more or less secure?
What does Cisco recommend?
- Refers to the length of the key (modulus size) to use for a DH key exchange
- The larger the modulus, the more secure it is
- Cisco recommends DH group 14 or higher
What does Diffie-Hellman (DH) generate?
To generate a shared secret symmetric key that is used by both VPN peers for symmetrical algorithms, such as AES
What are RSA Signatures?
A public-key (digital certificates) cryptographic system used to mutually authenticate the peers.
What is a Pre-shared Key (PSK)?
A security mechanism in which a locally configured key is used as a credential to mutually authenticate the peers.
What is a Transform Set and how is it used?
- A combination of security protocols and algorithms
- Peers agree on which transform set to use during SA negotiation
What are 5 Authentication Header transform sets?
- ah-md5-hmac
- ah-sha-hmac
- ah-sha256-hmac
- ah-sha384-hmac
- ah-sha512-hmac
What are the 12 ESP encryption transforms?
- esp-null
- esp-des
- esp-3des
- esp-aes
- esp-aes 192
- esp-aes 256
- esp-gcm
- esp-gmac
- esp-md4-hmac
- esp-sha-hmac
- esp-seal
- comp-lzs
How can you tell what authentication method the transform sets for Authentication Headers use?
- If it says MD5 that’s the authentication method it uses
- If it says just sha then sha is the authentication method
- If it has numbers in it (256, 384, 512) then it uses AES authentication
What is Internet Key Exchange (IKE)?
What does it perform to establish SAs?
What is it used for?
What key exchange technique does it use?
- It performs authentication between two endpoints to establish security associations (SA)
- It’s used to carry control plane and data plane traffic for Ipsec
- Implementation of ISAKMP using Oakley and Skeme key exchange technique
How many versions are there of IKE?
2
What is Internet Security Association Key Management Protocol (ISAKMP)
It is a framework for what 2 things?
What 3 things does it allow to happen?
What kind of traffic does it carry?
- Framework for authentication and key exchange between two peers to establish, modify, and tear down SAs
- Supports many kinds of key exchanges
- Carries control plane and data plane traffic for IPsec.
What is Oakley and Skeme?
What 3 things does Oakley provide?
What 3 things does Skeme provide?
- A key exchange technique used by IKE’s implementation of ISAKMP
- Oakley provides
- Perfect Forward Security (PFS) for keys
- identity protection
- authentication
- Skeme provides:
- anonymity
- repudiability
- quick key refreshment
What is IKE analogous to?
ISAKMP
In general, what happens in IKEv1 Phase 1?
What does it establish?
Once it is established what can happen next?
- Establishes a bidirectional SA between two IKE peers, known as an ISAKMP SA
- Because the SA is bidirectional, once it is established, either peer may initiate negotiations for phase 2
In general, what happens in IKEv1 Phase 2?
Establishes unidirectional IPsec SAs, leveraging the ISAKMP SA established in phase 1 for the negotiation
What are the 2 modes IKEv1 Phase 1 can be done in?
- Main mode
- Aggressive mode
What is the difference between IKEv1 Main mode and Aggressive mode?
- MM takes longer
- MM hides the identities of the two peers but AM doesn’t
- AM doesn’t offer same level of encryption security as MM
- MM is 6 msgs and AM is 3 msgs
- MM more flexible offering more security proposals
In IKEv1 Phase 1 what are the 5 parameters offered by the initiator?
- Hash (MD5 or SHA)
- Encryption (DES, 3DES, AES)
- Auth method (PSK or digital certs)
- Diffie Hellman Group ( group 1, 2, 5, etc)
- Lifetime (how long until tunnel is torn down, default is 24 hours)
What is the one parameter in IKEv1 Phase 1 that the initiator and responder don’t have to agree on?
Lifetime - if they offer different lifetimes they both agree on the shortest one)
In IKEv1 Phase 2 what mode is used?
Quick Mode
What is Perfect Forward Security (PFS)?
What phase is it used in?
What is required to use it?
What does it provide?
How does it work?
- Additional but optional function for Phase 2
- Additional DH key exchanges
- Creates greater resistance to crypto attacks
- Derives session keys independently of any previous key in case previous key had been compromised
In IKE v1 what are the total number of messages exchanged?
IKE phase 1 MM:
IKE phase 1 AM:
IKE phase 2 QM
Total phase 1 and 2 using MM:
Total phase 1 and 2 using AM:
IKEv2 initial exchange:
IKEv2 to bring up another IPsec SA:
- Phase 1 MM uses 6 msgs
- Phase 1 AM uses 3 msgs
- Phase 2 QM uses 3 msgs
- Total using MM uses 9 msgs
- Total using AM uses 6 msgs
- IKEv2 establishes both IKE SA and IPsec SA in 4 messages
- IKEv2 can bring up another IPsec SA with one request/response pair - 2 messages.
