Which three statements about the IPsec ESP modes of operation are true? (Choose three.)
A.
Tunnel mode is used between a host and a security gateway.
B.
Tunnel mode is used between two security gateways.
C.
Tunnel mode only encrypts and authenticates the data.
D.
Transport mode authenticates the IP header.
E.
Transport mode leaves the original IP header in the clear.
Explanation:
http://www.cisco.com/en/US/docs/net_mgmt/vpn_solutions_center/2.0/ip_security/provisioning/g
uide/IPsecPG1.html
The Encapsulating Security Payload (ESP)
The Encapsulating Security Payload (ESP) contains six parts as described below. The first two parts
are not encrypted, but they are authenticated. Those parts are as follows:
•The Security Parameter Index (SPI) is an arbitrary 32-bit number that tells the device receiving the
packet what group of security protocols the sender is using for communication. Those protocols
include the particular algorithms and keys, and how long those keys are valid.
•The Sequence Number is a counter that is incremented by 1 each time a packet is sent to the same
address and uses the same SPI. The sequence number indicates which packet is which, and howmany packets have been sent with the same group of parameters. The sequence number also
protects against replay attacks.
Replay attacks involve an attacker who copies a packet and sends it out of sequence to confuse
communicating devices.
The remaining four parts of the ESP are all encrypted during transmission across the network. Those
parts are as follows:
•The Payload Data is the actual data that is carried by the packet.
•The Padding, from 0 to 255 bytes of data, allows certain types of encryption algorithms to require
the data to be a multiple of a certain number of bytes. The padding also ensures that the text of a
message terminates on a four-byte boundary (an architectural requirement within IP).
•The Pad Length field specifies how much of the payload is padding rather than data.
•The Next Header field, like a standard IP Next Header field, identifies the type of data carried and
the protocol.
The ESP is added after a standard IP header. Because the packet has a standard IP header, the
network can route it with standard IP devices. As a result, IPsec is backwards-compatible with IP
routers and other equipment even if that equipment isn’t designed to use IPsec. ESP can support any
number of encryption protocols. It’s up to the user to decide which ones to use. Different protocols
can be used for every person a user communicates with. However, IPsec specifies a basic DES-Cipher
Block Chaining mode (CBC) cipher as the default to ensure minimal interoperability among IPsec
networks. ESP’s encryption capability is designed for symmetric encryption algorithms. IPsec
employs asymmetric algorithms for such specialized purposes as
negotiating keys for symmetric encryption.
Tunneling with ESP
Tunneling takes an original IP packet header and encapsulates it within the ESP. Then, it adds a new
IP header containing the address of a gateway device to the packet. Tunneling allows a user to send
illegal IP addresses through a public network (like the Internet) that otherwise would not accept
them. Tunneling with ESP offers the advantage of hiding original source and destination addresses
from users on the public network. Hiding these addresses reduces the power of traffic analysis
attacks. A traffic analysis attack employs network monitoring techniques to determine how much
data and what type of data is being communicated between two users.