Chap5_1

Question 1

What is IP

Answer 1

 The Internet Protocol (IP) for interconnecting systems

Question 2

IPsec Overview

Answer 2

 IPsec is NOT a single protocol. Instead,
IPsec provides a set of security algorithmsand a general framework that Includes: Authentication (Tunnel mode, transport mode), confidentiality by encryption, and
key management system

Question 3

IPsec Can be added to either IPv4 or IPv6 by means of ….

Answer 3

additional headers

Question 4

IPsec Includes:……

Answer 4

Authentication, confidentiality, and

key management

Question 5

IPsec Authentication uses ….. on entire IP packet ….. or IP packet except ………..

Answer 5

Authentication uses HMAC on entire IP packet
(Tunnel mode) or IP packet except IP header
(Transport mode)

Question 6

Confidentiality by

Answer 6

encryption (Tunnel or

transport modes)

Question 7

IP protocol vulnerabilities

Answer 7

 IP spoofing Intruders (create packets with false IP addresses)
 Eavesdropping and packet sniffing( read transmitted information)

Question 8

 Benefits of IPsec

Answer 8

 Transparent to applications (below transport layer (TCP, UDP)
 Provide security for individual users
 IPsec ensures redirect message comes from the router to which the initial packet was sent

Question 9

IPsec Architecture

 Security features are implemented as……

 Authentication is

 Encryption is

Answer 9

extension headers
Authentication Header (AH)
Encapsulating Security Payload (ESP) header

Question 10

IPsec Architecture
Support for Security features is….. for
IPv6 and ……. for IPv4

Answer 10

mandatory

optional

Question 11

Security Associations (SA) is …….. IPsec connection

Answer 11

Same as

Question 12

e

Answer 12

e

Question 13

IPsec composition

IPsec is composed of ……….. plane and ……….. plane.

The …………… plane contains ………….. which is used to establish …………………..

The ……………. plane is made up from …….. and ………….. Both provides framework for validating, encrypting and authentication data

Answer 13

control, data

control, IKE (Internet Key exchange) , authenticated keys

data, AH (authentication header) , ESP (encapsulating security payload)

Question 14

Both AH and ESP are vehicles for access
control, They may be applied ….. to provide a desired set of
security services in IPv4 and IPv6.

Answer 14

alone or in combination with each other

Question 15

IPSec uses two distinct protocols, ……. and ………

Answer 15

Authentication Header (AH)

Encapsulating Security Payload (ESP)

Question 16

AH provides

Answer 16

Connectionless integrity
Data origin authentication and
An optional anti-replay service.

Question 17

ESP may provide

Answer 17

 Confidentiality (encryption)
 Limited traffic flow confidentiality
 Connectionless integrity
 Data origin authentication, and
 Anti-replay service.

Question 18

Slide 27

Answer 18

TRUE

Question 19

Authentication Header (AH) Protocol provides ………. and ………. but does not provide …….

Authentication Header (AH) Guards against ………..

Authentication uses ……….. implies the two parties share a ……….

AH header inserted between ……….. and ………

Answer 19

 Provides source authentication, data integrity, NO
confidentiality
 Guards against replay attacks
 Authentication uses MAC implies the two parties share
a secret key.
 AH header inserted between IP header, data field.

Question 20

In Transport Mode (AH Authentication) Authentication covers the ……. packet,
excluding ………………..

Answer 20

Authentication covers the entire packet,

excluding mutable fields

Question 21

Tunnel Mode (AH Authentication) ……….. original IP packet is authenticated

AH inserted between …………… and new …………….

