Which three statements about the IPsec ESP modes of operation are true? (Choose three.)
A. Tunnel mode is used between a host and a security gateway.
B. Tunnel mode is used between two security gateways.
C. Tunnel mode only encrypts and authenticates the data.
D. Transport mode authenticates the IP header.
E. Transport mode leaves the original IP header in the clear.
Explanation/Reference:
http://www.cisco.com/en/US/docs/net_mgmt/vpn_solutions_center/2.0/ip_security/provisioning/guide/IPsecPG1.html
The Encapsulating Security Payload (ESP)
The Encapsulating Security Payload (ESP) contains six parts as described below. The first two parts are not encrypted, but they are authenticated.
Those parts are as follows:
The Security Parameter Index (SPI) is an arbitrary 32-bit number that tells the device receiving the packet what group of security protocols the sender is using for communication. Those protocols include the particular algorithms and keys, and how long those keys are valid. The Sequence Number is a counter that is incremented by 1 each time a packet is sent to the same address and uses the same SPI. The sequence number indicates which packet is which, and how many packets have been sent with the same group of parameters. The sequence number also protects against replay attacks.
Replay attacks involve an attacker who copies a packet and sends it out of sequence to confuse communicating devices.
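As an added example (not taken from the page or from Cisco's documentation), the following Python parses the two authenticated-but-unencrypted fields described above, the SPI and the Sequence Number, from constructed ESP packets and runs them through a per-SPI sliding anti-replay window, so a duplicated or too-old sequence number is dropped. The 64-packet window size, the sample SPI and the sequence numbers are assumptions made for the illustration.

```python
import struct

ESP_HEADER = struct.Struct("!II")  # SPI and Sequence Number, 32 bits each, network byte order

def parse_esp_header(packet: bytes):
    """Return (spi, seq, rest) from the unencrypted front of an ESP packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet too short for an ESP header")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return spi, seq, packet[ESP_HEADER.size:]

class ReplayWindow:
    """Sliding anti-replay window over sequence numbers for one SPI."""
    def __init__(self, size=64):  # 64-packet window is an assumption for this example
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was already seen

    def check_and_update(self, seq):
        """True if seq is fresh (and record it); False if replayed or too old."""
        if seq == 0:
            return False   # senders start counting at 1, so 0 is never legitimate
        if seq > self.highest:  # newer than anything seen: slide the window forward
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # older than the window covers: drop
        if self.bitmap & (1 << offset):
            return False   # same SPI, same sequence number: replay
        self.bitmap |= 1 << offset
        return True

def filter_replays(packets, window_size=64):
    """Run each packet through the window for its SPI; return (spi, seq, accepted)."""
    windows = {}
    verdicts = []
    for pkt in packets:
        spi, seq, _ = parse_esp_header(pkt)
        win = windows.setdefault(spi, ReplayWindow(window_size))
        verdicts.append((spi, seq, win.check_and_update(seq)))
    return verdicts

def make_esp(spi, seq, payload=b"\x00" * 16):
    """Constructed packet: the clear header plus an opaque stand-in for the encrypted part."""
    return ESP_HEADER.pack(spi, seq) + payload

# Constructed sample: 2 is replayed, 4 arrives late but inside the window, 3 is too old
SAMPLE = [make_esp(0x1234ABCD, s) for s in (1, 2, 3, 2, 5, 4, 70, 3)]
```

Running `filter_replays(SAMPLE)` accepts 1, 2, 3, 5, 4 and 70 and rejects the second 2 and the final 3.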
The remaining four parts of the ESP are all encrypted during transmission across the network.
Those parts are as follows:
The Payload Data is the actual data that is carried by the packet. The Padding, from 0 to 255 bytes, accommodates encryption algorithms that require the data to be a multiple of a certain number of bytes. The padding also ensures that the text of a message terminates on a four-byte boundary (an architectural requirement within IP). The Pad Length field specifies how much of the payload is padding rather than data. The Next Header field, like a standard IP Next Header field, identifies the type of data carried and the protocol.
The ESP is added after a standard IP header. Because the packet has a standard IP header, the network can route it with standard IP devices. As a result, IPsec is backwards-compatible with IP routers and other equipment even if that equipment isn’t designed to use IPsec. ESP can support any number of encryption protocols. It’s up to the user to decide which ones to use. Different protocols can be used for every person a user communicates with. However, IPsec specifies a basic DES cipher in Cipher Block Chaining (CBC) mode as the default to ensure minimal interoperability among IPsec networks. ESP’s encryption capability is designed for symmetric encryption algorithms. IPsec employs asymmetric algorithms for such specialized purposes as negotiating keys for symmetric encryption.
Tunneling with ESP
Tunneling takes an original IP packet, header included, and encapsulates it within the ESP. Then, it adds a new IP header containing the address of a gateway device to the packet. Tunneling allows a user to send IP addresses that are not routable on a public network (like the Internet), such as private addresses, through that network even though it otherwise would not accept them. Tunneling with ESP offers the advantage of hiding the original source and destination addresses from users on the public network. Hiding these addresses reduces the power of traffic analysis attacks. A traffic analysis attack employs network monitoring techniques to determine how much data and what type of data is being communicated between two users.