CPE 401/601 Computer Communication Networks

Spring 2011

Lab 3: IPsec

Due on Sunday, May 8 at 1:00 pm

This is a team assignment of 3 students in which you will set up IPsec connections. Even though you will discuss the setup as a team, you should submit your own answers to the following questions.

In this lab you will have access to four Linux boxes; two of the boxes have two interface cards and serve as routers. The lab described below will be conducted in the Reconfigurable Networking Lab at SEM 211A using the setup shown in the figure below. You need to schedule a time using the spreadsheet posted under WebCT.

Before you begin the lab, you might want to review the PowerPoint lecture and gather more information about IPsec and its implementation methods. Some useful websites are:

Part 1: IPsec connection with Manual Keying between hosts in different networks (Tunnel Mode)

In this part of the lab you will set up IPsec security associations manually using the setkey.conf file. The communicating hosts will talk to each other via their respective routers, so you will have to set up IPsec in tunnel mode between m2 of Network A and m4 of Network B. Using m2 of Network A, you will test your SAs by sniffing and examining the packets sent between the two hosts. You may use any sniffer you want (e.g., Wireshark, Snort, or tcpdump).

Throughout this lab, you will be using the ESP protocol (rather than the AH protocol).

To create your SAs, you will need to edit the setkey configuration files. To edit the configuration file with vi, type vi /etc/setkey.conf.

To capture the traffic, please make sure you run the sniffer on the correct interface. By default, tcpdump captures packets from the first interface, which is veth0 on m2.

Support your answers with relevant screen shots.

After setting up the SAs, answer the following questions:

  1. Explain in detail how you set up the SAs and include your configuration file in your report.
  2. What is IPsec doing for you in this example? Confidentiality? Integrity? Authentication? What options in the ESP protocol are being used? What crypto algorithms are being used?
  3. Is the IP header encrypted? How large is the IP header? Is the entire IP payload encrypted?
  4. If the capture was properly done on m2 you should be able to see ESP packets in both directions but the ICMP packet in only one direction. Why?
  5. If ESP authentication was used, how would it be different from the extent of authentication provided by using AH in transport mode?

Part 2: IPsec connection with Manual Keying between hosts in different subnets (Transport Mode)

In this part of the lab you will set up IPsec security associations manually using the setkey.conf file as in Part 1, but this time you are to use transport mode, and the SA should be set up between m1 of Network A and m3 of Network B.
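The following shell script is an added example for both parts of the lab, not part of the original handout: it generates a setkey.conf for the Part 1 tunnel-mode SAs between the routers m2 and m4, and one for the Part 2 transport-mode SAs between the hosts m1 and m3. The handout does not give the machines' IP addresses, so the addresses below are placeholders you must replace with the ones in the lab figure, and the keys are constructed example values of the length setkey requires (generate your own on the box, for instance with head -c 16 /dev/urandom | xxd -p). The same SA lines, with the same SPIs and keys, must be loaded on both endpoints; only the policy direction differs per side.

```shell
#!/bin/sh
# Added example (not from the lab handout). Placeholder addresses, assumed topology:
#   Network A: host m1 behind router m2;  Network B: host m3 behind router m4.
M1=192.168.1.10        # host in Network A
M2=10.0.0.1            # outer (inter-router) address of m2
M3=192.168.2.10        # host in Network B
M4=10.0.0.2            # outer (inter-router) address of m4
NET_A=192.168.1.0/24
NET_B=192.168.2.0/24

# Constructed example keys: aes-cbc needs 16 bytes (32 hex digits) for AES-128,
# hmac-sha1 needs 20 bytes (40 hex digits). Never reuse these on a real link.
AES_KEY_AB=0x00112233445566778899aabbccddeeff
AES_KEY_BA=0xffeeddccbbaa99887766554433221100
SHA_KEY_AB=0x0123456789abcdef0123456789abcdef01234567
SHA_KEY_BA=0x76543210fedcba9876543210fedcba9876543210

# Part 1: ESP in tunnel mode between the two routers.
# $1 names the router this file is loaded on (m2 or m4); the SAD entries are
# identical on both, the SPD entries flip between "out" and "in".
tunnel_conf() {
  echo "flush;"
  echo "spdflush;"
  echo "add $M2 $M4 esp 0x201 -m tunnel -E aes-cbc $AES_KEY_AB -A hmac-sha1 $SHA_KEY_AB;"
  echo "add $M4 $M2 esp 0x301 -m tunnel -E aes-cbc $AES_KEY_BA -A hmac-sha1 $SHA_KEY_BA;"
  case "$1" in
    m2) echo "spdadd $NET_A $NET_B any -P out ipsec esp/tunnel/$M2-$M4/require;"
        echo "spdadd $NET_B $NET_A any -P in ipsec esp/tunnel/$M4-$M2/require;" ;;
    m4) echo "spdadd $NET_B $NET_A any -P out ipsec esp/tunnel/$M4-$M2/require;"
        echo "spdadd $NET_A $NET_B any -P in ipsec esp/tunnel/$M2-$M4/require;" ;;
    *)  echo "usage: tunnel_conf m2|m4" >&2; return 1 ;;
  esac
}

# Part 2: ESP in transport mode directly between the two hosts.
# $1 names the host this file is loaded on (m1 or m3). In transport mode the
# policy selector is the host pair itself and the tunnel endpoints are empty.
transport_conf() {
  echo "flush;"
  echo "spdflush;"
  echo "add $M1 $M3 esp 0x401 -m transport -E aes-cbc $AES_KEY_AB -A hmac-sha1 $SHA_KEY_AB;"
  echo "add $M3 $M1 esp 0x501 -m transport -E aes-cbc $AES_KEY_BA -A hmac-sha1 $SHA_KEY_BA;"
  case "$1" in
    m1) echo "spdadd $M1 $M3 any -P out ipsec esp/transport//require;"
        echo "spdadd $M3 $M1 any -P in ipsec esp/transport//require;" ;;
    m3) echo "spdadd $M3 $M1 any -P out ipsec esp/transport//require;"
        echo "spdadd $M1 $M3 any -P in ipsec esp/transport//require;" ;;
    *)  echo "usage: transport_conf m1|m3" >&2; return 1 ;;
  esac
}

# Usage: ./ipsec_conf.sh tunnel m2 > /etc/setkey.conf  (run on m2; likewise m4)
#        ./ipsec_conf.sh transport m1 > /etc/setkey.conf (run on m1; likewise m3)
case "${1:-}" in
  tunnel)    tunnel_conf "$2" ;;
  transport) transport_conf "$2" ;;
esac
```

After writing the file on each endpoint, load it with setkey -f /etc/setkey.conf, then check the installed SAs with setkey -D and the policies with setkey -DP before sending traffic. On m2 a capture such as tcpdump -i veth0 -n 'esp or icmp' is enough to answer the questions about what is and is not visible on the wire.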

After setting up the SA, answer the following questions.

  1. Explain in detail how you set up the connection and include your configuration file in your report.
  2. What is IPsec doing for you in this example? Confidentiality? Integrity? Authentication? What options in the ESP protocol are being used? What crypto algorithms are being used?
  3. Is the IP header encrypted? How large is the IP header? Is the entire IP payload encrypted?
  4. Can you tell whether the datagram is carrying UDP, TCP, or ICMP data? How?
  5. Compare the transport mode to the tunnel mode and list the differences that you find.
  6. What are the source and destination IP addresses in the captured packets? Are they the same as they were in the tunnel mode?

Note: This assignment is adapted from the textbook (Kurose and Ross, 5th edition).

Submitting your files

Submission of your homework is via WebCT. You must submit all the required files in a single document containing your answers.