…………. header may contain different IP
addresses

Answer 21

Entire original IP packet is authenticated
 AH inserted between original IP header and
new outer IP header
 Outer IP header may contain different IP
addresses

Question 22

Encapsulating Security Payload (ESP)

Protocol

Answer 22

Provides secrecy, host authentication (optional),

data integrity, limited traffic flow confidentiality

Question 23

Tunnel Mode

ESP Encryption and Authentication

Answer 23

New IP header will contain sufficient information

for routing but not for traffic analysis

Question 24

Why multilayer Security

Answer 24

Because Most layers have control information that must be decoded before decryption is possible and these control information must be sent in the clear

Question 25

Defense in Depth and Breadth

Answer 25

Use multiple layers for constructing and
deploying network security policies
 Depth: If one layer protects against a
particular attack and a second layer
protects against the same attack, the
second layer provides depth against
that specific attack
 Breadth: If one layer protects against
one specific attack and a second layer
protects against a completely different
attack against that same service, these
layers are considered as providing
breadth

Question 26

Combining Security Associations

Answer 26

 Transport Adjacency:
 Apply multiple security protocols without invoking
tunneling
 Combining AH and ESP allows one level of combination
 Further nesting gives no benefits since processing
performed at ultimate destination
 Iterated Tunneling:
 Apply multiple security protocols through IP tunneling
 Multiple levels of nesting possible since each tunnel can
originate or terminate at a different IPsec site
 Two approaches can be combined

Question 27

Authentication Plus Confidentiality

Answer 27

ESP with Auth. Option:
 Transport mode: Authenticate and encrypt IP
payload but IP header not protected
 Tunnel mode: Authentication applies to entire
IP packet delivered to outer destination (ex.
Firewall), entire inner IP packet protected by
privacy to the inner IP destination
 In both cases, authentication applies to
ciphertext not plaintext.

Question 28

Basic Combinations of SAs

 Host-to-host: mode may be………….. or ……………

Security gateway: mode must be …………………

Answer 28

Each SA can be AH or ESP
 Host-to-host: mode may be transport or tunnel
 Security gateway: mode must be tunnel

Question 29

Slide 45

Answer 29

TRUE

Question 30

Key Management may be ……….. or ……………

Answer 30

 Manual:
• Admin manually configures systems with keys
• Practical for small static environments
 Automated:
• Oakley Key Determination Protocol
• Internet Security Association and Key Management Protocol
(ISAKMP

Question 31

Internet Security Association and Key
Management Protocol (ISAKMP)

Answer 31

 Provides a framework for Internet Key
management
 Provides specific protocol support including
formats for negotiation of security attributes
 Does Not dictate a specific algorithm
 Consists of a set of message types that enable
the use of different key exchange algorithms
 Defines procedures and packet formats to
establish, negotiate, modify and delete security
associations

Question 32

IPsec: Implementation Issues (1)

Answer 32

 IPsec protocol complex and configuration complicated
 IPsec is available for all major operating systems
 Needs key management protocols (IKE)
 Causes conflict with other protocols/mechanisms

Question 33

Summary IPsec

Answer 33

IPsec: Summary
 IKE message exchange for algorithms, secret keys,
SPI numbers
 Either the AH or the ESP protocol
 The AH protocol provides integrity and source
authentication
 The ESP protocol (with AH) additionally provides
encryption
 IPsec peers can be two end systems, two
routers/firewalls, or a router/firewall and an end
system

Question 34

IPsec and NAT: The Problem

Answer 34

Need Based NAT Traversal

with IPsec over TCP or UDP

Question 35

Important IPsec Concepts

Before sending data, a ………. is established from
sending to receiving entity:

This connection is ………………. connection and is based on …………..

Answer 35

virtual connection

Simplex (unidirectional)

security mechanisms (cryptographic algorithm, shared keys)

Question 36

Security Parameters Index (SPI)

Answer 36

A bit string assigned to an SA (IPsec) that enables receiving system to
select under which a received packet will be processed

Question 37

……… and ………. protocol supports two modes of use:
………… mode and …………..mode.

Answer 37

AH
ESP
Transport
Tunnel

Question 38

Transport mode Provide protection primarily for ……. and it is used in ……… communication between hosts

Answer 38

upper layer protocols

end-to-end

Question 39

tunnel mode is applied to ………… and used when one or both ends of an SA are………………

Answer 39

tunnel IP packets

security gateways (Firewalls, routers)