Deck 9: Ip Security

Transport mode provides protection to the entire IP packet.

The Security Parameters Index identifies a security association.

The default automated key management protocol for IPsec is referred to as ISAKMP/Oakley.

The Payload Data Field is designed to deter replay attacks.

IPsec is executed on a packet-by-packet basis.

IPSec can guarantee that all traffic designated by the network administrator is authenticated but cannot guarantee that it is encrypted.

Both tunnel and transport modes can be accommodated by the encapsulating security payload encryption format.

The principal feature of IPsec is that it can encrypt and/or authenticate all traffic at the IP level.

Authentication must be applied to the entire original IP packet.

By implementing security at the IP level an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security ignorant applications.

An individual SA can implement both the AH and the ESP protocol.

Any traffic from the local host to a remote host for purposes of an IKE exchange bypasses the IPsec processing.

Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.

IP security is a capability that can be added to either current version of the Internet Protocol by means of additional headers.

The __________ facility is concerned with the secure exchange of keys.

A security association is uniquely identified by three parameters: Security Protocol Identifier, IP Destination Address, and ________ .

A __________ attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination.

IPsec encompasses three functional areas: authentication, key management, and __________ .

Authentication makes use of the _________ message authentication code.

IPsec policy is determined primarily by the interaction of two databases: The security policy database and the __________ .

IPsec provides security services at the ________ layer by enabling a system to select required security protocols, determine the algorithms to use for the services and put in place any cryptographic keys required to provide the requested services.

_________ can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and traffic flow confidentiality.

_________ mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPsec.

Confidentiality is provided by an encryption format known as __________ .

The term _________ refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPsec services.

At any point in an IKE exchange the sender may include a _________ payload to request the certificate of the other communicating entity.

Three different authentication methods can be used with IKE key determination: Public key encryption, symmetric key encryption, and _________ .

The selectors that determine a Security Policy Database are: Name, Local and Remote Ports, Next Layer Protocol, Remote IP Address, and _________ .

Generic in that it does not dictate specific formats, the _________ is a key exchange protocol based on the Diffie-Hellman algorithm with added security.