Chap 16 - Overlay Tunnels Flashcards

Question 1

Q

What is an Overlay network?

Answer

A

A logical or virtual network built over a physical transport network.

Question 2

Q

What is the physical network called.

Answer

A

An underlay network.

Question 3

Q

What are Overlay Networks for?

Answer

A

They are used to overcome shortcomings of traditional networks by enabling network virtualization, segmentation, and security to make traditional networks more manageable, flexible, secure (by means of encryption), and scalable.

Question 4

Q

What are 5 examples of Overlay Networks?

Answer

A

GRE Tunnels
IPSec
Location ID/Separation Protocol (LISP)
Virtual Extensible LAN (VXLAN)
Multiprotocol Label Switching (MPLS)

Question 5

Q

What is the most common VPN encryption suite?

Question 6

Q

Can an Overlay Tunnel be built over another overlay tunnel?

Answer

A

Yes, MPLS over GRE over IPSEC

Question 7

Q

What are 4 examples of next generation overlay fabric networks?

Answer

A

Software Defined WAN (SD-WAN)
Software Defined Access (SD-Access)
Application Centric Infrastructure (ACI)
Cisco Virtual Topology System (VTS)

Question 8

Q

What routing problem can cause a GRE tunnel not to come up?

Answer

A

Having no route to the tunnel destination.

Question 9

Q

For a GRE tunnel why use keepalives?

Answer

A

To ensure that bidirectional communication exists, otherwise you have to depend on the routing protocol timers to detect a dead remote endpoint.

Question 10

Q

For a GRE tunnel why specify the MTU, and what should it be?

Answer

A

GRE will add a 24 byte header to each packet.
It should be no greater than 1476 bytes

Question 11

Q

What size tunnel header will be added with DES/3DES IPSec (transport mode)?

Answer

A

18-25 bytes

Question 12

Q

What size tunnel header will be added with DES/3DES IPSec (tunnel mode)?

Answer

A

38-45 bytes

Question 13

Q

What size tunnel header will be added with GRE + DES/3DES?

Answer

A

42-49 bytes

Question 14

Q

What size tunnel header will be added with GRE + AES + SHA-1?

Answer

A

62-77 bytes

Question 15

Q

When running OSPF what kind of route will the tunnel route show up as?

Answer

A

Inter-area route

Question 16

Q

What is the default TTL for a GRE tunnel?

Question 17

Q

What is the Recursive Routing problem that can occur over a GRE tunnel?

Answer

A

Internet-facing network gets added into IGP routing table
Since Internet-facing route is more specific the routing protocol would try to use that route.
It can’t because the public network isn’t reachable from inside the tunnel.
Tunnel goes down
Recovers when it sees less specific default route
Once back up the routing protocol finds the more specific route again and tunnel bounces again.

Question 18

Q

How do you fix Recursive Routing over GRE?

Answer

A

Remove the Internet-facing route from the routing protocol.

Question 19

Q

What is IPSec?

Answer

A

It is a framework of open standards for creating highly secure VPNs using various protocols and technologies for secure communication across unsecure networks, such as the Internet.

Question 20

Q

What 4 services does IPSec provide?

Answer

A

Peer authentication
Data confidentiality
Data integrity
Replay detection

Question 21

Q

What 2 methods does IPSEC use to provide peer authentication?

Answer

A

Pre-shared Key
Digital certificates

Question 22

Q

What are 3 tools IPSEC uses to provide Data Confidentiality?

Answer

A

Data Encryption Standard (DES)
Triple DES (3DES)
Advanced Encryption Standard (AES)

Question 23

Q

What 2 methods does IPSEC use to provide Data Integrity?

Answer

A

HMAC function using MD5
HMAC function Secure Hash Algorithm (SHA)

Question 24

Q

What methods does IPSEC use to provide Replay Detection?

Answer

A

Marks every packet with a unique sequence number
VPN device keeps track of sequence numbers
Does not accept a packet with a sequence number it has already seen

Question 25

Q

What are the 2 different packet headers IPSEC uses to deliver IPSec services?

