In this question, we study Nested ESP in AH, that is, we combine ESP with AH. Let's look at the site-to-site VPN scenario shown again in Figure 1. Let's assume that Alice's desktop is on VPN Site 1 while Bob's is on VPN site 2. Assume the IP address of Alice's desktop is 220.127.116.11; the IP address of Bob's desktop is 18.104.22.168. In addition, because neither Alice nor Bob trusts all employees in their companies, they would use the Transparent Mode of ESP.
When Alice sends message "Stock X price $29" to Bob, the message sender program running on Alice's desktop needs to firstly compose the packet before it is encrypted. This cleartext packet will be the exact same packet in your answer for Question 3.1. Next, the sender packet will use ESP to encrypt the packet. After this packet is encrypted, what does the packet look like? Please draw the whole packet and mark the fields that are encrypted.
Next, Alice's message sender program will apply the AH protocol so that all IP spoofing attacks and message replacement attacks can be defeated. To compute the hash, which part of the packet resulted from Question 4.1 will be used as the input?
After the hash is computed by Alice's message sender program, the hash will be included in which part of the packet sent out from Alice's desktop?
After a while, the packet will arrive at the VPN router on site 2. Will the VPN router decrypt the packet? Why?
After a while, the packet will arrive at Bob's desktop. Is it possible for Bob to decrypt the packet and get the message before the AH header is verified? Why?
After the packet arrives at Bob's desktop, please give a step-by-step answer on how the AH header is verified by the receiver program running on Bob's desktop.
During the whole process from (4.1) to (4.6), where is the IKE protocol used?