Which of the following consists of an encapsulating header and trailer used to provide encryption or combined?


IPSec uses two distinct protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), which are defined by the IETF.

The AH protocol provides a mechanism for authentication only. AH provides data integrity, data origin authentication, and an optional replay protection service. Data integrity is ensured by using a message digest that is generated by an algorithm such as HMAC-MD5 or HMAC-SHA. Data origin authentication is ensured by using a shared secret key to create the message digest, so only a peer holding that key can produce a digest that verifies. Replay protection is provided by using the sequence number field in the AH header. AH authenticates IP headers and their payloads, with the exception of certain header fields that can be legitimately changed in transit, such as the Time To Live (TTL) field; those fields are treated as zero when the digest is computed.

The ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication. When ESP provides authentication functions, it uses the same algorithms as AH, but the coverage is different. AH-style authentication authenticates the entire IP packet, including the outer IP header, while ESP authentication covers only the part of the packet that follows the outer IP header (the ESP header, the encapsulated datagram and the ESP trailer); the outer IP header itself is not covered.
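The coverage difference between the two protocols, and the sequence-number replay check described for AH, are easiest to see on bytes. The following is an added example (not code from z/OS Communications Server or from IBM): it computes an AH-style integrity check value over the outer IPv4 header with the mutable fields zeroed, an ESP-style value over only the bytes after that header, and then shows what each verifier sees after a TTL decrement (legitimate) and after a rewrite of the outer source address (detected by AH, invisible to ESP). The packet fields, key and addresses are constructed for the demonstration; the truncated HMAC-SHA-256 stands in for the HMAC_SHA2_256_128 algorithm listed later on this page, and the 64-bit sliding window is the usual anti-replay shape, not a description of the z/OS implementation.

```python
import hashlib
import hmac
import struct

IP_HDR_LEN = 20
IPPROTO_ESP = 50
IPPROTO_AH = 51

# Constructed sample values; none of these come from the original page.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])
SHARED_KEY = b"constructed-shared-secret-for-the-SA"


def build_ipv4_header(src, dst, ttl, total_len, proto):
    """Minimal 20-byte IPv4 header (header checksum left at zero for brevity)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_header):
    """AH treats fields that legitimately change in transit as zero when computing
    the ICV: TOS/DSCP, flags + fragment offset, TTL and the header checksum."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(packet, key):
    """AH-style ICV: covers the outer IP header (mutable fields zeroed) and
    everything after it. The ICV itself is kept outside the covered bytes here."""
    covered = zero_mutable_fields(packet[:IP_HDR_LEN]) + packet[IP_HDR_LEN:]
    return hmac.new(key, covered, hashlib.sha256).digest()[:16]   # 128-bit truncation


def esp_icv(packet, key):
    """ESP-style ICV: covers only the ESP header, payload and trailer that follow
    the outer IP header; the outer header is not protected."""
    return hmac.new(key, packet[IP_HDR_LEN:], hashlib.sha256).digest()[:16]


def decrement_ttl(ip_header):
    """What every router hop does to the outer header."""
    h = bytearray(ip_header)
    h[8] -= 1
    return bytes(h)


def rewrite_source_address(ip_header):
    """What a NAT device does to the outer header."""
    h = bytearray(ip_header)
    h[12:16] = bytes([192, 0, 2, 99])   # constructed TEST-NET-2 address
    return bytes(h)


def survives_transit(icv_fn, modify_header, key=SHARED_KEY):
    """Compute the sender's ICV, apply an in-transit change to the outer IP header,
    and report whether the receiver's recomputed ICV still matches."""
    inner = struct.pack("!II", 0x1234, 1) + b"constructed inner datagram"  # SPI, seq, payload
    proto = IPPROTO_AH if icv_fn is ah_icv else IPPROTO_ESP
    packet = build_ipv4_header(SRC_IP, DST_IP, 64, IP_HDR_LEN + len(inner) + 16, proto) + inner
    sent_icv = icv_fn(packet, key)
    received = modify_header(packet[:IP_HDR_LEN]) + packet[IP_HDR_LEN:]
    return hmac.compare_digest(sent_icv, icv_fn(received, key))


class ReplayWindow:
    """Sliding-window anti-replay check driven by the sequence number field.
    Bit 0 of the bitmap corresponds to the highest sequence number seen so far."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq):
        if seq == 0:                        # sequence numbers start at 1
            return False
        if seq > self.highest:              # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:             # too old to be tracked: reject
            return False
        if (self.bitmap >> offset) & 1:     # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


if __name__ == "__main__":
    print("AH after TTL decrement  :", survives_transit(ah_icv, decrement_ttl))           # True
    print("AH after source rewrite :", survives_transit(ah_icv, rewrite_source_address))  # False
    print("ESP after source rewrite:", survives_transit(esp_icv, rewrite_source_address)) # True
    w = ReplayWindow()
    print("replay of seq 1 rejected:", w.accept(1) and not w.accept(1))                   # True
```

The TTL case passes for both protocols because AH zeroes that field before hashing; the address case is where the two differ, which is why a design that needs the outer header authenticated (for example, to detect address tampering on the path) chooses AH, while one that must traverse NAT chooses ESP.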

Either protocol can be used alone to protect an IP packet, or both protocols can be applied together to the same IP packet. The choice of IPSec protocol is determined by the security needs of your installation, and is configured by the administrator. It does not have to be applied system-wide, and can be configured differently for each set of connection endpoints. For a dynamic tunnel, the choice of IPSec protocol is configured using the IpDataOffer statement in an IP security policy configuration file. For a manual tunnel, the choice of IPSec protocol is configured using the IpManVpnAction statement in an IP security policy configuration file. For more details about the IpDataOffer statement and the IpManVpnAction statement, see z/OS Communications Server: IP Configuration Reference.

z/OS® IP security requires authentication due to potential security exposures when encryption is used alone. Authentication can be provided by the ESP or AH protocol. The complete list of combinations for authentication and encryption that are provided by z/OS IP security and that can be used for a specific connection are shown in Table 1.

Table 1. Possible authentication and encryption combinations for a connection

Combination 1: no encryption
  Encryption protocol: None
  Encryption algorithm: None
  Authentication protocol: ESP or AH
  Authentication algorithm: any of the following:
    • HMAC_MD5
    • HMAC_SHA1
    • AES128_XCBC_96
    • HMAC_SHA2_256_128
    • HMAC_SHA2_384_192
    • HMAC_SHA2_512_256
    • AES_GMAC_128
    • AES_GMAC_256

Combination 2: ESP encryption with a separate authentication algorithm
  Encryption protocol: ESP
  Encryption algorithm: any of the following:
    • DES
    • 3DES
    • AES_CBC KeyLength 128
    • AES_CBC KeyLength 256
  Authentication protocol: ESP or AH
  Authentication algorithm: any of the following:
    • HMAC_MD5
    • HMAC_SHA1
    • AES128_XCBC_96
    • HMAC_SHA2_256_128
    • HMAC_SHA2_384_192
    • HMAC_SHA2_512_256

Combination 3: ESP combined-mode encryption and authentication
  Encryption protocol: ESP
  Encryption algorithm: any of the following:
    • AES_GCM_16 KeyLength 128
    • AES_GCM_16 KeyLength 256
  Authentication protocol: ESP
  Authentication algorithm: NULL (AES_GCM provides built-in authentication)

Guideline: RFC 4835 discourages the use of DES. Use the AES encryption algorithms wherever possible for better security and interoperability.

Restriction: The combination of ESP protocol for encryption and AH protocol for authentication is not supported by IKEv2. If you are using IKEv2 and require both encryption and authentication, you should use ESP for both.
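Because the allowed combinations, the RFC 4835 guideline and the IKEv2 restriction are spread over a table and two notes, it helps to have them in one place before editing a policy file. The following added example (not IBM's code and not part of the z/OS Communications Server product) encodes the three rows of Table 1, the "authentication is required" rule, the DES guideline and the IKEv2 restriction as a single pre-check. The algorithm strings are spelled exactly as the page lists them; the function name, its `ike_version` parameter and the message wording are this example's own assumptions.

```python
# Rows of Table 1, using the page's own algorithm spellings.
ESP_ENCRYPTION_ALGS = {"DES", "3DES", "AES_CBC KeyLength 128", "AES_CBC KeyLength 256"}
ESP_COMBINED_MODE_ALGS = {"AES_GCM_16 KeyLength 128", "AES_GCM_16 KeyLength 256"}
AUTH_ALGS = {"HMAC_MD5", "HMAC_SHA1", "AES128_XCBC_96",
             "HMAC_SHA2_256_128", "HMAC_SHA2_384_192", "HMAC_SHA2_512_256"}
GMAC_AUTH_ALGS = {"AES_GMAC_128", "AES_GMAC_256"}   # listed only for the no-encryption row
DISCOURAGED = {"DES"}                                # RFC 4835 guideline on the page


def check_combination(enc_proto, enc_alg, auth_proto, auth_alg, ike_version=2):
    """Return (errors, warnings) for a proposed per-connection AH/ESP combination.

    An empty errors list means the combination is one of the rows of Table 1 and
    is allowed for the given IKE version. Warnings are guideline violations that
    still work but should be avoided. (Helper assumed for this example.)
    """
    errors, warnings = [], []

    # z/OS IP security requires authentication; encryption alone is not accepted.
    if auth_proto not in ("ESP", "AH"):
        errors.append("authentication is required: choose ESP or AH for authentication")
        return errors, warnings

    if enc_proto == "None":
        # Row 1: no encryption, any listed authentication algorithm including AES_GMAC.
        if enc_alg not in (None, "None"):
            errors.append("encryption algorithm given without an encryption protocol")
        if auth_alg not in AUTH_ALGS | GMAC_AUTH_ALGS:
            errors.append(f"{auth_alg} is not a valid authentication algorithm without encryption")
    elif enc_proto == "ESP":
        if enc_alg in ESP_ENCRYPTION_ALGS:
            # Row 2: separate encryption and authentication algorithms (no AES_GMAC here).
            if auth_alg not in AUTH_ALGS:
                errors.append(f"{auth_alg} cannot authenticate ESP {enc_alg}; "
                              "use an HMAC or AES128_XCBC_96 algorithm")
            if enc_alg in DISCOURAGED:
                warnings.append(f"{enc_alg} is discouraged by RFC 4835; prefer AES_CBC or AES_GCM_16")
        elif enc_alg in ESP_COMBINED_MODE_ALGS:
            # Row 3: AES_GCM authenticates on its own, so ESP with NULL authentication.
            if auth_proto != "ESP" or auth_alg != "NULL":
                errors.append(f"{enc_alg} provides built-in authentication; "
                              "use ESP with authentication algorithm NULL")
        else:
            errors.append(f"{enc_alg} is not an ESP encryption algorithm in Table 1")
    else:
        # AH is authentication-only; it never appears as the encryption protocol.
        errors.append(f"{enc_proto} cannot provide encryption; only ESP does")

    # Restriction from the page: IKEv2 cannot negotiate ESP encryption with AH authentication.
    if ike_version == 2 and enc_proto == "ESP" and auth_proto == "AH":
        errors.append("IKEv2 does not support ESP for encryption with AH for authentication; "
                      "use ESP for both")

    return errors, warnings


if __name__ == "__main__":
    for combo in [("ESP", "AES_CBC KeyLength 128", "ESP", "HMAC_SHA2_256_128", 2),
                  ("ESP", "AES_CBC KeyLength 128", "AH", "HMAC_SHA1", 2),
                  ("ESP", "DES", "ESP", "HMAC_SHA1", 1),
                  ("ESP", "AES_GCM_16 KeyLength 256", "ESP", "NULL", 2)]:
        print(combo, "->", check_combination(*combo))
```

Run it against each proposal you intend to put in an IpDataOffer or IpManVpnAction statement; a non-empty errors list means the statement will not describe a combination the page lists for that IKE version.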