IKEv2 provides greater network attack resiliency against a DoS attack than IKEv1 by
utilizing which two functionalities? (Choose two)
A.
An IKEv2 responder does not initiate a DH exchange until the initiator responds
with a cookie.
B.
IKEv2 interoperates with IKEv1 to increase security in IKEv1.
C.
IKEv2 only allows certificates for peer authentication.
D.
With cookie challenge, IKEv2 does not track the state of the initiator until the
initiator responds with a cookie.
E.
IKEv2 only allows symmetric keys for peer authentication.
F.
IKEv2 performs TCP intercept on all secure connections.
Explanation:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html
IKEv2 provides better network attack resilience. IKEv2 can mitigate a DoS attack on the
network because it validates the IPsec initiator before committing resources. To make the DoS
vulnerability harder to exploit, the responder can ask the initiator for a cookie; the initiator
must return it to assure the responder that this is a normal connection. In IKEv2, responder
cookies mitigate the DoS attack because the responder neither keeps state for the IKE initiator
nor performs a D-H operation unless the initiator returns the cookie the responder sent.
The responder uses minimal CPU and commits no state to a Security Association (SA)
until it can completely validate the initiator.
https://tools.ietf.org/html/rfc4306
To accomplish this, a responder SHOULD -- when it detects a large number of half-open
IKE_SAs -- reject initial IKE messages unless they contain a Notify payload of type COOKIE.
It SHOULD instead send an unprotected IKE message as a response and include a COOKIE Notify
payload with the cookie data to be returned. Initiators who receive such responses MUST
retry the IKE_SA_INIT with a Notify payload of type COOKIE containing the responder-supplied
cookie data as the first payload and all other payloads unchanged. The initial exchange will
then be as follows:

    Initiator                                   Responder
    -----------                                 -----------
    HDR(A,0), SAi1, KEi, Ni  -->

                                        <--  HDR(A,0), N(COOKIE)

    HDR(A,0), N(COOKIE), SAi1, KEi, Ni  -->

                                        <--  HDR(A,B), SAr1, KEr, Nr, [CERTREQ]

    HDR(A,B), SK {IDi, [CERT,] [CERTREQ,] [IDr,]
                  AUTH, SAi2, TSi, TSr}  -->

                                        <--  HDR(A,B), SK {IDr, [CERT,] AUTH,
                                                           SAr2, TSi, TSr}