Within the Encrypted Security Payload extension header, which of the following uses 32-bit word
variables from a random number generator to ensure that hackers cannot predict the first
message words?
A. Security parameters index
B. Payload type
C. Sequence number
D. Initialization vector
Explanation:
First, information about the IV:
Payload Data is a variable-length field containing data described by the Next Header field. The
Payload Data field is mandatory and is an integral number of bytes in length. If the algorithm used
to encrypt the payload requires cryptographic synchronization data, e.g., an Initialization Vector
(IV), then this data MAY be carried explicitly in the Payload field. Any encryption algorithm that
requires such explicit, per-packet synchronization data MUST indicate the length, any structure for
such data, and the location of this data as part of an RFC specifying how the algorithm is used
with ESP. If such synchronization data is implicit, the algorithm for deriving the data MUST be part
of the RFC. (Reference RFC 2406)
The random number generator is used in the IV to provide the cryptographic synchronization data.
Incorrect Answers:
A: The SPI is an arbitrary 32-bit value that, in combination with the destination IP address and
security protocol (ESP), uniquely identifies the Security Association for this datagram. The set of
SPI values in the range 1 through 255 are reserved by the Internet Assigned Numbers Authority
(IANA) for future use; a reserved SPI value will not normally be assigned by IANA unless the use
of the assigned SPI value is specified in an RFC. It is ordinarily selected by the destination system
upon establishment of an SA (see the Security Architecture document for more details). The SPI
field is mandatory. The SPI value of zero (0) is reserved for local, implementation-specific use and
MUST NOT be sent on the wire. For example, a key management implementation MAY use the
zero SPI value to mean “No Security Association Exists” during the period when the IPsec
implementation has requested that its key management entity establish a new SA, but the SA has not yet been established.
B: The payload type is specified in the Next Header Field. The Next Header is an 8-bit field that
identifies the type of data contained in the Payload Data field, e.g., an extension header in IPv6 or
an upper layer protocol identifier. The value of this field is chosen from the set of IP Protocol
Numbers defined in the most recent “Assigned Numbers” [STD-2] RFC from the Internet Assigned
Numbers Authority (IANA). The Next Header field is mandatory. (Reference RFC 2406)
C: The sender’s counter is initialized to 0 when an SA is established. The sender increments the
Sequence Number for this SA and inserts the new value into the Sequence Number field. Thus the
first packet sent using a given SA will have a Sequence Number of 1. If anti-replay is enabled (the
default), the sender checks to ensure that the counter has not cycled before inserting the new
value in the Sequence Number field. In other words, the sender MUST NOT send a packet on an
SA if doing so would cause the Sequence Number to cycle. An attempt to transmit a packet that
would result in Sequence Number overflow is an auditable event. (Note that this approach to
Sequence Number management does not require use of modular arithmetic.) (Reference RFC 2406)
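The four fields discussed above (SPI, Sequence Number, IV, Payload Data) in working code, as an added example that is not part of the original question or of RFC 2406: a minimal sender that starts its counter at 0, refuses to let it cycle, draws the IV from the OS CSPRNG, and a parser that applies the reserved-SPI rules. The 8-byte IV length and the SPI value 0x1000 are assumptions for illustration.

```python
import os
import struct

# Sizes from RFC 2406: SPI and Sequence Number are 32-bit fields; the IV length
# is algorithm-specific (8 bytes assumed here, as for a 64-bit block cipher).
SPI_LEN = 4
SEQ_LEN = 4
IV_LEN = 8
MAX_SEQ = 0xFFFFFFFF


def check_spi(spi):
    """Apply RFC 2406's rules for SPI values seen on the wire."""
    if spi == 0:
        raise ValueError("SPI 0 is local-only and MUST NOT appear on the wire")
    if 1 <= spi <= 255:
        raise ValueError("SPI %d is in the IANA-reserved range 1..255" % spi)
    return spi


class EspSender:
    """Per-SA sender state: counter starts at 0, first packet carries 1,
    and the counter must never cycle (anti-replay enabled)."""

    def __init__(self, spi):
        self.spi = check_spi(spi)
        self.seq = 0

    def next_sequence(self):
        if self.seq == MAX_SEQ:
            # Auditable event: the SA must be replaced, not wrapped around.
            raise OverflowError("Sequence Number would cycle; rekey the SA")
        self.seq += 1
        return self.seq

    def build_header(self, payload_data):
        """SPI || Sequence Number || IV || payload. The IV comes from the OS
        CSPRNG so the first words of the message are not predictable."""
        iv = os.urandom(IV_LEN)
        return struct.pack("!II", self.spi, self.next_sequence()) + iv + payload_data


def parse_esp_header(packet):
    """Split the fixed header fields out of a raw ESP packet (constructed input)."""
    if len(packet) < SPI_LEN + SEQ_LEN + IV_LEN:
        raise ValueError("packet too short for SPI, Sequence Number and IV")
    spi, seq = struct.unpack("!II", packet[:8])
    iv = packet[8:8 + IV_LEN]
    return {"spi": check_spi(spi), "seq": seq, "iv": iv, "payload": packet[8 + IV_LEN:]}
```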