
Exercises

10.1

Make an argument that SAs do not have to be simplex. That is, rather than requiring a pair of SAs for each tunnel, one SA could handle both directions. What effect, if any, does this have on security? Hint: See [Ferguson and Schneier 1999].

10.2

We noted that one could say that VPNs are simplex and that what we normally think of as a full-duplex VPN is actually two separate simplex VPNs, one in each direction. Defend this point of view. Defend the contrary view.

10.3

Use the fact that AH and ESP are network-layer protocols to justify our use of the term VPN, even in the case of transport mode.

10.4

What difficulties would there be in using a stream cipher, such as RC4, with ESP? Sketch out a way around these difficulties, and then read [Fluhrer, Mantin, and Shamir 2001].

10.5

How is a transport-mode VPN different from an SSL or SSH connection between two hosts?

10.6

Explain how an ESP tunnel-mode VPN can provide limited protection from traffic analysis. (See Chapter 9 for a definition of traffic analysis.)

