Review Questions

1. Is it possible to use IPSec for secure data transmission of the traffic generated by a specific application without introducing any changes into that application?

Yes, it is

2. The IPSec system provides the AH protocol for ensuring data integrity and authentication. For what purpose does it make a provision for the ESP protocol, which also carries out these functions?

ESP privides also data encryption which AH doesn't .  

3. To provide the receiver with the capability of checking data integrity, most protocols place the checksum into the packet. IPSec uses the digest for ensuring data integrity. Explain the difference between these two approaches.

Checksum is used for detecting errors caused by technical problems and can't be used for protection from malicious users as such a user can easily correct a checksum after changing the data. However, it is not possible to do the same with a didgest as it is calculated with one secret parameter which is known only to a sender and a recepient.

4. Suppose that there are three applications running on your computer and you need to transmit data generated by these applications to your partner in the encrypted form using IPSec. How many SAs do you need to create to achieve this?

The question presumes networked applications, i.e those which consist from several parts working on different computers and communicating through a network. In our case we have two computers each of which runs three applications. Let'a call: A - your computer, B - the computer of your partner. Two situations can take place:

(1) All applications have the same requirements to traffic protection. In this case it is appropriate to use one SA for traffic of all three applications exchanging data from computer A to computer B. Please note that if the question didn't specify that data go only in one direction you would need to establish two SAs: from A to B and from B to A (as SA is a unidirectional tunnel).

(2) Each application has its specific requirement to traffic protection. In this case you need to establish three SAs from A to B, each of which shopuld have specific parameters, foor example, first SA can provide ony data integrity; second SA will encrypt data using DES; third SA will encypt data using AES.


5. Compare the transport and tunnel modes of IPSec. Which one ensures a higher security level? Which one provides better scalability? Which one is more economical?

6. Provide several examples illustrating the methods that an intruder may implement to use information from the IP header.

The most important part of the IP header for an intrider is source and destination IP addresses as they reveal internal topology of a network and allows to caryy out attacks of different kinds, e.g DOS or address substitution.

7. Would the use of the AH protocol in the tunnel mode improve the security of the data being transmitted as compared to the use of the same protocol in the transport mode?

Yes, it is worth to use theAH tunnel mode for better trafic protection as in this mode all fileds of an IP packet are protected while in transport mode only fields which stay unchanged during transmission through a network are protected.

8. What mechanism of protection against duplicates by an intruder is used in IPSec?

The information contained in the Sequence Number (SN) filed is used for this.

9. Explain why padding is another means of ensuring confidentiality.

Padding can be used to hide the real size of a packet.

10. How does SG determine what type of processing is required for the packets arriving
at it?


11. What properties of truly private networks can be supported by VPNs?

12. Suggest a VPN classification.

13. Which VPN technologies use traffic segregation for ensuring security?

The VPN technologies based on a virtual circuit technique: FR, ATM and MPLS VPNs.

14. List the advantages and drawbacks of L3VPN as compared to L2VPN.

The main advantage L3VPN compared to L2VPN is that in this case a provider has a possibility to provide additional high-level services based on IP layer to its clients, e.g. VoIP, firewalling, NAT. Those services are difficult to implement when provider emulates for a client a 2 layer network. The main drawback of L3VPN is its higher complexity.


15. What is the main drawback of IPSec VPN?

Poor scalability. The IPSec tunnels are point-to-point, therefore N x (N-1) SAs is necessary to establish to connect N endpoints. The key infrustructure complexity is another factor which worsens the scalability.

16. Describe the mechanism used in MPLS VPN for the segregation of the address spaces of networks belonging to different clients.

17. How is the VRF table created?


18. Assume that MP-BGP operating on the PE2 router sends a routing advertisement received as a result of translating the following routing advertisement arrived from the CE3 router (Fig. 24.20):

Net = 10.2/16

Next-Hop = CE3

How would this routing advertisement appear?


Next-Hop =

LVPN = 3

RT = Green

19. In the MPLS VPN network, the packet is supplied by two labels, the internal label (LVPN) and the external label (L). Describe the roles of these labels in packet forwarding.

The external label is used to forward a packet through a provider network to an appropriate PE; the internal lable is used to choose the appropriate VPN site or sites when forwarding a packet form PE to CEs.


1. You have studied the operating principles of L3 MPLS VPN when all sites of all clients are connected to the backbone of the same provider. Try to advance these principles for when the backbone is supported by several providers. Assume that the sites of three clients, A, B, and C, are connected to networks belonging to the providers ISP2 and ISP3. The networks of these providers are, in turn, connected using the ISP1 provider network. Use a hierarchical approach for solving this problem by making ISP1 a top-layer provider. In this case, ISP2 and ISP3 will play the role of clients for ISP1 according to the MPLS VPN method described in this chapter. Suggest a possible implementation of the idea of the MPLS VPN provider hierarchy, taking BGP capabilities and the idea of the MPLS label stack as the basis.


Hint: use the Internet resources, e.g.

2. Compare the number of required virtual circuits and the LSP that the VPN service provider must create for the following two cases:

The provider uses a Frame Relay network for providing VPN services

The provider uses the IP/MPLS network for providing VPN services

The provider has 25 clients. The networks of each client comprise 10 sites connected to the provider's network. The clients need intranet services, which means that it is not necessary to provide connections between client sites.

Let's assume for unambiguously that clients' sites are located in 10 cities, 25 sites per city. There is a POP in each city where a PE is installed and which has 25 links to 25 sites each of wich belongs to a different client.

When using Frame Relay the provider have to connect 10 sites of a particular client by point-to-point circuits. To make it comparable to unidirectional MPLS LSP let use unidirectional Frame Relay virtual circuits for this. In this case the provider needs to establish 10 x 9 = 90 virtual circuits for every client, totally 2250 virtual circuits for 25 clients.

When using MPLS VPN the provider have to have all its PE internally connected by LSPs through its core P routers. As the provider have 10 PEs, hence they need only 10 x 9 = 90 LSPs to do it. the connections between PE and CE don't need LSPs so that the total amount of LSPs in this case is 90 which much less than the numebr of frame relay virctual circuits.

3. In the section "Packet Forwarding over the MPLS VPN," there was an example illustrating packet transmission from node of site 2 in VPN A to end node of site 1 located in the same VPN (Fig. 24.20). Using this illustration, describe packet transmission in the inverse direction from node to node Provide the possible contents of the CE1 and PE1 routing tables. Suggest your own values for the missing data and place the the text into the illustration.