Effective CISSP Questions

Internet Protocol Security (IPsec) is a part of the Internet Protocol version 4 (IPv4) suite that complements the Internet Protocol (IP). Which of the following cannot be achieved by IPsec? (Source: Wentz QOTD)
A. Confidentiality
B. Detection and rejection of replays
C. Access control
D. Non-repudiation

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Non-repudiation.

Please refer to IPsec and Non-repudiation for in-depth analysis.

Data integrity and data origin authentication are not equal to non-repudiation. Data integrity means the recipient believes that the received data has not been modified. Data origin authentication means the recipient believes that the claimed identity of the sender who delivered the data is genuine.


  • Non-repudiation is the “protection against an individual falsely denying having performed a particular action.” (NIST SP 800-53 R4) In a context of communication, the individual refers to either the sender or the recipient.
  • Non-repudiation also refers to the “assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.” (NIST SP 800-60 Vol. 1 R1)

IPsec Security Services

According to RFC 4301, the set of security services offered by IPsec includes:

  1. Access control
  2. Connectionless integrity
  3. Data origin authentication
  4. Detection and rejection of replays (a form of partial sequence integrity)
  5. Confidentiality (via encryption)
  6. Limited traffic flow confidentiality

Access Control and Firewall

“IPsec includes a specification for minimal firewall functionality, since that is an essential aspect of access control at the IP layer.” (RFC 4301) Windows Firewall’s support for IPsec is a good example, as the following diagram shows:

[Figure: Windows Firewall and IPsec]

IPsec Processing Model

Most of the IPsec security services are provided through the use of:

  1. Traffic security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP)
  2. Cryptographic key management procedures and protocols: IKE (or IKEv2)

[Figure: Top Level IPsec Processing Model (V2)]
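As an added illustration (not part of the original post), the following Python simulation shows three of the services listed above: an HMAC-based integrity check value (ICV) of the kind AH and ESP carry, the RFC 4303-style anti-replay window, and why a shared-key ICV gives data origin authentication but not non-repudiation. It is not real IPsec; the key, packets and function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed demo, not real IPsec. One key is shared by BOTH peers of the SA,
# exactly as with the HMAC-based integrity algorithms AH and ESP use.
SA_KEY = b"constructed-shared-sa-key"

def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """ESP/AH-style Integrity Check Value over sequence number and payload."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

class ReplayWindow:
    """Simplified RFC 4303 anti-replay window (64 packets, 32-bit sequence numbers)."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.seen = size, 0, set()

    def is_replay(self, seq: int) -> bool:
        if seq == 0 or seq <= self.top - self.size:
            return True               # seq 0 is never valid; left of the window is rejected
        return seq in self.seen       # duplicate inside the window

    def mark(self, seq: int) -> None:
        if seq > self.top:            # slide the window forward
            self.top = seq
            self.seen = {s for s in self.seen if s > self.top - self.size}
        self.seen.add(seq)

def process_inbound(window, key, seq, payload, tag) -> str:
    """RFC 4303 order: preliminary replay check, ICV verification, then window update."""
    if window.is_replay(seq):
        return "rejected: replay"
    if not hmac.compare_digest(icv(key, seq, payload), tag):
        return "rejected: bad ICV"    # modified data or wrong key
    window.mark(seq)                  # only verified packets advance the window
    return "accepted"

def receiver_can_forge(key, seq, payload) -> bool:
    """Why this is not non-repudiation: the receiver holds the same key, so a tag it
    produces is indistinguishable from one the sender produced. A third party can
    therefore not tell which peer created the packet."""
    tag_made_by_receiver = icv(key, seq, payload)
    return process_inbound(ReplayWindow(), key, seq, payload, tag_made_by_receiver) == "accepted"

if __name__ == "__main__":
    w = ReplayWindow()
    tag = icv(SA_KEY, 1, b"hello")
    print(process_inbound(w, SA_KEY, 1, b"hello", tag))          # accepted
    print(process_inbound(w, SA_KEY, 1, b"hello", tag))          # rejected: replay
    print(process_inbound(w, SA_KEY, 2, b"hellO", tag))          # rejected: bad ICV
    print(receiver_can_forge(SA_KEY, 3, b"made by receiver"))    # True
```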



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.




2 thoughts on “CISSP PRACTICE QUESTIONS – 20200725”

  1. Does IPsec with PKI authentication not provide non-repudiation? If the sender has authenticated with their private key, how can they deny sending the packets?

    • 1. Authenticity is different from non-repudiation.
      2. Applying PKI or asymmetric encryption doesn’t mean non-repudiation. It can be applied for authentication or encryption.
      3. Non-repudiation is effective only at the application or message level. It doesn’t work for packets.
      4. RFC 4359 is talking about applying digital signatures in a multicasting scenario. It officially claims not to fulfill non-repudiation.
      Thanks for your comment, GS.