Answer

A

Authentication Header (AH)
Encapsulated Security Payload (ESP)

Question 26

Q

In IPSec what does the Authentication Header provide?

Answer

A

Data integrity
Authentication
Replay protection

Question 27

Q

How does IPSec’s Authentication Header ensure the packet has not been modified, what does it not support and what is the IP protocol number?

Answer

A

Creates a digital signature similar to a checksum to ensure the packet has not been modified
Does not support Encryption or NAT Traversal (NAT-T) so it is NOT recommended
Uses IP protocol 51

Question 28

Q

What 4 things does Encapsulated Security Payload (ESP) provide?

Answer

A

Data confidentiality
Data integrity
Authentication
Replay protection

Question 29

Q

How does ESP provide data confidentiality, what does it add, what protocol number and what else does it support?

Answer

A

Encrypts the payload (original packet)
Adds a new set of headers
Uses IP protocol 50
Does support encryption and NAT Traversal (NAT-T)

Question 30

Q

What 2 modes of packet transport does IPSec provide?

Answer

A

Tunnel mode
Transport mode

Question 31

Q

What 3 things does IPSec Tunnel Mode do?

Answer

A

Encrypts the entire packet
Adds new IPSec headers
Performs the Overlay Function

Question 32

Q

What is the difference between IPsec tunnel mode vs. transport mode?

What does 2 things does tunnel mode do that transport mode does not?

Answer

A

Tunnel mode encrypts the entire original packet, transport mode does not.
Tunnel mode performs an overlay function, transport mode does not.

Question 33

Q

What is Data Encryption Standard (DES)?

Answer

A

A 56-bit symmetric data encryption algorithm that can encrypt the data sent over a VPN.

Question 34

Q

What is Triple DES (3DES) and how is it different from DES?

Answer

A

data encryption algorithm
Runs the DES algorithm three times with three different 56-bit keys

Question 35

Q

What is Advanced Encreption Standard (AES), what was it developed to replace, what 3 key lengths are supported and what algorithm is it based on?

Answer

A

data encryption algorithm
was developed to replace DES and 3DES
AES supports key lengths of 128 bits, 192 bits, or 256 bits
based on the Rijndael algorithm

Question 36

Q

What is Message Digest 5 (MD5)

How many bits?
What 2 things is it used for?

Answer

A

One-way, 128-bit hash algorithm
Used for data integrity and preventing MitM attacks

Question 37

Q

What is Secure Hash Algorithm (SHA) and what 3 things is it used for?

Answer

A

One-way, 160-bit hash algorithm
Used for data integrity, data authentication, and preventing MitM attacks

Question 38

Q

What is Diffie-Hellman (DH), what does it enable, and how CPU intensive is it?

Answer

A

An asymmetric key exchange protocol
Enables two peers to establish a shared secret key used by encryption algorithms such as AES
The DH key exchange is very CPU intensive

Question 39

Q

What is a Diffie-Hellman Group?

What does the term Diffie-Hellman Group refer to?
What makes it more or less secure?
What does Cisco recommend?

Answer

A

Refers to the length of the key (modulus size) to use for a DH key exchange
The larger the modulus, the more secure it is
Cisco recommends DH group 14 or higher

Question 40

Q

What does Diffie-Hellman (DH) generate?

Answer

A

To generate a shared secret symmetric key that is used by both VPN peers for symmetrical algorithms, such as AES

Question 41

Q

What are RSA Signatures?

Answer

A

A public-key (digital certificates) cryptographic system used to mutually authenticate the peers.

Question 42

Q

What is a Pre-shared Key (PSK)?

Answer

A

A security mechanism in which a locally configured key is used as a credential to mutually authenticate the peers.

Question 43

Q

What is a Transform Set and how is it used?

Answer

A

A combination of security protocols and algorithms
Peers agree on which transform set to use during SA negotiation

Question 44

Q

What are 5 Authentication Header transform sets?

Answer

A

ah-md5-hmac
ah-sha-hmac
ah-sha256-hmac
ah-sha384-hmac
ah-sha512-hmac

Question 45

Q

What are the 12 ESP encryption transforms?

