PrepAway - Latest Free Exam Questions & Answers

Which protocol option should you choose?

You are planning the configuration of an IPsec-protected connection between two routers. You are concerned
only with the integrity of the data that passes between the routers. You are less concerned with the
confidentiality of the data, and you would like to minimize the effect of IPsec on the data throughput.
Which protocol option should you choose?

A.
Authentication Header (AH) in tunnel mode

B.
Authentication Header (AH) in transport mode

C.
Encapsulating Security Payload (ESP) in tunnel mode

D.
Encapsulating Security Payload (ESP) in transport mode

Explanation:
You should choose Authentication Header (AH) in tunnel mode to meet the scenario requirements. Two
protocols can be used to build tunnels and protect data traveling across the tunnel:
Authentication Header (AH) uses IP protocol 51.
Encapsulating Security Payload (ESP) uses IP protocol 50.
AH is defined in Request for Comments (RFC) 1826 and 2402. AH does not perform data encryption, and
therefore the information is passed as clear text. The purpose of AH is to provide data integrity and
authentication, and optionally an anti-replay service. It ensures that a packet that crosses the tunnel is the
same packet that left the peer device and that no changes have been made in transit. It uses a keyed hash
(an integrity check value computed with a key shared by the two peers) to accomplish this.
ESP is defined in RFC 2406. ESP can provide data integrity and authentication, but its primary purpose is to
encrypt the data crossing the tunnel. On Cisco devices, ESP supports encryption using Advanced Encryption
Standard (AES), Data Encryption Standard (DES), or Triple DES (3DES). Tunnel mode is used between Virtual
Private Network (VPN) gateways such as routers, firewalls, and VPN concentrators.
You would not choose Authentication Header (AH) in transport mode. Transport mode is used between end
stations or between an end station and a VPN gateway, not between two routers.
You would not choose Encapsulating Security Payload (ESP) in tunnel mode or transport mode. Using ESP would
slow the connection because of the encryption and decryption that occur for every packet, and the scenario
does not require confidentiality.
Objective:
WAN Technologies
Sub-Objective:
Describe WAN access connectivity options
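As an added illustration (example code written for this page, not taken from Cisco or from the sources the explanation draws on), the following Python builds simplified AH packets in transport mode and in tunnel mode, using HMAC-SHA-1-96 as the keyed hash, and shows the receiver-side integrity check. It demonstrates the two points the explanation makes: the payload (and, in tunnel mode, the whole inner packet) stays in clear text, while any modification in transit is detected, and a router decrementing the TTL does not break the check because mutable fields are excluded from the hash. The IPv4 header is simplified (no options, checksum not computed), only TTL and checksum are treated as mutable fields, and the key, SPI values, addresses and payload are constructed demo values.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51        # IP protocol number for AH (ESP is 50)
NEXT_HEADER_IPIP = 4    # AH Next Header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12            # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)
AH_LEN = 12 + ICV_LEN   # fixed AH fields (12 bytes) plus the ICV
IP_HDR = 20             # minimal IPv4 header, no options (simplification for this example)


def ip(addr):
    """Dotted-quad string to 4 raw bytes."""
    return socket.inet_aton(addr)


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Simplified 20-byte IPv4 header; the header checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def _ah_header(next_header, spi, seq, icv=bytes(ICV_LEN)):
    """AH fixed part: Next Header, Payload Len, Reserved, SPI, Sequence Number, then the ICV.
    Payload Len is the AH length in 32-bit words minus 2 (RFC 2402)."""
    return struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + icv


def _zero_mutable(packet):
    """Zero the outer-header fields that legitimately change in transit (TTL, checksum)
    and the ICV slot itself, so the keyed hash covers only immutable content."""
    b = bytearray(packet)
    b[8] = 0                                            # TTL
    b[10:12] = b"\x00\x00"                              # header checksum
    b[IP_HDR + 12:IP_HDR + AH_LEN] = bytes(ICV_LEN)     # ICV field inside AH
    return bytes(b)


def _icv(packet, key):
    """Integrity check value: keyed hash over the packet with mutable fields zeroed."""
    return hmac.new(key, _zero_mutable(packet), hashlib.sha1).digest()[:ICV_LEN]


def _seal(packet, key):
    """Write the computed ICV into its slot (offset 32..44 with a 20-byte IP header)."""
    start = IP_HDR + 12
    return packet[:start] + _icv(packet, key) + packet[start + ICV_LEN:]


def ah_transport(inner, key, spi, seq):
    """Transport mode: AH is inserted between the original IP header and its payload.
    The original addresses stay on the outer header and the payload stays in clear text."""
    orig_proto, ttl = inner[9], inner[8]
    src, dst, payload = inner[12:16], inner[16:20], inner[IP_HDR:]
    hdr = ipv4_header(src, dst, AH_PROTOCOL, IP_HDR + AH_LEN + len(payload), ttl)
    return _seal(hdr + _ah_header(orig_proto, spi, seq) + payload, key)


def ah_tunnel(inner, key, spi, seq, outer_src, outer_dst):
    """Tunnel mode: a new outer IP header (gateway to gateway) plus AH wrap the whole
    original packet; the inner packet, header included, is authenticated but not hidden."""
    hdr = ipv4_header(outer_src, outer_dst, AH_PROTOCOL, IP_HDR + AH_LEN + len(inner))
    return _seal(hdr + _ah_header(NEXT_HEADER_IPIP, spi, seq) + inner, key)


def verify_ah(packet, key):
    """Receiver check: the packet carries AH and the recomputed ICV matches the one sent."""
    if packet[9] != AH_PROTOCOL:
        return False
    start = IP_HDR + 12
    return hmac.compare_digest(packet[start:start + ICV_LEN], _icv(packet, key))


# Constructed demo values: a small UDP-style packet between two LAN hosts behind the routers.
KEY = b"constructed-demo-key-not-for-real-use"
INNER = ipv4_header(ip("10.1.1.10"), ip("10.2.2.20"), 17, IP_HDR + 11) + b"hello world"


def demo():
    transport = ah_transport(INNER, KEY, spi=0x100, seq=1)
    tunnel = ah_tunnel(INNER, KEY, 0x200, 1, ip("203.0.113.1"), ip("198.51.100.1"))

    hop = bytearray(tunnel)
    hop[8] -= 1                    # a router decrementing the outer TTL must not break AH
    tampered = bytearray(tunnel)
    tampered[-1] ^= 0x01           # a single flipped payload bit must be detected

    return {
        "transport_ok": verify_ah(transport, KEY),
        "tunnel_ok": verify_ah(tunnel, KEY),
        "ttl_decrement_ok": verify_ah(bytes(hop), KEY),
        "tampered_ok": verify_ah(bytes(tampered), KEY),
        "payload_visible": b"hello world" in transport and INNER in tunnel,
        "transport_len": len(transport),
        "tunnel_len": len(tunnel),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-packet cost here is one HMAC over the packet plus 24 bytes of header, which is why the explanation prefers AH when only integrity is needed; ESP would add a cipher pass on top of the integrity check. Note that in tunnel mode the original source and destination addresses remain readable inside the authenticated inner packet, so AH gives no traffic confidentiality in either mode.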
