
Exercises

13.1

Why do the ISAKMP payloads need a next payload field?

13.2

Is the CONNECTED notification message an ISAKMP or an IPsec message?

13.3

Consider the case of a mobile host with a nonfixed IP address using Main mode with shared-secret authentication to negotiate an SA with a security gateway. Why doesn't the mobile host have the same problem with Main mode that the security gateway does?

13.4

What is the quantity $g^{x_i x_r}$ in the calculation of SKEYID for the authentication with digital signatures method and the calculations of the quantities SKEYID_d, SKEYID_a, and SKEYID_e?

13.5

In IKE Aggressive mode, the Authentication payload is optionally encrypted. How does the responder know whether it's encrypted?

13.6

Does Main mode with signature authentication have the same problem with mobile hosts and dynamic IP addresses that Main mode with shared-secret authentication has? Why or why not?

13.7

How does authentication with signatures guarantee that the state variables were not tampered with in transport? How does it authenticate each node to its peer?

13.8

Does authentication with a preshared key offer the same repudiation as authentication with public key encryption?

13.9

In the final analysis, both authentication with public key encryption and authentication with digital signatures use public key cryptography to authenticate the peers. Why doesn't authentication with digital signatures offer repudiation?

13.10

What is the responder's cookie in the sample negotiation of Section 13.4?

13.11

Perform an analysis of the second and third phase 1 messages from the sample negotiation of Section 13.4, similar to the one we performed on the first message.

13.12

In Section 13.4, we showed the results of pinging through an AH transport mode tunnel. We terminated ping after six requests had been sent, but we received only four replies. Given that this experiment was performed on a LAN, why did we lose the two packets?