Answer

A

esp-null
esp-des
esp-3des
esp-aes
esp-aes 192
esp-aes 256
esp-gcm
esp-gmac
esp-md4-hmac
esp-sha-hmac
esp-seal
comp-lzs

Question 46

Q

How can you tell what authentication method the transform sets for Authentication Headers use?

Answer

A

If it says MD5 that’s the authentication method it uses
If it says just sha then sha is the authentication method
If it has numbers in it (256, 384, 512) then it uses AES authentication

Question 47

Q

What is Internet Key Exchange (IKE)?

What does it perform to establish SAs?
What is it used for?
What key exchange technique does it use?

Answer

A

It performs authentication between two endpoints to establish security associations (SA)
It’s used to carry control plane and data plane traffic for Ipsec
Implementation of ISAKMP using Oakley and Skeme key exchange technique

Question 48

Q

How many versions are there of IKE?

Question 49

Q

What is Internet Security Association Key Management Protocol (ISAKMP)

It is a framework for what 2 things?
What 3 things does it allow to happen?
What kind of traffic does it carry?

Answer

A

Framework for authentication and key exchange between two peers to establish, modify, and tear down SAs
Supports many kinds of key exchanges
Carries control plane and data plane traffic for IPsec.

Question 50

Q

What is Oakley and Skeme?

What 3 things does Oakley provide?
What 3 things does Skeme provide?

Answer

A

A key exchange technique used by IKE’s implementation of ISAKMP
Oakley provides
- Perfect Forward Security (PFS) for keys
- identity protection
- authentication
Skeme provides:
- anonymity
- repudiability
- quick key refreshment

Question 51

Q

What is IKE analogous to?

Question 52

Q

In general, what happens in IKEv1 Phase 1?

What does it establish?
Once it is established what can happen next?

Answer

A

Establishes a bidirectional SA between two IKE peers, known as an ISAKMP SA
Because the SA is bidirectional, once it is established, either peer may initiate negotiations for phase 2

Question 53

Q

In general, what happens in IKEv1 Phase 2?

Answer

A

Establishes unidirectional IPsec SAs, leveraging the ISAKMP SA established in phase 1 for the negotiation

Question 54

Q

What are the 2 modes IKEv1 Phase 1 can be done in?

Answer

A

Main mode
Aggressive mode

Question 55

Q

What is the difference between IKEv1 Main mode and Aggressive mode?

Answer

A

MM takes longer
MM hides the identities of the two peers but AM doesn’t
AM doesn’t offer same level of encryption security as MM
MM is 6 msgs and AM is 3 msgs
MM more flexible offering more security proposals

Question 56

Q

In IKEv1 Phase 1 what are the 5 parameters offered by the initiator?

Answer

A

Hash (MD5 or SHA)
Encryption (DES, 3DES, AES)
Auth method (PSK or digital certs)
Diffie Hellman Group ( group 1, 2, 5, etc)
Lifetime (how long until tunnel is torn down, default is 24 hours)

Question 57

Q

What is the one parameter in IKEv1 Phase 1 that the initiator and responder don’t have to agree on?

Answer

A

Lifetime - if they offer different lifetimes they both agree on the shortest one)

Question 58

Q

In IKEv1 Phase 2 what mode is used?

Answer

A

Quick Mode

Question 59

Q

What is Perfect Forward Security (PFS)?

What phase is it used in?
What is required to use it?
What does it provide?
How does it work?

Answer

A

Additional but optional function for Phase 2
Additional DH key exchanges
Creates greater resistance to crypto attacks
Derives session keys independently of any previous key in case previous key had been compromised

Question 60

Q

In IKE v1 what are the total number of messages exchanged?

IKE phase 1 MM:
IKE phase 1 AM:
IKE phase 2 QM
Total phase 1 and 2 using MM:
Total phase 1 and 2 using AM:
IKEv2 initial exchange:
IKEv2 to bring up another IPsec SA:

Answer

A

Phase 1 MM uses 6 msgs
Phase 1 AM uses 3 msgs
Phase 2 QM uses 3 msgs
Total using MM uses 9 msgs
Total using AM uses 6 msgs
IKEv2 establishes both IKE SA and IPsec SA in 4 messages
IKEv2 can bring up another IPsec SA with one request/response pair - 2 messages.

