Which of the following protocols can IPSec use to provide the integrity component of the CIA triad? (Select 2 choices.)
A. GRE
B. AH
C. AES
D. ESP
E. DES
Explanation:
IP Security (IPSec) can use either Authentication Header (AH) or Encapsulating Security Payload (ESP) to
provide the integrity component of the confidentiality, integrity, and availability (CIA) triad. The integrity
component of the CIA triad ensures that data is not modified in transit by unauthorized parties. AH and ESP are
integral parts of the IPSec protocol suite and can be used to ensure the integrity of a packet. Data integrity is
provided by using checksums on each end of the connection. If the data generates the same checksum value
on each end of the connection, the data was not modified in transit. In addition, AH and ESP can authenticate
the origin of transmitted data. Data authentication is provided through various methods, including user name/password
combinations, preshared keys (PSKs), digital certificates, and one-time passwords (OTPs). Although
AH and ESP perform similar functions, ESP provides additional security by encrypting the contents of the
packet. AH does not encrypt the contents of the packet.
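The integrity check described above, as an added example that is not part of the original page: a simplified ESP-like packet carrying a keyed integrity check value (ICV), with an unkeyed checksum shown for contrast. The packet layout, key, payloads and function names are assumptions made for illustration; HMAC-SHA-256 truncated to 128 bits is one of the integrity algorithms defined for AH and ESP (RFC 4868).

```python
import hashlib
import hmac
import struct
import zlib

ICV_LEN = 16  # HMAC-SHA-256-128 keeps the first 16 bytes of the 32-byte HMAC

def protect(key, spi, seq, payload):
    """Sender: append a keyed ICV computed over SPI | sequence number | payload."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

def verify(key, packet):
    """Receiver: recompute the ICV; return the payload, or None if it does not match."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return None
    return body[8:]

def crc_protect(payload):
    """Contrast case: an unkeyed checksum that any party can recompute."""
    return payload + struct.pack("!I", zlib.crc32(payload))

def crc_verify(packet):
    payload, crc = packet[:-4], packet[-4:]
    return payload if struct.pack("!I", zlib.crc32(payload)) == crc else None

def demo():
    key = b"constructed-demo-key-32-bytes..."  # constructed sample key
    original = b"transfer 100 to alice"        # constructed sample payloads
    modified = b"transfer 900 to alice"
    pkt = protect(key, 0x1001, 1, original)
    intact = verify(key, pkt)
    # Payload changed in transit by a party without the key: the ICV no longer matches.
    changed = verify(key, pkt[:8] + modified + pkt[-ICV_LEN:])
    # With an unkeyed checksum the same change passes once the checksum is recomputed.
    unkeyed = crc_verify(crc_protect(modified))
    return intact, changed, unkeyed

if __name__ == "__main__":
    print(demo())
```

The keyed ICV is what makes the check an integrity control: a matching value shows that the packet was produced by a holder of the shared key and was not changed afterwards.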
In addition to data authentication and data integrity, IPSec can provide confidentiality, which is another
component of the CIA triad. IPSec uses encryption protocols, such as Advanced Encryption Standard (AES) or
Data Encryption Standard (DES), to provide data confidentiality. Because the data is encrypted, an attacker
cannot read the data if he or she intercepts the data before it reaches the destination. IPSec does not use
either AES or DES for data authentication or data integrity.
Generic Routing Encapsulation (GRE) is a protocol designed to tunnel any Layer 3 protocol through an IP
transport network. Because the focus of GRE is to transport many different protocols, it has very limited security
features. By contrast, IPSec has strong data confidentiality and data integrity features, but it can transport only
IP traffic. GRE over IPSec combines the best features of both protocols to securely transport any protocol over
an IP network. However, GRE itself does not provide data integrity or data authentication.
CCNA Security 210260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works
Integrity or confidentiality?