1.1-1.6: Consider the site-to-site VPN scenario shown in Figure 2. Let’s deploy the AH protocol on the two VPN routers (see Figure 2) so that no desktop on the two sites need to do any AH operations. Assume Alice’s desktop is on VPN Site 1 while Bob’s desktop is on VPN site 2. Assume the IP address of Alice’s desktop is 130.2.3.244; the IP address of Bob’s desktop is 166.100.66.2.

Figure 2:

1.1: When Alice sends message “Stock X price $29” to Bob, the message sender program running on Alice’s desktop needs to firstly compose the packet. Please draw the whole packet.

1.2: After a while, the packet will arrive at the VPN router on site 1. After the packet is processed by the VPN router according to the AH protocol, it will be sent out from the VPN router. When the packet leaves the VPN router on site 1, what does the packet look like? Please draw the whole packet. Please note that we assume the VPN router does not enforce the ESP protocol – no tunneling

 

.3: Let’s assume there is a bad guy named John who can intercept this packet in the Internet between these two VPN routers. When this packet is intercepted by John, can John know what the message is? Why?

1.4: After a while, the packet will arrive at the VPN router on Site 2. When the packet is processed by the VPN router on Site 2, what will the VPN router do? Please give a step-by-step answer

.

1.5: To enforce an IP spoofing attack, John will change the header of the packet before it arrives at the VPN router on Site 2. In particular, John will replace the source IP with 130.2.8.3. Can this IP spoofing attack fool the VPN router on Site 2? Why? Note that John will try his best to fake a hash to fool the VPN router. (8 points)

1.6: If the IP spoofing attack mentioned in Question 1.5 is launched by a colleague employee of Alice inside Site 1, Can this IP spoofing attack fool the VPN router on Site 2? Why?

 

2.1-2.7: In this question, we study Nested ESP in AH, that is, we combine ESP with AH. Let’s look at the site-to-site VPN scenario shown again in Figure 1. Let’s assume that Alice’s desktop is on VPN Site 1 while Bob’s is on VPN site 2. Assume the IP address of Alice’s desktop is 130.2.3.244; the IP address of Bob’s desktop is 166.100.66.2. In addition, because neither Alice nor Bob trusts all employees in their companies, they would use the Transport Mode of ESP.2.1: When Alice sends message “Stock X price $29” to Bob, the message sender program running on Alice’s desktop needs to firstly compose the packet before it is encrypted. This cleartext packet will be the exact same packet in your answer for Question 1.1. Next, the sender program will use ESP to encrypt the packet. After this packet is encrypted, what does the packet look like? Please draw the whole packet and mark the fields that are encrypted.

2.2: Next, Alice’s message sender program will apply the AH protocol so that all IP spoofing attacks and message replacement attacks can be defeated. To compute the hash, which part of the packet resulted from Question 2.1 will be used as the input?

 

2.3: After the hash is computed by Alice’s message sender program, the hash will be included in which part of the packet sent out from Alice’s desktop?

 

2.4: After a while, the packet will arrive at the VPN router on site 2. Will the VPN router decrypt the packet? (6 point)

 

2.5: After a while, the packet will arrive at Bob’s desktop. Is it possible for Bob to decrypt the packet and get the message before the AH header is verified? Why?

 

2.6: After the packet arrives at Bob’s desktop, please give a step-by-step answer on how the AH header is verified by the receiver program running on Bob’s desktop

 

2.7: During the whole process from (2.1) to (2.6), where is the IKE protocol used?