Question 61

Q

Is IKEv2 backward compatible with IKEv1?

Answer

A

No, they use completely different messages.

Question 62

Q

What 4 authentication methods are supported in IKEv2 and what is different about how IKEv2 authenticates vs how IKEv1 authenticates?

Answer

A

Pre-shared Key
Digital RSA Certificate (RSA-SIG)
Elliptic Curve Digital Signature Certificate (ECDSA-SIG)
Extensible Authentication Protocol (EAP)
Both peers don’t have to use the same AUTH method

Question 63

Q

What authentication methods are supported in IKEv1?

What 2 authentication methods does IKEv1 use?
Regarding authentication what is the difference between IKEv1 and IKEv2?

Answer

A

Pre-shared Key
Digital RSA Certificate (RSA-SIG)
Both peers must use the same authentication method

Question 64

Q

What 7 Next Generation Encryption methods does IKEv2 support?

Answer

A

AES-GCM mode
SHA-256
SHA-384
SHA-512
HMAC-SHA-256
Elliptic Curve Diffie-Hellman (ECDH) ECDH-384
ECDSA-384

Answer 61

A

Anti-DOS protection

Answer 62

A

Supported in IKEv2
A newer alternative to public keys that is more efficient.

Answer 63

A

Most versatile solution for site-to-site encryption because they allow for multivendor interoperability
Difficult to manage in large networks

Answer 64

A

Simplifies configuration for hub-and-spoke and spoke-to-spoke VPNs
Accomplishes this by combining
- multipoint GRE (mGRE) tunnels
- IPsec
- Next Hop Resolution Protocol (NHRP).

Answer 65

A

Specifically for enterprises to build any-to-any tunnel-less VPNs (where the original IP header is used) across service provider MPLS networks or private WANs
Doesn’t affect multicast or QOS
Encryption over private networks allows compliance with PCI or Hippa

Answer 66

A

Cisco’s implementation of the IKEv2 standard
Unified VPN solution combining site-to-site, remote access, hub-and-spoke topologies and partial meshes (spoke-to-spoke direct)
Compatible with legacy VPN implementations using crypto maps

Answer 67

A

Remote VPN access allows remote users to securely VPN into a corporate network.

Answer 68

A

Don’t natively support MPLS
Configuration can be overly complex
Commonly mis-configured
Crypto-ACLs can consume excessive amounts of TCAM space

Answer 69

A

Using crypto maps
Using tunnel IPsec profiles

Answer 70

A

Cisco Location/ID Separation Protocol
A routing architecture and a data and control plane protocol that was created to address routing scalability problems on the Internet

Answer 71

A

Aggregation issues
Traffic engineering
Multihoming
Routing instability (churning)

Answer 72

A

Default Free Zone
Internet routing table

Answer 73

A

An EID is the IP address of an endpoint within a LISP site.

Answer 74

A

This is the name of a site where LISP routers and EIDs reside.

Answer 75

A

ITRs are LISP routers that LISP-encapsulate IP packets coming from EIDs that are destined outside the LISP site

Answer 76

A

ETRs are LISP routers that de-encapsulate LISP-encapsulated IP packets coming from sites outside the LISP site and destined to EIDs within the LISP site.

Answer 77

A

xTR refers to routers that perform ITR and ETR functions (which is most routers)

Answer 78

A

PITRs are just like ITRs but for non-LISP sites that send traffic to EID destinations.

Answer 79

A

PETRs act just like ETRs but for EIDs that send traffic to destinations at non-LISP sites
Used when a LISP site needs to communicate with a non-LISP site

Answer 80

A

PxTR refers to a router that performs PITR and PETR functions.

Answer 81

A

A LISP router is a router that performs the functions of any or all of the following: ITR, ETR, PITR, and/or PETR

Answer 82

A

An RLOC is an IPv4 or IPv6 address of an ETR that is Internet facing or network core facing.

