| 14.1 | Describe a method for checking an extended sequence number when the replay window contains sequence numbers that differ in their upper 32 bits. |
| 14.2 | Sketch an algorithm for decorrelating a policy database that has only two selectors. |
| 14.3 | The longest-match rule for source address, destination address, and SPI requires that the SAD be searched three times. Describe an algorithm for searching the SAD |
| 14.4 | Why is IKEv2 able to create a child SA (with the CREATE_CHILD_SA exchange) in only two messages, whereas the Quick mode exchange from IKEv1 took three messages? |
| 14.5 | Why does it make sense for IKE and the UDP encapsulation of ESP to share ports under NAT-T? |
| 14.6 | Why does the NAT-D hash include the IKE cookies CKYi and CKYr? |
| 14.7 | In Figure 14.8, which peer is behind the NAT? How can we tell? |
| 14.8 | Explain why ESP must never send an SPI of 0 when using NAT-T. |