Is IKEv2 backward compatible with IKEv1?
No, they use completely different messages.
What 4 authentication methods are supported in IKEv2 and what is different about how IKEv2 authenticates vs how IKEv1 authenticates?
- Pre-shared Key
- Digital RSA Certificate (RSA-SIG)
- Elliptic Curve Digital Signature Certificate (ECDSA-SIG)
- Extensible Authentication Protocol (EAP)
- Both peers don’t have to use the same AUTH method
What authentication methods are supported in IKEv1?
What 2 authentication methods does IKEv1 use?
Regarding authentication what is the difference between IKEv1 and IKEv2?
- Pre-shared Key
- Digital RSA Certificate (RSA-SIG)
- Both peers must use the same authentication method
What 7 Next Generation Encryption methods does IKEv2 support?
- AES-GCM mode
- SHA-256
- SHA-384
- SHA-512
- HMAC-SHA-256
- Elliptic Curve Diffie-Hellman (ECDH) ECDH-384
- ECDSA-384
What attack protection does IKEv2 offer that IKEv1 does not?
Anti-DOS protection
What is Elliptic Curve Digital Signature Algorithm (ECDSA-SIG)?
What supports it?
What is it an alternative for?
- Supported in IKEv2
- A newer alternative to public keys that is more efficient.
What is a Site-to-Site IPSec VPN?
Why is it the most versatile?
When is it difficult to manage?
- Most versatile solution for site-to-site encryption because they allow for multivendor interoperability
- Difficult to manage in large networks
What is Cisco DMVPN?
What 3 things does it use to accomplish this?
- Simplifies configuration for hub-and-spoke and spoke-to-spoke VPNs
- Accomplishes this by combining
- multipoint GRE (mGRE) tunnels
- IPsec
- Next Hop Resolution Protocol (NHRP).
What is Cisco Group Encrypted Transport VPN (GET VPN)
- Specifically for enterprises to build any-to-any tunnel-less VPNs (where the original IP header is used) across service provider MPLS networks or private WANs
- Doesn’t affect multicast or QOS
- Encryption over private networks allows compliance with PCI or Hippa
What is Cisco FlexVPN
- Cisco’s implementation of the IKEv2 standard
- Unified VPN solution combining site-to-site, remote access, hub-and-spoke topologies and partial meshes (spoke-to-spoke direct)
- Compatible with legacy VPN implementations using crypto maps
What is Remote VPN Access?
Remote VPN access allows remote users to securely VPN into a corporate network.
What are 4 limitations of crypto-maps?
- Don’t natively support MPLS
- Configuration can be overly complex
- Commonly mis-configured
- Crypto-ACLs can consume excessive amounts of TCAM space
What are the 2 different ways to configure traffic encryption for a GRE tunnel?
- Using crypto maps
- Using tunnel IPsec profiles
What is LISP?
- Cisco Location/ID Separation Protocol
- A routing architecture and a data and control plane protocol that was created to address routing scalability problems on the Internet
What are 4 reasons LISP was created?
- Aggregation issues
- Traffic engineering
- Multihoming
- Routing instability (churning)
What is the DFZ?
- Default Free Zone
- Internet routing table
In LISP what is an Endpoint Identifier (EID)?
An EID is the IP address of an endpoint within a LISP site.
What is a LISP site?
This is the name of a site where LISP routers and EIDs reside.
In LISP what is an Ingress tunnel router (ITR)?
ITRs are LISP routers that LISP-encapsulate IP packets coming from EIDs that are destined outside the LISP site
In LISP what are Egress tunnel router (ETR) ?
ETRs are LISP routers that de-encapsulate LISP-encapsulated IP packets coming from sites outside the LISP site and destined to EIDs within the LISP site.
In LISP what is a Tunnel router (xTR)?
xTR refers to routers that perform ITR and ETR functions (which is most routers)
In LISP what is a Proxy ITR (PITR)?
PITRs are just like ITRs but for non-LISP sites that send traffic to EID destinations.
In LISP what is a Proxy ETR (PETR)?
- PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP sites
- Used when a LISP site needs to communicate with a non-LISP site
In LISP what is a Proxy xTR (PxTR)?
PxTR refers to a router that performs PITR and PETR functions.
What is a LISP router?
A LISP router is a router that performs the functions of any or all of the following: ITR, ETR, PITR, and/or PETR
In LISP what is a Routing locator (RLOC)?
An RLOC is an IPv4 or IPv6 address of an ETR that is Internet facing or network core facing.
In LISP what is a Map server (MS)?
This is a network device (typically a router) that learns EID-to-prefix mapping entries from an ETR and stores them in a local EID-to-RLOC mapping database.
In LISP what is a Map resolver (MR) ?