Answer 83

A

This is a network device (typically a router) that learns EID-to-prefix mapping entries from an ETR and stores them in a local EID-to-RLOC mapping database.

Answer 84

A

This is a network device (typically a router) that receives LISP-encapsulated map requests from an ITR and finds the appropriate ETR to answer those requests by consulting the map server.

Answer 85

A

When MS and the MR functions are implemented on the same device, the device is referred to as an MS/MR.

Answer 86

A

LISP separates IP addresses into endpoint identifiers (EIDs) and routing locators (RLOCs). This way, endpoints can roam from site to site, and the only thing that changes is their RLOC; the EID remains the same.

Answer 87

A

Pull model
LISP router sends a Map Request containing an IP address to an MR
MR responds by sending RLOC reply which is also an IP address

Answer 88

A

Push model is like traditional routing protocols - sends all the routes whether you need them or not
Pull model is LISP - LISP router sends map query to Map Resolver (MR), MR returns only the Routing Locater (RLOC)

Answer 89

A

12-bit VLAN ID field doesn’t support enough VLANS
Large MAC address tables are needed for the thousands of VMs
STP blocking leads to a large number of blocked links
ECMP not supported
Host mobility is difficult to implement

Answer 90

A

VXLAN Network Identifier (VNI)
24 bits
Supports 16 million VXLAN segments or Overlay Networks

Answer 91

A

In the VXLAN shim header

Answer 92

A

To provide separation for layer 2 and layer 3 traffic

Answer 93

A

Virtual Tunnel Endpoints
Originate and terminate VXLAN tunnels
They map layer 2 and layer 3 packets to VNI

Answer 94

A

Local LAN interface - faces the endpoint switches
IP Interface - faces the core of the network, also these interfaces are where encapsulation/decapsulation happens

Answer 95

A

Used when there are devices that don’t support VXLAN
Combines a VXLAN segment with a Classic VLAN into a single common Layer 2 domain

Answer 96

A

VXLAN standard only defined it as a Data Plane protocol
This allows it to be used with any Control Plane

Answer 97

A

VXLAN with Multicast underlay
VXLAN with Static Unicast VXLAN Tunnels
VXLAN with MP-BGP EVPN control plane
VXLAN with LISP control plane

Answer 98

A

MP-BGP eVPN
VXLAN with Multicast underlay

Answer 99

A

VXLAN with LISP control plane

Answer 100

A

Cisco Software Defined Access (SD-Access)

Answer 101

A

MAC-in-IP encapsulation

Answer 102

A

show crypto isakmp sa

Answer 103

A

show crypto ipsec sa

Answer 104

A

16 million due to the 24-bit VXLAN Network Identifier (VNI)

Answer 105

A

(MM1 and MM2) negotiate cryptographic ciphers
(MM3 and MM4) exchange key material
(MM5 and MM6) are encrypted and used to prove the identity

Answer 106

A

(QM1) Initiator sends cryptographic algorithms and traffic selectors to define what will be protected.
(QM2) Responder sends cryptographic algorithms to be used and traffic selectors to define what will be protected.
(QM3) Initiator acknowledges the responder’s previous message.

Answer 107

A

(AM1) Initiator sends SA proposals, key exchange material, nonce, and ID
(AM2) Responder sends agreed upon SA proposal, key exchange material, nonce, ID, and Authenticates peer
(AM3) Initiator authenticates peer

Answer 108

A

IKE_SA_INIT and IKE_AUTH are used to create the initial IKE SA and IPSec SA
- The first exchange is IKE_SA_INIT during which it negotiates cryptographic algorithms, exchanges nonces, and performs a Diffie-Hellman exchange
- The second exchange is IKE_AUTH, during which it authenticates the previous messages and exchanges identities and certificates. This establishes an IKE SA and a child SA (the IPsec SA)
CREATE_CHILD_SA is used If additional IPsec SAs are required

Brainscape's Knowledge GenomeTM

Chap 16 - Overlay Tunnels Flashcards

Brainscape's Knowledge Genome^TM