IPsec
DH group number _ (____-bit MODP) is the most widely supported DH group number, although 1024-bit groups are now considered too weak for new deployments.
2, 1024
Encapsulating Security Payload was specified in RFC ____ and is currently defined by RFC ____.
2406, 4303
Transport mode is used to secure any layer _ or above protocol set.
4
Authentication Header protocol is currently specified in RFC ____.
4302
ESP is included in IP Protocol __
50
IKE runs on ___ port ___.
UDP, 500 (UDP 4500 when NAT traversal is in use)
AH is included in IP Protocol __.
51
Tunnel mode is utilized for the creation of ___ connections.
VPN
PFS is more _____ but _____ establishing a connection
secure, slower
In cryptography, a _______ __________ is a one way set of security information used to facilitate a logical connection between nodes
security association
Without PFS, the IPsec SA ______ ___ is derived from the IKE phase 1 key
session key
AH ensures a packet is not _______ or ________ in transit.
spoofed, tampered with
Both nodes must agree on the _______ of interest
traffic
Perfect Forward Secrecy (PFS) performs a new DH ________ to create the IPsec SA session key
exchange
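
Why the PFS cards above matter, as an added worked example (not part of the original flashcards): it models IKEv1-style keying with and without PFS and shows what an attacker who later recovers the phase 1 secret (SKEYID_d) can do. The modulus is a small toy prime, not a real IKE group, and the derivation is a simplified model of the KEYMAT formula in RFC 2409 section 5.5; function names and nonce sizes are the example's own.

```python
"""Added example: IPsec SA keying with and without PFS (toy DH group)."""
import hashlib
import hmac
import secrets

# Toy DH group, NOT a real IKE group: a 127-bit Mersenne prime with generator 2.
# Real groups (group 2 = 1024-bit MODP, group 14 = 2048-bit MODP) are far larger.
P = 2**127 - 1
G = 2


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    return x, pow(G, x, P)                    # (private, public)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid_d_from_phase1(g_xy, nonce_i, nonce_r):
    """Phase 1 secret from which phase 2 keys are derived (simplified)."""
    return prf(g_xy, nonce_i + nonce_r)


def ipsec_keymat(skeyid_d, spi, nonce_i, nonce_r, pfs_secret=b""):
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni | Nr).
    pfs_secret is empty without PFS and the fresh DH result with PFS."""
    proto_esp = bytes([50])
    return prf(skeyid_d, pfs_secret + proto_esp + spi + nonce_i + nonce_r)


def run_phase2(skeyid_d, spi, ni, nr, pfs):
    """Return (keymat, transcript); the transcript is everything a passive
    eavesdropper sees: nonces, SPI and any public DH values."""
    transcript = {"spi": spi, "ni": ni, "nr": nr}
    if not pfs:
        return ipsec_keymat(skeyid_d, spi, ni, nr), transcript
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    transcript["gi"], transcript["gr"] = gi, gr
    secret = dh_shared(xi, gr)
    assert secret == dh_shared(xr, gi)        # both peers derive the same value
    return ipsec_keymat(skeyid_d, spi, ni, nr, secret), transcript


def attacker_recovers_key(skeyid_d, transcript):
    """Attacker holds SKEYID_d and the transcript but no private exponent, so
    the best available computation is the non-PFS derivation."""
    return ipsec_keymat(skeyid_d, transcript["spi"], transcript["ni"], transcript["nr"])


def demo(pfs):
    """True if the attacker's recomputed key equals the real IPsec SA key."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyid_d = skeyid_d_from_phase1(dh_shared(xi, gr), ni, nr)
    spi = secrets.token_bytes(4)
    keymat, transcript = run_phase2(skeyid_d, spi, ni, nr, pfs)
    return attacker_recovers_key(skeyid_d, transcript) == keymat


if __name__ == "__main__":
    print("without PFS, attacker recovers the SA key:", demo(pfs=False))
    print("with PFS, attacker recovers the SA key:   ", demo(pfs=True))
```

The cost of PFS is visible in run_phase2: every phase 2 negotiation pays for another modular exponentiation on each side, which is the "slower" half of the PFS card.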
An IPsec ________ defines the set of cryptographic tools used by IPsec
transform
PIX/ASA implementations of IPsec refer to crypto tools as _______ ____
transform sets
___ security associations are required for duplex communication.
two
The two modes of IPsec operation are __________ and ______
Transport, Tunnel
IPsec reduces the need for __________ layer security
Application
The two protocols utilized in IPsec are the ____________ _______ protocol, and the ____________ _______ _______.
Authentication Header, Encapsulating Security Payload
IPsec supports many block ciphers using ______ _____ ________ (CBC) mode; newer implementations also use AEAD modes such as AES-GCM.
Cipher Block Chaining
The strength of the negotiated Diffie-Hellman exchange (its modulus size) is determined by the __ _____ ______; the symmetric key length comes from the negotiated cipher transform.
DH group number
Transforms that can be performed in IPsec include ___/__, ______ with key, and ___ with key
ESP/AH, Cipher, MAC
T/F ESP is the equivalent of adding encryption to AH
F (ESP's integrity check covers only the ESP header and payload, whereas AH also covers the immutable fields of the outer IP header)
T/F A security association is a two way set of security information used to facilitate a logical connection between nodes.
F (One way)
T/F IPsec security associations are usually manually configured
F (Rarely done, as it is less secure than automatic)
T/F Main mode protects the identities of peers during negotiation, but is inflexible in implementation
F (actually allows greater flexibility)
T/F IPsec does not require the communication endpoint to be the cryptographic endpoint.
T (in tunnel mode a security gateway is the cryptographic endpoint on behalf of the hosts behind it; only transport mode requires the two to coincide)
T/F IPsec does not support filtering
F (it does)
T/F All systems support all DH groups.
F (not all systems support all groups)
T/F ESP allows implementation of authentication and encryption, but neither has to be enabled when configuring IPsec.
F (RFC 4303 permits either the cipher or the integrity algorithm to be NULL, but not both at once)
T/F The authentication header can be used for encryption of network traffic.
F (only authentication)
T/F IPsec will filter all traffic across the network at all times.
F (the security policy database decides per packet between PROTECT, BYPASS and DISCARD; bypassed traffic is passed to IP unprotected)
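
The "traffic of interest" and filtering cards above, as an added worked example (not part of the original flashcards): a minimal Security Policy Database lookup in the style of RFC 4301 section 4.4.1, with ordered entries, traffic selectors and first-match semantics. The addresses, subnets and policy entries are constructed for illustration.

```python
"""Added example: a minimal IPsec Security Policy Database (SPD) lookup."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard selector


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol: 6 TCP, 17 UDP, 50 ESP, 51 AH
    dport: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    src_net: Optional[str]
    dst_net: Optional[str]
    proto: Optional[int]
    dport: Optional[int]
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not ANY and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dst_net is not ANY and ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not ANY and pkt.proto != self.proto:
            return False
        if self.dport is not ANY and pkt.dport != self.dport:
            return False
        return True


def spd_lookup(spd, pkt: Packet) -> str:
    """First matching entry wins; a packet matching nothing is discarded."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return "DISCARD"


# Constructed policy for a gateway at 192.0.2.1 protecting 10.1.0.0/16, peered
# with a gateway at 198.51.100.1 that protects 10.2.0.0/16.
SPD = [
    # IKE between the gateways must travel in the clear (UDP 500, UDP 4500 with
    # NAT traversal), otherwise there is no way to negotiate the SAs at all.
    SpdEntry("192.0.2.1/32", "198.51.100.1/32", 17, 500, "BYPASS", "ike"),
    SpdEntry("192.0.2.1/32", "198.51.100.1/32", 17, 4500, "BYPASS", "ike-natt"),
    # Traffic of interest between the two protected subnets.
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", ANY, ANY, "PROTECT", "site-to-site"),
    # The local subnet may reach the Internet unprotected, except telnet.
    SpdEntry("10.1.0.0/16", ANY, 6, 23, "DISCARD", "no-telnet"),
    SpdEntry("10.1.0.0/16", ANY, ANY, ANY, "BYPASS", "internet"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.5.5", "10.2.7.7", 6, 443),
                Packet("192.0.2.1", "198.51.100.1", 17, 500),
                Packet("10.1.5.5", "203.0.113.9", 6, 23),
                Packet("203.0.113.9", "10.1.5.5", 6, 80)):
        print(pkt, "->", spd_lookup(SPD, pkt))
```

Ordering is the point to watch: telnet from 10.1.0.0/16 to 10.2.0.0/16 hits the site-to-site entry first and is protected, while telnet to any other destination is discarded; swap the entries and the behaviour changes.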
T/F Even when using Authentication Headers, the source address could be spoofed.
F (the source address is an immutable header field covered by the AH integrity check, so a forged or altered address fails verification)
Main or Aggressive Mode applies to ___ _____ _ negotiations (IKEv1 only; IKEv2 has neither mode).
IKE phase 1
IKE is built on the ______ framework.
ISAKMP
IKE stands for
Internet Key Exchange
ISAKMP stands for
Internet Security Association and Key Management Protocol
____ mode is preferred for maximum security in IKE phase 1 negotiations.
Main
ISAKMP dynamically establishes ___ and exchanges ____.
SAs, keys
The ________ __________ _____ is a 32-bit value that, together with the destination address and the security protocol (AH or ESP), identifies an individual security association.
Security Parameters Index
T/F Aggressive mode is faster to negotiate than Main mode
T (3 messages instead of 6, at the cost of exposing the peer identities)
T/F An IPsec transform defines the set of cryptographic tools and traffic used by IPsec
F (a transform defines only the cryptographic algorithms; the traffic of interest is selected separately by policy, e.g. a crypto map ACL)
T/F Authentication Headers carry a mandatory sequence number that supports an optional, receiver-side anti-replay service.
T
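
The anti-replay card above, as an added worked example (not part of the original flashcards): the sliding-window check an AH or ESP receiver runs on the sequence number, following RFC 4302 section 3.4.3 and RFC 4303 section 3.4.3. The window size of 64 and the sample sequence are the example's own assumptions; the RFCs require a window of at least 32.

```python
"""Added example: AH/ESP anti-replay sliding window."""


class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.right = 0          # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence (right - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """True if the packet is accepted, False if it is a replay or too old.

        In a real implementation this runs only after the ICV verifies, so a
        forged packet cannot advance the window. The 32-bit counter must not
        wrap: the SA is rekeyed before 2**32 packets (or ESN is used)."""
        if seq == 0:
            return False        # sequence number 0 is never transmitted
        if seq > self.right:    # right of the window: advance it
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1                      # only this packet is seen
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
            return True
        offset = self.right - seq
        if offset >= self.size:
            return False        # left of the window: too old
        mask = 1 << offset
        if self.bitmap & mask:
            return False        # already seen: replay
        self.bitmap |= mask     # late but new: accept and mark
        return True


def replay_demo():
    """Run a constructed sequence through the window; return the decisions."""
    w = AntiReplayWindow(size=64)
    stream = [1, 2, 3, 5, 4, 3, 100, 40, 36, 200, 1]
    return [w.check_and_update(s) for s in stream]


if __name__ == "__main__":
    for seq, ok in zip([1, 2, 3, 5, 4, 3, 100, 40, 36, 200, 1], replay_demo()):
        print(f"seq {seq:>3}: {'accept' if ok else 'reject'}")
```

In the sample stream, 4 arriving after 5 is accepted (reordering within the window is normal), the second 3 is rejected as a replay, and after 100 has moved the window forward 40 is still inside it while 36 has fallen off the left edge.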
T/F Before two nodes can communicate securely, they must sort out their security associations
T
T/F Both nodes must agree on the path MTU.
T (AH/ESP headers add overhead, so the effective MTU for protected traffic shrinks; if path MTU is not handled, packets are fragmented or silently dropped)
T/F Both transport and tunnel mode can work with AH and ESP.
T
T/F IKE uses the Oakley Key Agreement Protocol for keying, which uses Diffie-Hellman Key-exchange algorithms.
T
T/F IPsec AH and ESP can be used simultaneously.
T
T/F IPsec can provide a layer of security to inherently insecure application layer protocols.
T
T/F In IKE phase 1 the nodes authenticate each other and establish a secure channel for phase 2
T
T/F In IKE phase 2 an IPsec security association is negotiated
T
T/F Transport mode can be used with virtually all application layer protocols
T
T/F Tunnel mode requires an entire IP packet to be encapsulated into the IPsec data field.
T
ESP provides for ___________ and/or _________
authentication, encryption
A Security Association contains cryptographic information, including ______________, __________ information, and ___ information (along with the SPI, mode, lifetime and anti-replay state).
authenticators, encryption, MAC
AH provides authentication of the entire IPv4 ________ (except mutable header fields such as TTL, DSCP/ECN, flags/fragment offset and the header checksum).
datagram
The Authentication Header does not _______ data.
encrypt
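
The AH cards above (not spoofed or tampered with; source address cannot be spoofed; whole datagram authenticated except mutable fields) as one added worked example, not part of the original flashcards. It builds an IPv4 packet with an Authentication Header, computes the ICV the way RFC 4302 prescribes (mutable fields zeroed), and then checks three constructed cases: a router hop that decrements TTL, a spoofed source address, and a flipped payload byte. The integrity algorithm is HMAC-SHA-256-128 per RFC 4868; the key, addresses and payload are constructed for the example, and IP options are not handled.

```python
"""Added example: AH ICV computation and what it does and does not cover."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH_PROTO = 51
ICV_LEN = 16                      # HMAC-SHA-256-128: 128-bit truncated ICV
KEY = b"constructed-example-key-not-for-real-use"


def ipv4_checksum(hdr20: bytes) -> int:
    """Standard IPv4 header checksum; the checksum field must be zero on input."""
    s = sum(struct.unpack("!10H", hdr20))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, payload_len, ttl=64, tos=0, ident=0x1234, proto=AH_PROTO):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302: mutable IPv4 fields are treated as zero for the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                      # DSCP / ECN
    h[6:8] = b"\x00\x00"          # flags + fragment offset
    h[8] = 0                      # TTL
    h[10:12] = b"\x00\x00"        # header checksum
    return bytes(h)


def compute_icv(key, ip_hdr, ah_no_icv, payload):
    """ICV over: IP header (mutable fields zeroed) | AH with ICV zeroed | payload."""
    data = zero_mutable(ip_hdr) + ah_no_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, spi, seq, ttl=64, next_header=17):
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, ah_len + len(payload), ttl=ttl)
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence
    ah_no_icv = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_no_icv + compute_icv(key, ip_hdr, ah_no_icv, payload) + payload


def verify_ah_packet(key, pkt) -> bool:
    ip_hdr, rest = pkt[:20], pkt[20:]
    ah_no_icv, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah_no_icv, payload), icv)


def rewrite_header(pkt, edit):
    """Apply an in-flight header edit and fix the IP checksum as a router would."""
    h = bytearray(pkt[:20])
    edit(h)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def forward_hop(pkt):
    return rewrite_header(pkt, lambda h: h.__setitem__(8, h[8] - 1))     # TTL - 1


def spoof_source(pkt, new_src):
    return rewrite_header(pkt, lambda h: h.__setitem__(slice(12, 16), IPv4Address(new_src).packed))


def tamper_payload(pkt):
    return pkt[:-1] + bytes([pkt[-1] ^ 0xFF])


def demo():
    pkt = build_ah_packet(KEY, "192.0.2.10", "198.51.100.20", b"hello over AH", spi=0x1001, seq=1)
    return {
        "original": verify_ah_packet(KEY, pkt),
        "after_hop": verify_ah_packet(KEY, forward_hop(pkt)),
        "spoofed_src": verify_ah_packet(KEY, spoof_source(pkt, "203.0.113.66")),
        "tampered": verify_ah_packet(KEY, tamper_payload(pkt)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>12}: ICV {'valid' if ok else 'INVALID'}")
```

The TTL decrement survives because TTL and the checksum are zeroed before the HMAC, which is exactly why AH can cross ordinary routers; the source address and payload are not zeroed, so the spoofed and tampered packets fail verification. A NAT that rewrites the address would fail in the same way, which is the practical reason AH is rarely usable through NAT.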
Transport mode is used to protect standard application layer data during transmission across an _______ network.
insecure
IPsec security associations are configured automatically via a ___ _______ ______
key exchange protocol
IPsec runs at a ___ layer of the operating system's network stack (layer 3), so applications need no changes to benefit from it.
low
IKE phase 2 _________ the IPsec SA, then derives a key from the _____ _ key and assigns a unique ___ to identify traffic
negotiates, phase 1, SPI
IPsec adds security to the IPv4 or IPv6 ________ layer
network
IKE Phase 1 involves an authentication of the _____, a shared session ___ and finally an IKE __ with a secure channel for phase 2.
nodes, key, SA