Internet Protocol Security (IPsec) as a part of the Internet Protocol version 4 (IPv4) suite that complements the Internet Protocol (IP). Which of the following can not be achieved by IPsec? (Source: Wentz QOTD)
A. Confidentiality
B. Detection and rejection of replays
C. Access control
D. Non-repudiation
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Non-repudiation.
Please refer to IPsec and Non-repudiation for in-depth analysis.
Data integrity and data origin authentication are not equal to non-repudiation. Data integrity means the recipient believes that the received data is not modified. Data origin authentication means the recipient believes the identity of the sender who delivered the data is genuine.
Non-repudiation
- Non-repudiation is the “protection against an individual falsely denying having performed a particular action.” (NIST SP 800-53 R4) In a context of communication, the individual refers to either the sender or the recipient.
- Non-repudiation also refers to the “assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.” (NIST SP 800-60 Vol. 1 R1)
IPsec Security Services
According to RFC 4301, the set of security services offered by IPsec includes:
- Access control
- Connectionless integrity
- Data origin authentication
- Detection and rejection of replays (a form of partial sequence integrity)
- Confidentiality (via encryption)
- Limited traffic flow confidentiality.
Access Control and Firewall
“IPsec includes a specification for minimal firewall functionality, since that is an essential aspect of access control at the IP layer.” (RFC 4301) The support of Windows Firewall for IPsec implementation is a good example as the following diagram shows:
IPsec Processing Model
Most of the IPsec security services are provided through the use of:
- Traffic security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP)
- Cryptographic key management procedures and protocols: IKE (or IKEv2)
Reference
- IPsec
- IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap
- 7.5.2 Security Associations
- 7.5.3 Security Policy Database Structure
- Secure Windows Traffic with IPsec
- Configure IPSec Policy through GPO
- Security and Access Configuration
- IPSec Overview Part Four: Internet Key Exchange (IKE)
- The Internet Key Exchange (IKE)
- Algorithms for Internet Key Exchange version 1 (IKEv1)
- Internet Key Exchange (IKEv2) Protocol
- Internet Security Association and Key Management Protocol (ISAKMP)
- IPSEC & IKE
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
Does IPsec with PKI authentication not provide non-repudiation? If the sender has authenticated with their private key, how can they deny sending the packets?
1. Authenticity is different from non-repudiation
2. Applying PKI or asmmetric encryption doesn’t mean non-repudiation. It can be applied for authentication or encryption.
3. Non-repudiation is effective only at the application or message level. It doesn’t work for packets.
4. RFC 4359 is talking about applying digital signature in mutlicasting scenario. It officially claims not fulfilling non-repudiation.
Thanks for your comment, GS.
The question is about IPSEC in general whatever the protocol.
So using ESP you have confidentiality and using AH you have non-repudiation.
Am I wrong ?