3 Mark Questions

1. What is IPsec and what are its main goals?

Ans: IPsec, or Internet Protocol Security, is a suite of protocols that provides security at the
network layer by authenticating and encrypting IP packets. Its main goals are confidentiality,
data integrity, source authentication, and replay protection​

2. Describe the purpose of Security Associations in IPsec?

Ans: A Security Association (SA) is a unidirectional connection established between network

entities in IPsec to secure data transfer. It includes the security parameters, such as
encryption algorithms and keys, necessary for communication​

3. What is Encapsulation Security Payload (ESP) in IPsec, and what does it provide?

Ans: ESP is a protocol within IPsec that provides encryption, source authentication, and data
integrity. It encapsulates the payload, protecting it against unauthorised access​

4. Differentiate between IPsec Transport Mode and Tunnel Mode?

Ans: In Transport Mode, only the IP payload is encrypted, leaving the IP header unchanged.
In Tunnel Mode, the entire IP packet, including the header, is encrypted, making it ideal for
VPNs and secure gateway-to-gateway communications

5. What is a Virtual Private Network (VPN) and how does IPsec support it?

Ans: A VPN is a secure network created over a public network. IPsec supports VPNs by
encrypting the data exchanged over the public network, enabling private, secure
communication as though over a dedicated network​

14 Mark Questions

1. Explain in detail the IPsec protocol suite and the functionalities of AH and ESP
protocols.

Ans: The IPsec protocol suite secures IP communications by authenticating and encrypting
each IP packet in a data stream. It operates at the network layer, providing comprehensive
security for IP communications by supporting two primary protocols:
 ● Authentication Header (AH): AH provides data integrity and source authentication by
applying a cryptographic hash function (like SHA or MD5) to each packet. While AH
verifies that data has not been altered, it does not encrypt the data, so it does not
offer confidentiality. AH ensures the origin and integrity of each packet, protecting
against spoofing and tampering. However, AH is less commonly used than ESP due
to its lack of confidentiality.
● Encapsulation Security Payload (ESP): ESP provides data encryption, source
authentication, and data integrity. By encrypting the payload, ESP ensures
confidentiality, preventing unauthorised access. Like AH, ESP also applies a hash
function to provide data integrity and origin authentication. ESP’s ability to encrypt
the payload makes it ideal for secure communications, particularly in VPNs and
sensitive data transfers.
● Modes of Operation:
○ Transport Mode: Only the IP payload is encrypted, leaving the IP header
intact. This mode is efficient for end-to-end communication (e.g., host-to-host)
and maintains the original IP addressing, which simplifies routing.
○ Tunnel Mode: In this mode, the entire IP packet (header and payload) is
encrypted and encapsulated in a new IP header. Tunnel Mode is ideal for
network-to-network or gateway-to-gateway communication, as it secures
routing and addressing details, commonly used in VPNs.
● Security Services Provided by IPsec:
○ Confidentiality: Through ESP encryption, IPsec prevents unauthorised data
access.
○ Data Integrity: Both AH and ESP ensure that data has not been altered in
transit.
○ Source Authentication: By validating packet origins, IPsec verifies that data is
from an authorised sender.
○ Replay Protection: Sequence numbers help prevent replay attacks by
identifying and rejecting duplicate packets.

IPsec’s suite of protocols, particularly in Tunnel Mode, is widely used in VPNs to ensure
secure data exchange across the internet, providing a complete framework for securing IP
communications

2. Discuss IPsec Security Associations (SAs) and the Security Policy Database (SPD)
and their role in secure communication.

Ans: IPsec relies on Security Associations (SAs) to define the parameters required for
secure data exchange. Each SA represents a one-way logical connection between entities
and specifies the security attributes that will apply to each communication session. SAs
contain:

● Security Protocols (AH or ESP): Specify whether the connection will use AH for
authentication and integrity or ESP for encryption and confidentiality.
● Encryption and Integrity Algorithms: Define the cryptographic algorithms (such as
AES for encryption and SHA-1 for hashing) used to protect data.
 ● Keys and Sequence Numbers: Specify the cryptographic keys and sequence
numbers, ensuring that each packet is unique and protected against replay attacks.

Each SA is uniquely identified by three parameters:

● Security Parameters Index (SPI): A unique identifier for the SA.

● IP Destination Address: Indicates the receiver of the SA.
● Security Protocol Identifier: Defines whether AH or ESP will be applied.

