
Network Security Tutorial Week 11

1.

What are the two essential features of a VPN? (i) A tunnel between the two networks or hosts participating in the tunnel. (ii) Security features so the tunnelled packets can be transferred between participating hosts with integrity, confidentiality, timeliness and other security features.

2.

What is a tunnel? Supplement your answer with a diagram; you may use the Novell IPX example from the lecture notes. Two LANs can be made to appear as one network by connecting them through a third network. The third network encapsulates packets from the two tunnelled networks as data. The tunnelling can be done by means of a bridge if the connecting network uses a completely different network protocol, e.g. TCP/IP being used to connect two Novell IPX networks or two AppleTalk networks. Alternatively, if all networks are using the same network protocol system, the tunnelling can be done by software.

The diagram below shows tunnelling between two IPX networks connected by a TCP/IP tunnel.

3.

What security services does IPSec offer? State if they are provided by AH, ESP, or both. Confidentiality, Integrity, Data Origin Authentication, Timeliness, Access Control, Traffic Flow Confidentiality. AH provides access control, connectionless integrity, data origin authentication, and rejection of replayed packets. ESP provides all of these plus confidentiality and limited traffic flow confidentiality.

4.

What OSI layer does IPSec work in? Network Layer (Layer 3)

5.

What two methods are available for setting up keys to be used in an IPSec VPN? (i) Manual setup in a configuration file. (ii) Key Exchange using the Oakley Key Exchange protocol

6.

In discussing AH processing, it was mentioned that not all the fields in an IP header are included in the MAC calculation. For each of the fields in the IPv4 header, indicate whether the field is immutable, mutable but predictable, or mutable.

Immutable: Version, Internet Header Length, Total Length, Identification, Protocol (this should be the value for AH), Source Address, Destination Address (without loose or strict source routing). None of these are changed by routers in transit.

Mutable but predictable: Destination Address (with loose or strict source routing). At each intermediate router designated in the source routing list, the Destination Address field is changed to indicate the next designated address. However, the source routing field contains the information needed for doing the MAC calculation.

Mutable: Type of Service (TOS), Flags, Fragment Offset, Time to Live (TTL), Header Checksum. TOS may be altered by a router to reflect a reduced service. Flags and Fragment Offset are altered if a router performs fragmentation. TTL is decreased at each router. The Header Checksum changes if any of these other fields change.
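The following is an added illustration, not part of the tutorial solutions: it builds an IPv4 header, zeroes the mutable fields the way AH does before MACing, and shows that a router hop (TTL decrement plus checksum refresh) leaves the ICV unchanged while a changed source address does not. It assumes HMAC-SHA1-96 as the integrity algorithm, no IP options, and leaves out the AH header itself, which AH would also cover with its own ICV field zeroed.

```python
import hmac
import hashlib
import struct

# Positions of the mutable IPv4 fields AH zeroes before computing the ICV:
# TOS (byte 1), Flags + Fragment Offset (bytes 6-7), TTL (byte 8), Checksum (bytes 10-11).
TOS, FLAGS_FRAG, TTL, CHECKSUM = 1, slice(6, 8), 8, slice(10, 12)

def ipv4_checksum(header):
    """One's-complement checksum over the 20-byte header with its checksum field zeroed."""
    total = sum(struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _addr(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def build_ipv4_header(src, dst, tos=0, ttl=64, ident=0x1234, proto=51, length=40):
    """Build a 20-byte IPv4 header (no options); proto 51 = AH. Constructed sample values."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, tos, length, ident, 0x4000,
                    ttl, proto, 0, _addr(src), _addr(dst))
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

def router_hop(header):
    """What a router does in transit: decrement TTL and recompute the header checksum."""
    h = bytearray(header)
    h[TTL] -= 1
    h[CHECKSUM] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)

def ah_mac_input(header):
    """Copy of the header with the mutable fields zeroed, as AH does before MACing."""
    h = bytearray(header)
    h[TOS] = 0
    h[FLAGS_FRAG] = b"\x00\x00"
    h[TTL] = 0
    h[CHECKSUM] = b"\x00\x00"
    return bytes(h)

def ah_icv(key, header, payload):
    """AH integrity check value: HMAC-SHA1 over zeroed header + payload, truncated to 96 bits."""
    return hmac.new(key, ah_mac_input(header) + payload, hashlib.sha1).digest()[:12]

if __name__ == "__main__":
    key, payload = b"constructed-demo-key", b"upper-layer data"
    hdr = build_ipv4_header("10.0.0.1", "10.0.0.2")
    print(ah_icv(key, hdr, payload) == ah_icv(key, router_hop(hdr), payload))   # True
    forged = build_ipv4_header("10.0.0.9", "10.0.0.2")
    print(ah_icv(key, hdr, payload) == ah_icv(key, forged, payload))            # False
```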

7.

The IPSec architecture document states that when two transport mode SAs are bundled to allow both AH and ESP protocols on the same end-to-end flow, only one ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption? This order of processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver, prior to decrypting the packet, hence potentially reducing the impact of denial of service attacks.
