| 12.1 | Some ISPs prohibit VPNs on home accounts by filtering ESP traffic. Given that the traffic is encrypted, how are the ISPs able to detect the ESP traffic? |
| 12.2 | Suppose that we are using a block cipher in CBC mode and that block i is corrupted in transmission. How many additional blocks will be affected?
This observation is the basis of the cut-and-paste attacks described in [Bellovin 1996]. Read that paper for further details and the reasons that authentication is essential.
|
| 12.3 | What are the advantages and disadvantages of transport mode? Do you think that the advantages outweigh the disadvantages and extra complexity in ESP that transport mode requires? Read [Ferguson and Schneier 1999] for one view on this question. |
| 12.4 | Why must the destination machine be the one that chooses the SPI for an SA? |
| 12.5 | RFC 2401 makes a distinction between "hosts" and "security gateways." What is this distinction, and why might it be dismissed as artificial? |
| 12.6 | RFC 2406 notes that although the IV is often referred to as being part of the ciphertext, it is not usually encrypted. Is there any operational reason that the IV for a block cipher in CBC mode couldn't be encrypted? As [Schneier 1996] remarks, although many people worry about sending the IV in the clear, encrypting it protects only the first block, as the subsequent cipher blocks are available to an attacker. Can you think of any reason that encrypting the IV might increase the security of ESP? Hint: Read [Bellovin 1997] to see how predictable fields in the IP/TCP/UDP headers can provide data for a known text attack. |