To manage multiple SAs, IPsec maintains two databases:

● Security Association Database (SAD): Stores details of each SA, such as

cryptographic keys, algorithms, and the protocol used.
● Security Policy Database (SPD): Specifies the rules for handling packets, including
which packets should be encrypted, authenticated, or bypassed. SPD policies help
IPsec decide if packets require protection and which SA to use for specific data
flows.

Together, SAs and the SPD provide the foundation for IPsec’s secure communication by
managing and enforcing security policies at the network layer, allowing for flexible and
dynamic security configurations​

3. Describe the role of Internet Key Exchange (IKE) in IPsec and how it aids in SA
management?

Ans: The Internet Key Exchange (IKE) protocol automates the setup of SAs, simplifying
IPsec configuration by negotiating cryptographic keys and connection parameters between
entities. IKE operates in two phases:

● Phase 1: Establishes a secure, authenticated channel using asymmetric

cryptography (e.g., Diffie-Hellman) to generate a shared secret. This phase ensures
the identities of both parties, creating an encrypted connection for further exchanges.
● Phase 2: Sets up unidirectional SAs for data transfer, based on the shared secret
created in Phase 1. Using symmetric cryptography, Phase 2 efficiently creates
separate SAs for both directions of communication without requiring further
public-key computations.

Key Roles of IKE:

● SA Negotiation: IKE dynamically selects cryptographic algorithms and parameters,

allowing secure, adaptable configuration.
● Key Exchange: IKE securely exchanges the necessary cryptographic keys, ensuring
both sides have synchronized keys for encryption, integrity, and authentication.
● Secure Channel Maintenance: IKE supports rekeying, maintaining security over
extended connections.
By managing key exchanges and SA setup, IKE eliminates the need for manual
configuration, providing scalability for large, secure networks. IKE is essential for IPsec’s
effectiveness in secure communication by ensuring that keys are shared securely and that
SAs are set up according to agreed security policies​

4. Explain the IPsec Datagram format and how it supports both Transport and Tunnel
modes.

Ans: IPsec datagrams vary depending on the mode of operation. IPsec supports two modes,
Transport and Tunnel, each suited to different network configurations.

● Transport Mode Datagram: In Transport Mode, only the IP payload is protected. The
ESP header and trailer are added to the payload, with optional encryption applied to
the data itself, leaving the original IP header visible for routing purposes. This mode
is often used for host-to-host communication, where end devices have IPsec
capabilities.
● Tunnel Mode Datagram: In Tunnel Mode, the entire IP packet (header and payload)
is encapsulated within a new IP header, allowing the original IP packet to remain
confidential. Tunnel Mode is commonly used in VPNs and secure
gateway-to-gateway connections. In Tunnel Mode:
○ An outer IP header is added for routing across the internet.
○ The original IP packet is encrypted and encapsulated, preventing exposure of
routing and addressing details.

Datagram Structure in ESP:

● ESP Header: Placed before the IP payload, it includes the SPI and sequence
numbers, allowing IPsec to identify the SA and prevent replay attacks.
● Payload: The IP packet or data being transmitted, encrypted in ESP.
● ESP Trailer and Authentication: Used for padding and integrity checks, ensuring data
remains unaltered.

This flexibility in encapsulation and encryption makes IPsec suitable for a wide range of
network topologies, allowing secure communication across various configurations​

5. How does IPsec provide protection against various attacks such as eavesdropping,
tampering, replay attacks?

Ans: Psec’s robust protocol suite provides comprehensive protection against common
network attacks, ensuring secure communication across potentially insecure networks.

● Confidentiality: IPsec prevents eavesdropping by encrypting the IP payload (in

Transport Mode) or the entire packet (in Tunnel Mode) using ESP. Encryption
ensures that only authorised parties can read the data, protecting sensitive
information from unauthorised access.
● Data Integrity: By applying a cryptographic hash function (e.g., HMAC with SHA-1),
IPsec ensures that data remains unaltered during transmission. Data integrity checks
 identify any tampering attempts, as the hash value changes if data is modified,
allowing the receiver to discard corrupted packets.
● Source Authentication: IPsec authenticates the packet origin using AH or ESP with
cryptographic authentication, verifying that the sender is legitimate. This
authentication helps detect and prevent spoofing attacks, where an attacker pretends
to be a trusted source.
● Replay Attack Prevention: IPsec uses sequence numbers within each SA to identify
duplicate packets. If a packet arrives with a sequence number previously received,
IPsec discards it, blocking replay attacks where an attacker retransmits intercepted
packets.

By combining these mechanisms, IPsec creates a secure environment that addresses major
security concerns, making it an effective solution against eavesdropping, tampering,
unauthorised access, and replay attacks