Review Questions
20.1 Give examples of applications of IPsec.
20.2 What services are provided by IPsec?
20.3 What parameters identify an SA and what parameters characterize the nature of a particular SA?
20.4 What is the difference between transport mode and tunnel mode?
20.5 What is a replay attack?
20.6 Why does ESP include a padding field?
20.7 What are the basic approaches to bundling SAs?
20.8 What are the roles of the Oakley key determination protocol and ISAKMP in IPsec?
Problems
20.1 Describe and explain each of the entries in Table 20.2.
20.2 Draw a figure similar to Figure 20.8 for AH.
20.3 List the major security services provided by AH and ESP, respectively.
20.4 In discussing AH processing, it was mentioned that not all of the fields in an IP header are included in the MAC calculation.
a. For each of the fields in the IPv4 header, indicate whether the field is immutable,
mutable but predictable, or mutable (zeroed prior to ICV calculation).
b. Do the same for the IPv6 header.
c. Do the same for the IPv6 extension headers.
In each case, justify your decision for each field.
20.5 Suppose that the current replay window spans from 120 to 530.
a. If the next incoming authenticated packet has sequence number 105, what will the receiver do with the packet, and what will be the parameters of the window after that?
b. If instead the next incoming authenticated packet has sequence number 440, what will the receiver do with the packet, and what will be the parameters of the window after that?
c. If instead the next incoming authenticated packet has sequence number 540, what will the receiver do with the packet, and what will be the parameters of the window after that?
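The receiver-side check that Problem 20.5 asks about is the anti-replay sliding window of RFC 4303 (section 3.4.3). The following is an added example, not code from the textbook: it implements that window with a plain set instead of the bitmap real implementations use, and it assumes the window bounds in the problem are inclusive, so a span of 120 to 530 corresponds to a window size of 411 with 530 as the highest sequence number received so far. The three sub-questions are each applied to a fresh copy of that starting state, and the packet is assumed to have already passed ICV verification (the `mac_ok` flag), since a packet that fails integrity must never change the window.

```python
"""Anti-replay sliding window as described in RFC 4303, section 3.4.3.

Example code added here; it is not part of the textbook. The window size
411 and the starting high edge 530 are constructed assumptions chosen so
that the initial window spans sequence numbers 120..530 as in Problem 20.5.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one SA.

    The window covers sequence numbers [highest - size + 1, highest].
    'seen' records which numbers inside that range have already been
    accepted, so a duplicate is rejected even though it lies in the window.
    """

    def __init__(self, size, highest, seen=()):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.highest = highest
        # Keep only pre-seen numbers that actually fall inside the window.
        self.seen = {s for s in seen if self.low <= s <= highest}

    @property
    def low(self):
        """Left edge of the window (inclusive)."""
        return self.highest - self.size + 1

    def bounds(self):
        """Return the (low, high) edges of the current window."""
        return (self.low, self.highest)

    def process(self, seq, mac_ok=True):
        """Return 'accepted' or 'rejected' for sequence number seq.

        The ICV must be verified before any state is changed; a packet that
        fails integrity is dropped without touching the window.
        """
        if not mac_ok:
            return "rejected"
        if seq < self.low:
            # Left of the window: too old, discard and log an auditable event.
            return "rejected"
        if seq <= self.highest:
            # Inside the window: accept the first copy, reject any replay.
            if seq in self.seen:
                return "rejected"
            self.seen.add(seq)
            return "accepted"
        # Right of the window: accept and slide the window so seq is the
        # new high edge; numbers that fell off the left edge are forgotten.
        self.highest = seq
        self.seen = {s for s in self.seen if s >= self.low}
        self.seen.add(seq)
        return "accepted"


def run_problem_20_5():
    """Apply each sub-question of Problem 20.5 to the same starting window.

    Returns a dict mapping 'a', 'b', 'c' to (verdict, window bounds after).
    """
    results = {}
    for label, seq in (("a", 105), ("b", 440), ("c", 540)):
        win = AntiReplayWindow(size=411, highest=530)  # spans 120..530
        verdict = win.process(seq)
        results[label] = (verdict, win.bounds())
    return results


if __name__ == "__main__":
    for label, (verdict, bounds) in run_problem_20_5().items():
        print(f"{label}: packet {verdict}, window now spans {bounds[0]}..{bounds[1]}")
```

Running it shows the three cases the problem distinguishes: a number left of the window is discarded and the window is unchanged, a number inside the window is accepted once and the window is unchanged, and a number right of the window is accepted and the window slides so that it becomes the new high edge. The duplicate check in the middle case is what actually defeats a replayed packet; the window edges alone only bound how much state the receiver must keep.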
20.6 When tunnel mode is used, a new outer IP header is constructed. For both IPv4 and IPv6, indicate the relationship of each outer IP header field and each extension header in the outer packet to the corresponding field or extension header of the inner IP packet. That is, indicate which outer values are derived from inner values and which are constructed independently of the inner values.
20.7 End-to-end authentication and encryption are desired between two hosts. Draw figures similar to Figure 20.8 that show each of the following.
a. Transport adjacency with encryption applied before authentication.
b. A transport SA bundled inside a tunnel SA with encryption applied before authentication.
c. A transport SA bundled inside a tunnel SA with authentication applied before encryption.
20.8 The IPsec architecture document states that when two transport mode SAs are bundled to allow both AH and ESP protocols on the same end-to-end flow, only one ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption?
20.9 For the IKE key exchange, indicate which parameters in each message go in which ISAKMP payload types.
20.10 Where does IPsec reside in a protocol stack?