Components of IPSec

Protocol or Function    Description

IKE                     Internet Key Exchange is a general term used to define
                        how keys are exchanged and tunnels are authenticated.
                        It is defined in RFC 2409, which is recommended reading
                        for anyone deploying IPSec VPNs.

3DES                    Triple Data Encryption Standard performs three DES hash
                        processes with three keys in sequence to encrypt data.
                        DES (Data Encryption Standard) performs a single hash
                        process.

AES                     Advanced Encryption Standard will likely replace DES and
                        3DES because the processing power required for AES is
                        significantly lower than that for 3DES.

AH                      The Authentication Header option ensures authenticity
                        and data integrity, but it does not encrypt the payload,
                        hence the name "authenticating the header." It is
                        defined in RFC 2402.

Tunnel mode             Tunnel mode protects the entire IP packet, including the
                        original header, and adds a new 20-byte IP header.
                        Tunnel mode must be used for VPN applications involving
                        hosts behind the IPSec peers, which is the most common
                        configuration.

Transport mode          Transport mode protects only the IP payload via
                        encryption; the original header information is left
                        unencrypted.

ESP                     Encapsulating Security Payload protects the data within
                        the datagram but does nothing to the header. It is
                        defined in RFC 2406 and is best remembered by the word
                        "payload" in its title.

Because IPSec is the leading VPN technology, we will spend a moment discussing the
configuration of this technology; however, please note that the current exam does not
include configuration in scope.
The primary functions of IPSec address four key areas of concern for most data transmissions:

The confidential transmission of the data. This is provided by encrypting the payload
as it crosses the network, and it is important in preventing the compromise of confidential data.

The integrity of the data. IPSec receivers can validate that the payload has not been
altered in transmission.

The authentication of the transmission source. IPSec receivers can authenticate the source
of the packets to validate that they come from a trusted source.

Protection from replay. The IPSec functions can support detection and rejection of packets
that are replayed. This function is useful in preventing a captured packet containing
a password from being retransmitted later to authenticate.
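IPSec receivers implement the replay protection described above with a sliding window over the per-packet sequence number: packets older than the window, or already seen within it, are rejected. The following is an added example, not code from the book, that models that window; it assumes a 64-packet window, sequence numbers starting at 1, and that the caller commits a sequence number only after the packet's integrity check has passed.

```python
class AntiReplayWindow:
    """Sliding-window replay check modelled on an ESP/AH receiver.

    Assumption (not from the page): window of 64 packets, sequence
    numbers start at 1, and commit() is called only after the packet's
    integrity check succeeds, so a forged packet cannot move the window.
    """

    def __init__(self, window_size: int = 64) -> None:
        self.window_size = window_size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) was seen

    def check(self, seq: int) -> tuple[bool, str]:
        """Decide whether `seq` should be accepted; does not change state."""
        if seq == 0:
            return False, "invalid (sequence numbers start at 1)"
        if seq > self.highest:
            return True, "new highest"
        diff = self.highest - seq
        if diff >= self.window_size:
            return False, "too old (outside window)"
        if (self.bitmap >> diff) & 1:
            return False, "replay (already seen)"
        return True, "in window, not yet seen"

    def commit(self, seq: int) -> None:
        """Record `seq` as seen; call only after integrity verification."""
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def process(window: AntiReplayWindow, seqs: list[int]) -> list[tuple[int, bool, str]]:
    """Run a constructed stream of sequence numbers through the window."""
    results = []
    for seq in seqs:
        ok, why = window.check(seq)
        if ok:
            window.commit(seq)  # in practice, only after the MAC verifies
        results.append((seq, ok, why))
    return results


if __name__ == "__main__":
    # Constructed sample: reordering (5 before 4), a replay of 3, a jump to 70
    # that pushes 6 out of the window, and a late-but-valid 7.
    for seq, ok, why in process(AntiReplayWindow(), [1, 2, 3, 5, 4, 3, 70, 6, 7, 200]):
        print(f"seq={seq:<4} {'accept' if ok else 'reject'}  ({why})")
```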