Term
What are the 3 main protocols used by IPsec? |
|
Definition
- Internet Key Exchange (IKE)
- Encapsulating Security Payload (ESP)
- Authentication Header (AH) |
|
|
Term
Describe the general use of Internet Key Exchange (IKE) in IPsec. |
|
Definition
Internet Key Exchange (IKE) is a framework for negotiating security parameters and authenticating the peers. IKE runs a Diffie-Hellman exchange and derives from it the keys used by the symmetric encryption and HMAC algorithms within an IPsec VPN, so the symmetric keys themselves never travel across the network. |
|
|
Term
Describe the general use of Encapsulating Security Payload (ESP) with IPsec. |
|
Definition
Encapsulating Security Payload (ESP) provides the framework for the data confidentiality, data integrity, data origin authentication, and optional anti-replay features of IPsec. |
|
|
Term
What are the 3 encryption methods available to IPsec Encapsulating Security Payload (ESP)? |
|
Definition
- Data Encryption Standard (DES)
- Triple Data Encryption Standard (3DES)
- Advanced Encryption Standard (AES)
Only AES remains acceptable: 56-bit DES is trivially brute-forced and must not be used, and 3DES is deprecated for IPsec. AES in GCM mode is preferred because it also provides integrity, which removes the need for a separate HMAC. |
|
|
Term
Describe the general use of Authentication Header (AH) with IPsec. |
|
Definition
Authentication Header (AH) provides the framework for the data integrity, data origin authentication, and optional anti-replay features of IPsec. Note that AH ensures that the data has not been modified or tampered with, but does not hide the data from inquisitive eyes during transit. Because AH also authenticates the immutable fields of the IP header (including the source and destination addresses), it cannot pass through NAT. |
|
|
Term
What do both Encapsulating Security Payload (ESP) and Authentication Header (AH) use as the authentication and integrity check? |
|
Definition
Both AH and ESP use a Hash-based Message Authentication Code (HMAC) as the authentication and integrity check, carried in the packet as the Integrity Check Value (ICV). In the classic algorithms the hash is either Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1), and the HMAC output is truncated to 96 bits (HMAC-MD5-96, HMAC-SHA1-96). Today HMAC-MD5 must not be used and HMAC-SHA-2 (for example HMAC-SHA-256-128) is the recommended choice; an AEAD cipher such as AES-GCM in ESP provides the integrity check itself, with no separate HMAC. |
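The receiver-side checks that the AH/ESP cards above describe (truncated HMAC as the ICV, and the optional anti-replay window) in one runnable example. This is added illustration, not code from the original deck or from any IPsec implementation: it uses a simplified packet framing of SPI | sequence number | payload | ICV with no encryption and no ESP trailer, a constructed 20-byte key in place of IKE-derived keys, and HMAC-SHA1-96 as the integrity algorithm. The one detail worth noticing is the order of operations from RFC 4303: the cheap replay check runs first, the ICV is verified second, and the window is advanced only after the ICV passes, so a forged packet can never move the window and block the genuine one.

```python
import hmac
import struct

# HMAC-MD5-96 / HMAC-SHA1-96 (RFC 2403 / RFC 2404) keep only the first 96 bits
# of the MAC as the Integrity Check Value (ICV).
ICV_LEN = 12
WINDOW_SIZE = 64   # RFC 4303 requires a receiver window of at least 32; 64 is common


def compute_icv(auth_key: bytes, authenticated: bytes, hash_name: str = "sha1") -> bytes:
    """Truncated HMAC over the authenticated portion of an AH/ESP packet."""
    return hmac.new(auth_key, authenticated, hash_name).digest()[:ICV_LEN]


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3) kept as a bitmap.

    Bit i of `bitmap` is set when sequence number (top - i) has been accepted.
    """

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Cheap pre-ICV test: could this sequence number still be new?"""
        if seq == 0:                       # the first packet on an SA carries seq 1
            return False
        if seq > self.top:                 # to the right of the window: new
            return True
        if self.top - seq >= self.size:    # to the left of the window: too old
            return False
        return not (self.bitmap >> (self.top - seq)) & 1

    def update(self, seq: int) -> None:
        """Advance or mark the window; call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def build_packet(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Simplified ESP framing: SPI | seq | payload | ICV (no encryption, no trailer)."""
    header = struct.pack("!II", spi, seq)
    return header + payload + compute_icv(auth_key, header + payload)


def parse_packet(pkt: bytes):
    spi, seq = struct.unpack("!II", pkt[:8])
    return spi, seq, pkt[8:-ICV_LEN], pkt[-ICV_LEN:]


def process_inbound(auth_key: bytes, window: ReplayWindow, spi: int, seq: int,
                    payload: bytes, icv: bytes) -> str:
    """Receiver order from RFC 4303: replay check, then ICV, then window update."""
    if not window.check(seq):
        return "replay"
    expected = compute_icv(auth_key, struct.pack("!II", spi, seq) + payload)
    if not hmac.compare_digest(expected, icv):   # constant-time comparison
        return "bad_icv"
    window.update(seq)                           # a forged packet never moves the window
    return "ok"


def demo() -> list:
    key = b"\x5a" * 20                 # constructed key; real keys come from IKE
    win = ReplayWindow()
    spi = 0x1000
    results = []
    p1 = build_packet(key, spi, 1, b"first")
    p2 = build_packet(key, spi, 2, b"second")
    results.append(process_inbound(key, win, *parse_packet(p2)))   # ok: arrives first
    results.append(process_inbound(key, win, *parse_packet(p1)))   # ok: reordered but unseen
    results.append(process_inbound(key, win, *parse_packet(p1)))   # replay of seq 1
    forged = bytearray(build_packet(key, spi, 3, b"third"))
    forged[8] ^= 0x01                                              # flip one payload bit
    results.append(process_inbound(key, win, *parse_packet(bytes(forged))))   # bad_icv
    genuine = build_packet(key, spi, 3, b"third")
    results.append(process_inbound(key, win, *parse_packet(genuine)))          # ok
    return results
```

Running `demo()` yields `["ok", "ok", "replay", "bad_icv", "ok"]`: the out-of-order packet is accepted, the repeat of sequence 1 is dropped by the window alone, and the tampered packet fails the ICV without consuming sequence number 3.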
|
|
Term
Describe the 2 different modes that IPsec can operate in. |
|
Definition
- Transport mode - The IPsec header (AH or ESP) is inserted between the original IP header and the transport-layer header. The original IP header stays exposed and unprotected (AH authenticates its immutable fields but does not hide it), so transport mode protects only the transport layer and above. It is typically used host-to-host.
- Tunnel mode - The entire original IP packet, including its header with the real source and destination addresses, is encapsulated and protected. A new outer IP header is added that carries only the addresses of the tunnel endpoints (for example two VPN gateways), so the internal addressing is hidden from observers. |
|
|
Term
What is the general use of Internet Key Exchange (IKE) with IPsec? |
|
Definition
IKE is used to dynamically exchange IPsec parameters and keys. It helps to automatically establish security associations (SAs) between 2 IPsec endpoints. An SA is an agreement of IPsec parameters between 2 peers. |
|
|
Term
Describe how the Internet Security Association and Key Management Protocol (ISAKMP) is used with Internet Key Exchange (IKE). |
|
Definition
ISAKMP defines the message formats and procedures for establishing, negotiating, modifying, and deleting security associations (SAs). All parameter negotiation is carried in ISAKMP messages, such as the choice of header authentication (AH) or payload encapsulation (ESP). ISAKMP provides the framework for peer authentication, but it does not itself define a key exchange; IKE supplies that from Oakley (and SKEME). IKE runs over UDP port 500 (port 4500 when NAT traversal is in use). |
|
|
Term
Describe how the Oakley protocol is used by Internet Key Exchange (IKE). |
|
Definition
The Oakley protocol contributes the key exchange: it defines the Diffie-Hellman groups (the prime modulus and generator) that IKE uses to establish keying material for the IKE and IPsec security associations (SAs). Diffie-Hellman is a cryptographic protocol that lets 2 endpoints derive a shared secret over an insecure channel without ever transmitting that secret; each side sends only its public value (g^x mod p), and an eavesdropper who sees both public values cannot compute the shared secret. The group number chosen (for example group 2 at 1024 bits or group 14 at 2048 bits) sets the strength; 1024-bit groups are considered too weak today. |
|
|
Term
Describe the 2 phases used to create a secure communication channel between 2 IPsec endpoints. |
|
Definition
- IKE phase 1 establishes a single bidirectional SA (the IKE or ISAKMP SA) between the IPsec peers: both directions of IKE traffic are protected with the same key material. Phase 1 negotiates the IKE parameters (encryption and hash algorithms, authentication method, Diffie-Hellman group, and lifetime), runs the Diffie-Hellman exchange, and authenticates the peers.
- IKE phase 2 establishes the unidirectional IPsec SAs (the transform sets for ESP or AH) between the endpoints, protected by the phase 1 SA. Because each IPsec SA covers one direction only, two SAs are created per connection, each with its own SPI and its own keying material derived from the phase 1 result. |
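The Oakley Diffie-Hellman exchange and the two-phase key derivation from the cards above, worked through in code. This is an added example, not code from the original deck or from any IKE implementation. It uses the RFC 2409 Oakley group 2 constant (1024-bit MODP, generator 2) only because it is the shortest well-known IKE group, and it checks the constant with a Miller-Rabin test before use, which is the sanity check a practitioner should apply to any DH parameters they did not generate themselves; the cookies, nonces, SPIs and pre-shared key are constructed values, and the prf is HMAC-SHA1 as in classic IKEv1 (SHA-2 in practice). The derivation follows RFC 2409 section 5 for pre-shared-key authentication: SKEYID from the PSK and nonces, then SKEYID_d, SKEYID_a and SKEYID_e from the shared secret and cookies; phase 2 KEYMAT (without PFS) is prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), which is why the two directions, having different SPIs, end up with different keys.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2: 1024-bit MODP prime with generator 2. Used here only
# because it is the shortest well-known IKE group; 1024-bit DH is too weak for
# production (use group 14 or larger, or an ECP group).
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G_GROUP2 = 2
P_LEN = (P_GROUP2.bit_length() + 7) // 8


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used to sanity-check group parameters before trusting them."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_keypair(p: int = P_GROUP2, g: int = G_GROUP2):
    x = secrets.randbelow(p - 2) + 1        # private exponent, never leaves the host
    return x, pow(g, x, p)                  # (x, g^x mod p); only g^x is sent


def dh_shared(priv: int, peer_pub: int, p: int = P_GROUP2) -> bytes:
    if not 1 < peer_pub < p - 1:            # 0, 1 and p-1 would force a trivial secret
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, p).to_bytes(P_LEN, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is the HMAC of the negotiated hash; SHA-1 here for illustration."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """SKEYID family for pre-shared-key authentication (RFC 2409 section 5)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seeds IPsec keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # IKE authentication
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # IKE encryption
    return skeyid_d, skeyid_a, skeyid_e


def ikev1_phase2_keymat(skeyid_d, protocol, spi, ni2, nr2):
    """Quick mode KEYMAT without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, bytes([protocol]) + spi + ni2 + nr2)


def demo() -> dict:
    xi, gxi = dh_keypair()                  # initiator's private/public values
    xr, gxr = dh_keypair()                  # responder's private/public values
    gxy_i, gxy_r = dh_shared(xi, gxr), dh_shared(xr, gxi)   # both compute g^xy
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8                 # constructed cookies
    ni, nr = b"\xa1" * 16, b"\xb2" * 16                     # constructed phase 1 nonces
    skeyid_d, skeyid_a, skeyid_e = ikev1_phase1_keys(
        b"constructed-psk", ni, nr, gxy_i, cky_i, cky_r)
    ni2, nr2 = b"\xc3" * 16, b"\xd4" * 16                   # constructed phase 2 nonces
    esp = 3                                 # IPsec DOI protocol id for ESP (AH is 2)
    key_in = ikev1_phase2_keymat(skeyid_d, esp, b"\x00\x00\x10\x00", ni2, nr2)
    key_out = ikev1_phase2_keymat(skeyid_d, esp, b"\x00\x00\x20\x00", ni2, nr2)
    return {"shared_secret_matches": gxy_i == gxy_r,
            "phase1_keys_distinct": len({skeyid_d, skeyid_a, skeyid_e}) == 3,
            "per_direction_keys_differ": key_in != key_out}
```

`demo()` returns all three flags as True: both peers arrive at the same g^xy from only the public values, phase 1 produces three distinct keys from one shared secret, and the inbound and outbound IPsec SAs get different keys because their SPIs differ.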
|
|
Term
Describe the optional phase used by Internet Key Exchange (IKE) and what it's used for. |
|
Definition
IKE phase 1.5 provides an additional layer of authentication, called Xauth. Xauth forces the user to authenticate before use of the IPsec connection is granted. |
|
|
Term
What Internet Key Exchange (IKE) modes are used during each of the IKE phases? |
|
Definition
IKE phase 1 can use either main or aggressive mode. Phase 2 will always use quick mode. |
|
|
Term
Describe how Internet Key Exchange's (IKE) main mode works during the first phase of establishing a peer connection. |
|
Definition
IKE main mode consists of 6 messages exchanged in 3 pairs between the peers:
- Messages 1 and 2: IPsec parameters and security policy. The initiator sends one or more proposals, and the responder selects the one it accepts.
- Messages 3 and 4: Diffie-Hellman exchange. Each endpoint sends its Diffie-Hellman public value and a nonce; neither side's private exponent nor the resulting shared secret is ever transmitted.
- Messages 5 and 6: ISAKMP session authentication. Each end proves its identity to the other (pre-shared key, RSA signature, or RSA encrypted nonce). These two messages are already encrypted with keys derived from the Diffie-Hellman result, so the peer identities are not exposed on the wire. |
|
|
Term
Describe how Internet Key Exchange's (IKE) aggresive mode works during the first phase of establishing a peer connection. |
|
Definition
Aggressive mode is an abbreviated version of main mode. The 6 messages of main mode are condensed into three:
- The initiator sends everything at once: IPsec parameters and security policies, its Diffie-Hellman public value and nonce, and its identity.
- The responder authenticates the packet and sends back its chosen proposal, its key material (Diffie-Hellman public value and nonce), its identity, and its authentication hash.
- The initiator authenticates the responder's packet.
Because the identities and the responder's authentication hash are sent before any encryption is in place, aggressive mode with pre-shared keys exposes the identity in the clear and lets an eavesdropper capture the hash for an offline dictionary attack on the PSK; main mode is preferred wherever the peer addresses are fixed. |
|
|
Term
Describe how Internet Key Exchange's (IKE) quick mode works during the second phase of establishing a peer connection. |
|
Definition
The negotiation of quick mode is protected by the IKE SA negotiated in phase 1. Quick mode (3 messages) negotiates the IPsec SAs used for data encryption and authentication across the IPsec connection, and it derives the keys for those SAs from the phase 1 key material. If perfect forward secrecy (PFS) is configured, quick mode runs a fresh Diffie-Hellman exchange so that compromise of the phase 1 keys does not expose the IPsec keys. |
|
|
Term
Describe how the dead peer detection (DPD) function works with Internet Key Exchange (IKE). |
|
Definition
Dead peer detection (DPD, RFC 3706) lets a peer find out that the other end has gone away by sending an ISAKMP R-U-THERE notification and waiting for an R-U-THERE-ACK. In periodic mode the probe is sent on a fixed interval; in on-demand mode it is sent only when there is traffic to send and the peer has been silent longer than the configured idle time. The interval (commonly 10 seconds) and the retry count determine how quickly a dead peer is declared and its SAs torn down; a long interval leaves stale SAs in place and black-holes traffic until the SA lifetime expires. |
|
|
Term
How does the NAT traversal function work in Internet Key Exchange (IKE). |
|
Definition
NAT traversal (NAT-T) solves the problem that ESP packets carry no Layer 4 port numbers, so a PAT device has nothing to translate (and AH, which authenticates the IP header, breaks under any address rewrite). During phase 1 the peers first learn whether both support NAT-T (vendor ID payloads) and then detect whether a NAT sits between them by exchanging NAT-D payloads, hashes of each side's address and port; if a hash does not match what the peer actually sees, a NAT is present. In phase 2 the peers negotiate the UDP-encapsulated tunnel or transport mode. A UDP header (port 4500) is then inserted in front of the ESP header of every data packet. This new transport-layer header has cleartext port information that can be stored in PAT tables, so the PAT translation succeeds, and the peers send periodic NAT keepalives to keep the translation entry alive. |
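The UDP encapsulation described above, as an added example that is not part of the original deck or of any IPsec implementation. It follows RFC 3948: ESP packets travel directly after a UDP header on port 4500, IKE messages on the same port are prefixed with a 4-octet zero "non-ESP marker", and a NAT keepalive is a single 0xFF octet. The receiver can tell the three apart because an ESP SPI of 0 is reserved and never appears on the wire. The `pat_rewrite_source` function stands in for what a PAT device does once the UDP header exists; the ESP packet and IKE message bodies are constructed placeholders.

```python
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on port 4500 is prefixed with 4 zero octets
NAT_KEEPALIVE = b"\xff"                 # RFC 3948: one-octet payload that keeps the NAT mapping alive


def udp_header(src_port: int, dst_port: int, payload_len: int) -> bytes:
    """Plain RFC 768 header; RFC 3948 has the sender transmit a zero checksum."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def encapsulate_esp(esp_packet: bytes, src_port: int = NAT_T_PORT,
                    dst_port: int = NAT_T_PORT) -> bytes:
    """ESP-in-UDP: the ESP header follows the UDP header directly, no marker."""
    return udp_header(src_port, dst_port, len(esp_packet)) + esp_packet


def encapsulate_ike(ike_message: bytes, src_port: int = NAT_T_PORT,
                    dst_port: int = NAT_T_PORT) -> bytes:
    """IKE on port 4500 carries the non-ESP marker so it cannot be mistaken for ESP."""
    body = NON_ESP_MARKER + ike_message
    return udp_header(src_port, dst_port, len(body)) + body


def pat_rewrite_source(udp_packet: bytes, new_src_port: int) -> bytes:
    """What a PAT device can now do: translate the cleartext UDP source port."""
    _, dst, length, _ = struct.unpack("!HHHH", udp_packet[:8])
    return struct.pack("!HHHH", new_src_port, dst, length, 0) + udp_packet[8:]


def parse_udp(udp_packet: bytes):
    src, dst, length, _ = struct.unpack("!HHHH", udp_packet[:8])
    if length != len(udp_packet):
        raise ValueError("UDP length mismatch")
    return src, dst, udp_packet[8:]


def classify_port4500_payload(payload: bytes):
    """Demultiplex RFC 3948 traffic on port 4500.

    ESP SPI 0 is reserved and never sent, so 4 leading zero octets can only be
    the non-ESP marker that precedes an IKE message.
    """
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", None
    if len(payload) < 8:
        raise ValueError("too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    spi, seq = struct.unpack("!II", payload[:8])
    return "esp", (spi, seq)


def demo() -> list:
    esp = struct.pack("!II", 0x1000, 7) + b"<encrypted payload>"   # constructed ESP packet
    ike = b"<ike header and payloads>"                             # constructed IKE message
    keepalive = udp_header(NAT_T_PORT, NAT_T_PORT, 1) + NAT_KEEPALIVE
    seen = []
    for pkt in (encapsulate_esp(esp), encapsulate_ike(ike), keepalive):
        translated = pat_rewrite_source(pkt, 61234)   # the NAT picks a new source port
        src, dst, payload = parse_udp(translated)
        seen.append((src, dst, classify_port4500_payload(payload)[0]))
    return seen
```

`demo()` returns `[(61234, 4500, "esp"), (61234, 4500, "ike"), (61234, 4500, "nat-keepalive")]`: the PAT device rewrote the source port on every packet without touching the ESP or IKE contents, and the receiver still demultiplexed each one correctly.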
|
|
Term
How does the Mode Configuration function work with Internet Key Exchange (IKE)? |
|
Definition
IKE mode configuration is a means of pushing the IPsec attributes a remote client needs out to that client. Such attributes include the internal (virtual) IP address the client uses inside the tunnel, and the DNS and NetBIOS (WINS) name servers to be used across the IPsec connection. |
|
|
Term
How does the Xauth function work with Internet Key Exchange (IKE)? |
|
Definition
IKE extended authentication (Xauth) is a way to authenticate the user of an IPsec connection, as opposed to the device. It adds an additional layer of authentication that the user must pass by means of a username/password, CHAP, a one-time password (OTP), or S/Key. |
|
|
Term
Describe how symmetric encryption works in an IPsec environment. |
|
Definition
Symmetric encryption uses a single, secret key that is used to both encrypt and decrypt the data. DES, 3DES, and AES are examples of symmetric encryption. |
|
|
Term
Describe how Internet Key exchange (IKE) uses asymmetric encryption. |
|
Definition
Asymmetric encryption algorithms use different keys for encryption and decryption. For encryption the public key encrypts and the private key decrypts; for digital signatures the roles are reversed, with the private key signing and the public key verifying. In IKE, asymmetric cryptography appears as the Diffie-Hellman exchange that produces the shared secret and, when the authentication method is RSA signatures or RSA encrypted nonces, as the peer authentication; the bulk data is never encrypted asymmetrically. |
|
|