Cryptography and Network Security (4th Edition)

[Page 517]

16.8. Key Terms, Review Questions, and Problems

Key Terms

anti-replay service

authentication header (AH)

encapsulating security payload (ESP)

Internet Security Association and Key Management Protocol (ISAKMP)

IP Security (IPSec)

IPv4

IPv6

Oakley key determination protocol

replay attack

security association (SA)

transport mode

tunnel mode

Review Questions

16.1

Give examples of applications of IPSec.

16.2

What services are provided by IPSec?

16.3

What parameters identify an SA and what parameters characterize the nature of a particular SA?

16.4

What is the difference between transport mode and tunnel mode?

16.5

What is a replay attack?

16.6

Why does ESP include a padding field?

16.7

What are the basic approaches to bundling SAs?

16.8

What are the roles of the Oakley key determination protocol and ISAKMP in IPSec?

Problems

16.1

In discussing AH processing, it was mentioned that not all of the fields in an IP header are included in MAC calculation.

  1. For each of the fields in the IPv4 header, indicate whether the field is immutable, mutable but predictable, or mutable (zeroed prior to ICV calculation).

  2. Do the same for the IPv6 header.

  3. Do the same for the IPv6 extension headers.

    In each case, justify your decision for each field.

16.2

When tunnel mode is used, a new outer IP header is constructed. For both IPv4 and IPv6, indicate the relationship of each outer IP header field and each extension header in the outer packet to the corresponding field or extension header of the inner IP packet. That is, indicate which outer values are derived from inner values and which are constructed independently of the inner values.

16.3

End-to-end authentication and encryption are desired between two hosts. Draw figures similar to Figures 16.6 and 16.9 that show

  1. Transport adjacency, with encryption applied before authentication

  2. A transport SA bundled inside a tunnel SA, with encryption applied before authentication

  3. A transport SA bundled inside a tunnel SA, with authentication applied before encryption

16.4

The IPSec architecture document states that when two transport mode SA's are bundled to allow both AH and ESP protocols on the same end-to-end flow, only one ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption?


[Page 518]
16.5

  1. Which of the ISAKMP Exchange Types (Table 16.4) corresponds to the aggressive Oakley key exchange (Figure 16.11)?

  2. For the Oakley aggressive key exchange, indicate which parameters in each message go in which ISAKMP payload types.

Категории