Term
| What are the 3 main protocols used by IPsec? |
|
Definition
- Internet Key Exchange (IKE) - Encapsulating Security Payload (ESP) - Authentication Header (AH) |
|
|
Term
| Describe the general use of Internet Key Exchange (IKE) in IPsec. |
|
Definition
| Internet Key Exchange (IKE) is a framework for the negotiation and exchange of security parameters and authentication keys. IKE also exchanges keys used for the symmetrical encryption algorithms within an IPsec VPN. |
|
|
Term
| Describe the general use of Encapsulating Security Payload (ESP) with IPsec. |
|
Definition
| Encapsulating Security Payload (ESP) provides the framework for the data confidentiality, data integrity, data origin authentication, and optional anti-replay features of IPsec. |
|
|
Term
| What are the 3 encryption methods available to IPsec Encapsulating Security Payload (ESP)? |
|
Definition
- Data Encryption Standard (DES) - Triple Data Encryption Standard (3DES) - Advanced Encryption Standard (AES) |
|
|
Term
| Describe the general use of Authentication Header (AH) with IPsec. |
|
Definition
| Authentication Header (AH) provides the framework for the data integrity, data origin authentication, and optional anti-replay features of IPsec. Note that AH ensures that the data has not been modified or tampered with, but does not hide the data from inquisitive eyes during transit. |
|
|
Term
| What do both Encapsulating Security Payload (ESP) and Authentication Header (AH) use as the authentication and integrity check? |
|
Definition
| Both AH and ESP use a Hash-based Message Authentication Code (HMAC) as the authentication and integrity check. The hash algorithms in IPsec will be either Message Digest 5 (MD5) or Secure Hash Algorithm (SHA-1) |
|
|
Term
| Describe the 2 different modes that IPsec can operate in. |
|
Definition
- Transport mode - In transport mode, the IPsec headers are simply inserted in an IP packet (after the IP header). Here, the original IP header is exposed and unprotected. So it protects at the transport layer and higher. - Tunnel mode - In tunnel mode, the actual IP addresses of the original IP header, along with all the data within the packet, are protected. Tunnel mode creates a new external IP header that contains the IP addresses of the tunnel endpoints only. |
|
|
Term
| What is the general use of Internet Key Exchange (IKE) with IPsec? |
|
Definition
| IKE is used to dynamically exchange IPsec parameters and keys. It helps to automatically establish security associations (SAs) between 2 IPsec endpoints. An SA is an agreement of IPsec parameters between 2 peers. |
|
|
Term
| Describe how the Internet Security Association and Key Management Protocol (ISAKMP) is used with Internet Key Exchange (IKE). |
|
Definition
| ISAKMP defines procedures on how to establish, negotiate, modify, and delete security associations (SAs). All parameter negotiation is handled through ISAKMP, such as header authentication and payload encapsulation. ISAKMP preforms peer authentication, but it does not involved key exchange. |
|
|
Term
| Describe how the Oakley protocol is used by Internet Key Exchange (IKE). |
|
Definition
| The Oakley protocol is used to manage key exchanges across IPsec security associations (SAs). The Diffie-Hellman algorithm used is a cryptographic protocol that permits 2 end points to exchange a shared secret over an insecure channel. |
|
|
Term
| Describe the 2 phases used to create a secure communication channel between 2 IPsec endpoints. |
|
Definition
- IKE phase 1 establishes a bidirectional SA between IPsec peers. This means that data sent between the end devices uses the same key material. This consists of parameter negotiations, such as hash methods and transform sets. - IKE phase 2 implements unidirectional SAs between the IPsec endpoints using the patameters agreed upon in phase 1. The use of unidirectional SAs means that separate keying material is needed for each direction. |
|
|
Term
| Describe the optional phase used by Internet Key Exchange (IKE) and what it's used for. |
|
Definition
| IKE phase 1.5 provides an additional layer of authentication, called Xauth. Xauth forces the user to authenticate before use of the IPsec connection is granted. |
|
|
Term
| What Internet Key Exchange (IKE) modes are used during each of the IKE phases? |
|
Definition
| IKE phase 1 can use either main or aggresive mode. Phase 2 will always use quick mode. |
|
|
Term
| Describe how Internet Key Exchange's (IKE) main mode works during the first phase of establishing a peer connection. |
|
Definition
IKE main mode consists of 6 messages being exchanged between peers: - IPsec paramters and security policy - The initiator sends one or more proposals, and the responder selects the appropriate one - Diffie-Hellman public key exchange - Public keys are sent between the 2 IPsec endpoints. - ISAKMP session authentication - Each end is authenticated by the other. |
|
|
Term
| Describe how Internet Key Exchange's (IKE) aggresive mode works during the first phase of establishing a peer connection. |
|
Definition
Aggresive mode is an abbreviated version of main mode. The 6 packets of main mode are condensed into three: - The initiator sends all data, including IPsec parameters, security policies, and Diffie-Hellman public keys. - The responder authenticates the packet and sends the parameter proposal, key material, and identification back. - The initiator authenticates the packet. |
|
|
Term
| Describe how Internet Key Exchange's (IKE) quick mode works during the second phase of establishing a peer connection. |
|
Definition
| The negotiation of quick mode is protected by the IKE SA negotiated in phase 1. Quick mode negotiates the SAs used for data encryption across the IP sec connection. It also manages the key exchange for those SAs. |
|
|
Term
| Describe how the dead peer detection (DPD) function works with Internet Key Exchange (IKE). |
|
Definition
| Dead peer detection (DPD) is done by sending periodic keepalives (or hello) timers between IPsec peers. But to be effective, the timer should be set low, like 10 seconds, to be fully effective. |
|
|
Term
| How does the NAT traversal function work in Internet Key Exchange (IKE). |
|
Definition
| NAT traversal solves the problem of NAT/PAT at L3. During phases one and two, it is determined if NAT is supported and exists. Then, UDP header is inserted before the ESP header in the IPsec packet. This new transport layer header has unencrypted port information that can be stored in PAT tables, and thus the PAT translation process can successfully occur. |
|
|
Term
| How does the Mode Configuration function work with Internet Key Exchange (IKE)? |
|
Definition
| IKE mode configuration is simply a means of pushing all the IPsec attributes out to the remote IPsec client. Such attributes include the IP address to be used for the IPsec connection, and the DNS and NetBIOS name servers to be used across the IPsec connection. |
|
|
Term
| How does the Xauth function work with Internet Key Exchange (IKE)? |
|
Definition
| IKE extended authentication (Xauth) is a way to authenticate a user of an IPsec connection. It adds an additional layer of authentication that a user must validate by means of a username/password, CHAP, one-time password (OTP), or secure key (S/key) |
|
|
Term
| Describe how symmetric encryption works in an IPsec environment. |
|
Definition
| Symmetric encryption uses a single, secret key that is used to both encrypt and decrypt the data. DES, 3DES, and AES are examples of symmetric encryption. |
|
|
Term
| Describe how Internet Key exchange (IKE) uses asymmetric encryption. |
|
Definition
| Asymmetric encryption algorithms use different keys for encryption and decryption. The encryption key is called the public key, while the decryption key is called the private key. |
|
|
