It is A. AES-GCM can do encryption like all other AES modes and has an authentication tag; the rest of the options can be used for encryption or authentication, but not both.
In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.[1] The operation is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality.
https://en.wikipedia.org/wiki/Galois/Counter_Mode
It's A because of the GCM; this mode of block ciphers provides confidentiality and integrity.
AES-256 refers to the CBC mode because it's the default mode in Cisco.
https://en.wikipedia.org/wiki/Galois/Counter_Mode
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
A. AES-GCM (Advanced Encryption Standard-Galois/Counter Mode) is the correct answer because it provides both encryption and authentication for data plane communication. It uses the Advanced Encryption Standard (AES) algorithm for encryption and the Galois/Counter Mode (GCM) for authentication. GCM is a block cipher mode of operation that provides both confidentiality and integrity for data. It uses a unique initialization vector (IV) for each message and also a unique authentication tag for each message. GCM is considered to be a very secure algorithm that is resistant to tampering and replay attacks.
AES-256 provides encryption for the data, but it does not provide authentication for the data. Authentication is a process of proving the integrity and origin of the data. It ensures that the data has not been tampered with and that it came from a trusted source. To provide both encryption and authentication for data, AES-256 can be combined with a separate authentication algorithm such as GCM (Galois/Counter Mode) or HMAC (Hash-based Message Authentication Code).
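To make the "encryption plus authentication" point concrete, here is an added example (not code from any comment above, and not Cisco's implementation) using Go's standard-library AES-256-GCM. It seals a message, then shows that flipping a single ciphertext bit, or changing the associated data the tag covers, makes decryption fail instead of silently returning garbage. The key and the "seq=7" associated data are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key (32 = AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM encrypts plaintext and authenticates it together with aad.
// Output layout: random 12-byte nonce || ciphertext || 16-byte tag.
// A fresh nonce per message is required; reuse under one key breaks GCM.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM verifies the tag over ciphertext and aad, then decrypts.
// Any modification of nonce, ciphertext, tag or aad yields an error.
func openAESGCM(key, msg, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// tamperDetected flips one bit in the last ciphertext byte (just before the
// tag) and reports whether the receiver rejects the modified message.
func tamperDetected(key, msg, aad []byte) bool {
	bad := append([]byte(nil), msg...)
	bad[len(bad)-17] ^= 0x01
	_, err := openAESGCM(key, bad, aad)
	return err != nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed sample key, never do this in production
	msg, _ := sealAESGCM(key, []byte("data plane packet"), []byte("seq=7"))
	fmt.Println("tamper detected:", tamperDetected(key, msg, []byte("seq=7")))
}
```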
In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetric-key algorithm that uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key for its data path (specifically, one key per TLOC) and transmits this key to the vSmart controller in OMP route packets, which are similar to IP route updates. These packets contain information that the vSmart controller uses to determine the network topology, including the router's TLOC (a tuple of the system IP address and traffic color) and AES key. The vSmart controller then places these OMP route packets into reachability advertisements that it sends to the other routers in the network. In this way, the AES keys for all the routers are distributed across the network. Even though the key exchange is symmetric, the routers use it in an asymmetric fashion. The result is a simple and scalable key exchange process that uses the Cisco vSmart Controller.
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge/security-book/security-overview.html#id_112385
Could someone tell me if I'm wrong? I see AES-256
https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.1/05Security/01Security_Overview/Data_Plane_Security_Overview#:~:text=duplicates%20encrypted%20packets.-,Data%20Plane%20Authentication%20and%20Encryption,each%20other%20over%20this%20connection.