This is a network device (typically a router) that receives LISP-encapsulated map requests from an ITR and finds the appropriate ETR to answer those requests by consulting the map server.
In LISP what is a Map server/map resolver (MS/MR)?
When MS and the MR functions are implemented on the same device, the device is referred to as an MS/MR.
What does LISP do?
LISP separates IP addresses into endpoint identifiers (EIDs) and routing locators (RLOCs). This way, endpoints can roam from site to site, and the only thing that changes is their RLOC; the EID remains the same.
What does the LISP control plane do?
- Pull model
- LISP router sends a Map Request containing an IP address to an MR
- MR responds by sending RLOC reply which is also an IP address
What is the difference between a Push model and a Pull model?
- Push model is like traditional routing protocols - sends all the routes whether you need them or not
- Pull model is LISP - LISP router sends map query to Map Resolver (MR), MR returns only the Routing Locater (RLOC)
What 5 issues are addressed by VXLAN?
- 12-bit VLAN ID field doesn’t support enough VLANS
- Large MAC address tables are needed for the thousands of VMs
- STP blocking leads to a large number of blocked links
- ECMP not supported
- Host mobility is difficult to implement
What is VXLAN’s equivalent of the VLAN ID?
How many bits?
How many VXLAN segments or overlay networks will this support?
- VXLAN Network Identifier (VNI)
- 24 bits
- Supports 16 million VXLAN segments or Overlay Networks
Where in a VXLAN packet is the VNI located?
In the VXLAN shim header
In VXLAN, what is the VNI used for?
To provide separation for layer 2 and layer 3 traffic
in VXLAN, what are VTEPs?
- Virtual Tunnel Endpoints
- Originate and terminate VXLAN tunnels
- They map layer 2 and layer 3 packets to VNI
In VXLAN, what are the 2 interfaces VTEPs have?
- Local LAN interface - faces the endpoint switches
- IP Interface - faces the core of the network, also these interfaces are where encapsulation/decapsulation happens
What is a VXLAN Gateway?
- Used when there are devices that don’t support VXLAN
- Combines a VXLAN segment with a Classic VLAN into a single common Layer 2 domain
What planes does VXLAN operate?
- VXLAN standard only defined it as a Data Plane protocol
- This allows it to be used with any Control Plane
What are the 4 VXLAN Control Plane/Data Plane protocols does Cisco support
- VXLAN with Multicast underlay
- VXLAN with Static Unicast VXLAN Tunnels
- VXLAN with MP-BGP EVPN control plane
- VXLAN with LISP control plane
What are the preferred VXLAN Control Planes for data centers and private clouds?
- MP-BGP eVPN
- VXLAN with Multicast underlay
What is the preferred VXLAN Control Plane for campus environments?
VXLAN with LISP control plane
What is an example implementation of VXLAN with LISP control plane?
Cisco Software Defined Access (SD-Access)
What kind of encapsulation does VXLAN do?
MAC-in-IP encapsulation
What 2 HMACs are used by Cisco devices?
- MD5
- SHA-1
Display information about ISAKMP SAs
show crypto isakmp sa
Display detailed information about IPsec SAs
show crypto ipsec sa
How many VXLANs can theoretically exist in the same infrastructure?
16 million due to the 24-bit VXLAN Network Identifier (VNI)
What happens during IKE phase 1 main mode?
- (MM1 and MM2) negotiate cryptographic ciphers
- (MM3 and MM4) exchange key material
- (MM5 and MM6) are encrypted and used to prove the identity
What 3 things happen in IKE Phase 2 quick mode?
- (QM1) Initiator sends cryptographic algorithms and traffic selectors to define what will be protected.
- (QM2) Responder sends cryptographic algorithms to be used and traffic selectors to define what will be protected.
- (QM3) Initiator acknowledges the responder’s previous message.
What happens in IKE Phase 1 Aggressive Mode?
- (AM1) Initiator sends SA proposals, key exchange material, nonce, and ID
- (AM2) Responder sends agreed upon SA proposal, key exchange material, nonce, ID, and Authenticates peer
- (AM3) Initiator authenticates peer
In IKEv2 what is the purpose of the 3 request/response pairs?
What is the purpose of the 3 request/response pairs?
What happens during IKE_SA_INIT?
What happens during IKE_AUTH?
What is the CREATE_CHILD_SA request/response pair used for?
- IKE_SA_INIT and IKE_AUTH are used to create the initial IKE SA and IPSec SA
- The first exchange is IKE_SA_INIT during which it negotiates cryptographic algorithms, exchanges nonces, and performs a Diffie-Hellman exchange
- The second exchange is IKE_AUTH, during which it authenticates the previous messages and exchanges identities and certificates. This establishes an IKE SA and a child SA (the IPsec SA)
- CREATE_CHILD_SA is used If additional IPsec SAs are required
