PrepAway - Latest Free Exam Questions & Answers

Which of the items below would affect the use of AH an…

While using IPsec, the ESP and AH protocols both provide integrity services. However, when using AH, some special attention needs to be paid if one of the peers uses NAT for address translation service. Which of the
items below would affect the use of AH and its Integrity Check Value (ICV) the MOST?


A. Key session exchange

B. Packet Header Source or Destination address

C. VPN cryptographic key size

D. Cryptographic algorithm used

Explanation:
AH provides authentication and integrity, and ESP can provide those two functions plus confidentiality. Why
even bother with AH then? In most cases, the reason has to do with whether the environment is using network
address translation (NAT). IPSec generates an integrity check value (ICV), which is really the same thing as
a MAC, over a portion of the packet. Remember that the sender and receiver each generate their own integrity
value; in IPSec, it is called an ICV. The receiver compares her ICV with the one sent by the
sender. If the values match, the receiver can be assured the packet has not been modified during transmission.
If the values differ, the packet has been altered and the receiver discards it.
The AH protocol calculates this ICV over the data payload, transport header, and network header. If the packet then
goes through a NAT device, the NAT device changes the IP address of the packet; that is its job. This means
a portion of the data (the network header) that was included when calculating the ICV has now changed, so the
receiver generates an ICV that differs from the one sent with the packet, and the packet
is discarded automatically. The ESP protocol follows similar steps, except it does not include the network
header when calculating its ICV. When the NAT device changes the IP address, it does not affect
the receiver's ICV because the network header is not included in the calculation.
Incorrect Answers:
A: The key session exchange does not affect the use of AH and its Integrity Check Value.
C: The VPN cryptographic key size does not affect the use of AH and its Integrity Check Value.
D: The cryptographic algorithm used does not affect the use of AH and its Integrity Check Value.
Harris, Shon. All-in-One CISSP Exam Guide, 6th Edition. McGraw-Hill, 2013, pp. 862-863.
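The NAT-versus-ICV behaviour described in the explanation, as an added example that is not part of the original page or of any IPsec implementation: a simplified packet model in which the "AH" ICV is an HMAC over the IP addresses, transport header and payload, while the "ESP" ICV leaves the IP header out, so rewriting the source address at a NAT breaks only the AH check. The packet layout, key and addresses are constructed for the demo; real AH also zeroes mutable header fields (such as TTL) before computing the ICV, which this model does not reproduce.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed, simplified packet model (not the real AH/ESP wire format):
# an IP header (source/destination addresses), a transport header and a payload.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    transport_header: bytes
    payload: bytes

# Constructed demo key; in real IPsec the SA key comes from the IKE exchange.
KEY = b"shared-sa-key-example"

def ah_icv(pkt: Packet, key: bytes = KEY) -> bytes:
    # AH: the ICV covers the network header, transport header and payload.
    covered = pkt.src.encode() + pkt.dst.encode() + pkt.transport_header + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()

def esp_icv(pkt: Packet, key: bytes = KEY) -> bytes:
    # ESP: the outer IP header is excluded; only the ESP-protected part is covered.
    covered = pkt.transport_header + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()

def nat_translate(pkt: Packet, public_src: str) -> Packet:
    # A NAT device rewrites the source address on the way out; nothing else changes.
    return replace(pkt, src=public_src)

def verify(received: Packet, sent_icv: bytes, icv_fn) -> bool:
    # The receiver recomputes the ICV and compares it in constant time.
    return hmac.compare_digest(icv_fn(received), sent_icv)

def simulate(use_ah: bool) -> bool:
    """Sender computes the ICV, the packet crosses a NAT, the receiver verifies.
    Returns True if the receiver accepts the packet."""
    icv_fn = ah_icv if use_ah else esp_icv
    original = Packet("10.0.0.5", "203.0.113.10", b"TCP:443", b"hello")
    sent_icv = icv_fn(original)
    translated = nat_translate(original, "198.51.100.7")
    return verify(translated, sent_icv, icv_fn)

if __name__ == "__main__":
    print("AH  accepted after NAT:", simulate(True))   # False: ICV mismatch, packet discarded
    print("ESP accepted after NAT:", simulate(False))  # True: outer header not covered
```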

