Deck 20: Ip Security

Additional padding may be added to provide partial traffic-flow
confidentiality by concealing the actual length of the payload.

An end user whose system is equipped with IP security protocols
can make a local call to an ISP and gain secure access to a company
network.

the Payload Data Field is designed to deter replay attacks.
14.the Security Parameters Index identifies a security association.

the default automated key management protocol for IPsec is
referred to as ISAKMP/Oakley.

Any traffic from the local host to a remote host for purposes of an
IKE exchange bypasses the IPsec processing.

transport mode provides protection to the entire IP packet.

the principal feature of IPsec is that it can encrypt and/or
authenticate all traffic at the IP level.

transport adjacency refers to applying more than one security
protocol to the same IP packet without invoking tunneling.

IPsec is executed on a packet-by-packet basis.

Authentication must be applied to the entire original IP packet.

An individual SA can implement both the AH and the ESP protocol.

By implementing security at the IP level, an organization can
ensure secure networking not only for applications that have security mechanisms but also for the many security-ignorant applications.

Both tunnel and transport modes can be accommodated by the
encapsulating security payload encryption format.

_________ can be used to provide access control, confidentiality, data origin
authentication, connectionless integrity, rejection of replayed packets, and limited traffic flow confidentiality.

_________ mode is used when one or both ends of an SA are a security gateway,
such as a firewall or router that implements IPsec.

the __________ facility is concerned with the secure exchange of keys.

A security association is uniquely identified by three parameters: Security
Protocol Identifier, IP Destination Address, and ________ .

the __________ exchange requires that each side send a pseudorandom number in
the initial message, which the other side acknowledges.

__________ can be used to secure communication with other organizations,
ensuring authentication and confidentiality and providing a key exchange mechanism.

IPsec provides security services at the ________ layer by enabling a system to
select required security protocols, determine the algorithms to use for the
services and put in place any cryptographic keys required to provide the
requested services.

IPsec policy is determined primarily by the interaction of two databases: the
security policy database and the __________ .

A __________ attack is one in which an attacker obtains a copy of an authenticated
packet and later transmits it to the intended destination.

Confidentiality is a service provided by an encryption format known as __________ .

IPsec encompasses three functional areas: authentication, key management, and
__________ .

the term _________ refers to a sequence of SAs through which traffic must be
processed to provide a desired set of IPsec services.

Generic in that it does not dictate specific formats, the _________ is a key exchange
protocol based on the Diffie-Hellman algorithm with added security.

three different authentication methods can be used with IKE key determination:
Public key encryption, symmetric key encryption, and _________ .

At any point in an IKE exchange the sender may include a _________ payload to
request the certificate of the other communicating entity.