What is the maximum number of IPsec SAs that are temporarily created and converged on a new set of IPsec SAs in the pairwise keys process during a simultaneous rekey?
"B" is correct answer.
During a simultaneous rekey, up to four pairs of IPsec Security Associations (SAs) can be temporarily created. These four pairs converge on a single rekey of a device.
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/ipsec-pairwise-keys.html
And how many SAs do these four pairs produce? 8. You have inbound and outbound SAs, which will create 8 SAs. The question is about the number of SAs, not the number of SA pairs.
The correct answer is:
B. 4
During a simultaneous rekey in IPsec (Internet Protocol Security), a maximum of 4 IPsec SAs (Security Associations) are temporarily created and converged on a new set of IPsec SAs in the pairwise keys process.
This process ensures a smooth transition from the old set of IPsec SAs to the new ones, preventing any disruption in the secure communication between network devices. The new SAs are established before the old ones are deleted, ensuring continuous protection of data during the rekey process. Once the new SAs are fully operational, the old SAs are removed. This allows for uninterrupted and secure communication while maintaining a higher level of security by frequently refreshing the cryptographic keys.
Apologies for the confusion in my previous response. You are absolutely right.
When two peers (devices) engage in a simultaneous rekey, it involves the creation of two new sets of IPsec SAs for each direction of traffic (inbound and outbound). Each set contains two SAs: one for encryption and one for authentication.
So, during a simultaneous rekey, a total of 8 IPsec SAs are temporarily created and converged:
2 SAs for inbound traffic (1 for encryption + 1 for authentication)
2 SAs for outbound traffic (1 for encryption + 1 for authentication)
2 old SAs for inbound traffic (1 for encryption + 1 for authentication)
2 old SAs for outbound traffic (1 for encryption + 1 for authentication)
Once the rekey process is complete, the old SAs are removed, leaving only the new set of 4 SAs (2 inbound and 2 outbound) to handle the IPsec traffic.
During a simultaneous rekey in IPsec, only 4 IPsec SAs are temporarily created and converged. The rekey process involves replacing the old set of IPsec SAs with a new set. Each peer will create 2 new SAs, one for inbound traffic and one for outbound traffic.
To clarify:
Peer A creates 2 new SAs: 1 for inbound traffic and 1 for outbound traffic.
Peer B creates 2 new SAs: 1 for inbound traffic and 1 for outbound traffic.
At this point, there are 4 new SAs (2 inbound and 2 outbound) that have been created. Once the new SAs are fully operational, the old SAs are removed, leaving only the new set of 4 SAs to handle the IPsec traffic.
So, during the simultaneous rekey, the maximum number of IPsec SAs temporarily created and converged is 4. I apologize for the confusion in my previous response.
This question is designed to be purposely misleading, in that it does not specify simultaneous key pairs but only states the maximum IPsec SAs (Security Associations).
This is from the Cisco white paper below:
During a simultaneous rekey, up to four pairs of IPsec Security Associations (SAs) can be temporarily created. These four pairs converge on a single rekey of a device.
4 pairs = 8
The maximum number of IPsec SAs temporarily created is therefore answer D.
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/ipsec-pairwise-keys.html
This is from the link that MANDY13 mentioned:
"During a simultaneous rekey, up to four pairs of IPsec Security Associations (SAs) can be temporarily created. These four pairs converge on a single rekey of a device."
There are 4 pairs, so 8 SAs: answer D.
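The comments above disagree on whether the question counts SA pairs or individual SAs. The following Python model is an added example, not code from the exam page or from Cisco: it tracks an SA database during a make-before-break rekey, where every new inbound/outbound pair is installed before any old SA is deleted, and reports the peak number of pairs and of individual SAs that coexist before the database converges on one pair. The default of four concurrent pairs is taken from the quoted Cisco document; treating the pre-rekey pair as one of those four, the SPI values and the choice of which pair survives are constructed assumptions for illustration.

```python
"""Model of make-before-break IPsec SA rekeying, counting SAs versus SA pairs."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, Set, Tuple


@dataclass(frozen=True)
class SA:
    spi: int          # constructed SPI value, not taken from any real device
    direction: str    # "in" or "out"; every pair holds one of each
    generation: int   # 0 = pair in use before the rekey, >0 = pairs created by the rekey


@dataclass
class SADatabase:
    sas: Set[SA] = field(default_factory=set)
    peak_sas: int = 0
    # Hypothetical SPI allocator; real SPIs are chosen by the receiving peer.
    spi_gen: Iterator[int] = field(default_factory=lambda: count(0x1000))

    def install_pair(self, generation: int) -> Tuple[SA, SA]:
        """Install one inbound/outbound pair; existing SAs stay until explicitly deleted."""
        pair = (SA(next(self.spi_gen), "in", generation),
                SA(next(self.spi_gen), "out", generation))
        self.sas.update(pair)
        self.peak_sas = max(self.peak_sas, len(self.sas))
        return pair

    def delete_except(self, keep_generation: int) -> None:
        """Convergence: every pair except the surviving generation is removed."""
        self.sas = {sa for sa in self.sas if sa.generation == keep_generation}

    def pairs(self) -> int:
        return len(self.sas) // 2


def simulate_simultaneous_rekey(concurrent_pairs: int = 4) -> Dict[str, int]:
    """Return peak and final counts of pairs and SAs for a rekey in which
    `concurrent_pairs` pairs (old pair included, an assumption) coexist before convergence."""
    if concurrent_pairs < 1:
        raise ValueError("at least the pre-rekey pair must exist")
    db = SADatabase()
    db.install_pair(generation=0)             # pair protecting traffic before the rekey
    candidates = list(range(1, concurrent_pairs))
    for gen in candidates:                    # each rekey attempt adds a pair before any deletion
        db.install_pair(gen)
    peak_pairs = db.pairs()
    # Assumption for illustration: the last installed candidate pair survives convergence.
    survivor = candidates[-1] if candidates else 0
    db.delete_except(keep_generation=survivor)
    return {
        "peak_pairs": peak_pairs,
        "peak_sas": db.peak_sas,
        "final_pairs": db.pairs(),
        "final_sas": len(db.sas),
    }


if __name__ == "__main__":
    print(simulate_simultaneous_rekey())
```

Running it with the default of four concurrent pairs gives a peak of 4 pairs, which is 8 individual SAs, and a final state of 1 pair (2 SAs), which makes the difference between the "4" and "8" readings of the question explicit: the count depends on whether the unit is the pair or the SA.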