Download the full version of the ebook at

https://ebookgate.com

Wireless Internet Security Architecture and

Protocols 1st Edition James Kempf

https://ebookgate.com/product/wireless-internet-
security-architecture-and-protocols-1st-edition-
james-kempf/

Explore and download more ebook at https://ebookgate.com

 Recommended digital products (PDF, EPUB, MOBI) that
you can download immediately if you are interested.

Wireless Mobile Internet Security Second Edition Man Young

Rhee(Auth.)

https://ebookgate.com/product/wireless-mobile-internet-security-
second-edition-man-young-rheeauth/

ebookgate.com

RFID and Sensor Networks Architectures Protocols Security

and Integrations Wireless Networks and Mobile
Communications 1st Edition Yan Zhang
https://ebookgate.com/product/rfid-and-sensor-networks-architectures-
protocols-security-and-integrations-wireless-networks-and-mobile-
communications-1st-edition-yan-zhang/
ebookgate.com

Wireless Internet Crash Course 1st Edition Roman Kikta

https://ebookgate.com/product/wireless-internet-crash-course-1st-
edition-roman-kikta/

ebookgate.com

Internet architecture and innovation 1st Edition Barbara

Van Schewick

https://ebookgate.com/product/internet-architecture-and-
innovation-1st-edition-barbara-van-schewick/

ebookgate.com
Internet security and firewalls 1st Edition V. V. Preetham

https://ebookgate.com/product/internet-security-and-firewalls-1st-
edition-v-v-preetham/

ebookgate.com

Wireless Security and Cryptography Specifications and

Implementations 1st Edition Nicolas Sklavos

https://ebookgate.com/product/wireless-security-and-cryptography-
specifications-and-implementations-1st-edition-nicolas-sklavos/

ebookgate.com

Practical UNIX and Internet Security 3rd ed Edition

Schwartz

https://ebookgate.com/product/practical-unix-and-internet-
security-3rd-ed-edition-schwartz/

ebookgate.com

Protocols and architectures for wireless sensor networks

1st Edition Holger Karl

https://ebookgate.com/product/protocols-and-architectures-for-
wireless-sensor-networks-1st-edition-holger-karl/

ebookgate.com

Wireless Technology Protocols Standards and Techniques 1st

Edition Michel Daoud Yacoub

https://ebookgate.com/product/wireless-technology-protocols-standards-
and-techniques-1st-edition-michel-daoud-yacoub/

ebookgate.com
This page intentionally left blank
Wireless Internet Security
Architecture and Protocols

Starting from a foundation in the tools of network architecture development and crypto-
graphic algorithms, this text approaches wireless Internet security from the position of
system architecture. The focus is on understanding the system architecture of existing
Internet security protocols used widely in wireless Internet systems, and on developing
architectural changes to counter new threats.
The book begins with an introduction to the topics of security threats in wireless
networks, security services for countering those threats, and the process of defining
functional architecture for network systems. Examples of cryptographic algorithms are
included, and the author goes on to discuss examples of wireless Internet security
systems such as wireless network access control, local IP subnet configuration and
address resolution, IP mobility, and location privacy. Each chapter describes the basic
network architecture and protocols for the system under consideration, the security
threats faced, a functional architecture for the security system mitigating the threats,
and the important Internet protocols that implement the architecture. The text is an ideal
resource for graduate students of electrical engineering and computer science, as well
as for engineers and system architects in the wireless network industry.

James Kempf is a Research Fellow at DoCoMo Labs USA and has been active in
systems and software research since he was awarded his Ph.D. in Systems Engineering
from the University of Arizona in 1983. Prior to his current position, Dr. Kempf worked
at Sun Microsystems for 13 years, where he was involved in a variety of research
projects, including, in 1994, a prototype of a SPARC-based tablet computer with early
802.11 supports. His research interests include wireless Internet security, new Internet
architectures, and immersive user interfaces for wireless terminals.
Wireless Internet Security
Architecture and Protocols

JAMES KEMPF
DoCoMo Labs USA
CAMBRIDGE UNIVERSITY PRESS
Cambridge, New York, Melbourne, Madrid, Cape Town, Singapore, São Paulo

Cambridge University Press

The Edinburgh Building, Cambridge CB2 8RU, UK
Published in the United States of America by Cambridge University Press, New York

www.cambridge.org
Information on this title: www.cambridge.org/9780521887830
© Cambridge University Press 2008

This publication is in copyright. Subject to statutory exception and to the

provision of relevant collective licensing agreements, no reproduction of any part
may take place without the written permission of Cambridge University Press.
First published in print format 2008

ISBN-13 978-0-511-43726-7 eBook (EBL)

ISBN-13 978-0-521-88783-0 hardback

Cambridge University Press has no responsibility for the persistence or accuracy

of urls for external or third-party internet websites referred to in this publication,
and does not guarantee that any content on such websites is, or will remain,
accurate or appropriate.
 Contents

Preface page vii

Acknowledgements x

1 Security basics 1
1.1 Importance of a threat analysis 2
1.2 Classes of threats 5
1.3 Classes of security services 8
1.4 Supporting security systems 10
1.5 Summary 19

2 Network system architecture basics 21

2.1 The role of architecture in network system standardization 21
2.2 The functional architecture approach 23
2.3 Example functional architecture for a simple wireless system 26
2.4 Functional architecture for network security systems 28
2.5 Example functional architecture for a wireless security system 30
2.6 Summary 34

3 Cryptographic algorithms and security primitives 35

3.1 Replay protection algorithms 36
3.2 Message digests and cryptographic hash functions 37
3.3 Shared key encryption 42
3.4 Public key algorithms 48
3.5 Key provisioning 51
3.6 Summary 55

4 Wireless IP network access control 57

4.1 Wireless network usage models 58
4.2 Threats to wireless network access 59
4.3 Functional architecture for network access control 60
4.4 Subscription-based design 72
vi Contents

4.5 Hotspot design 85

4.6 Summary 91

5 Local IP subnet configuration and address resolution security 93

5.1 Impact of the IP routing and addressing architecture on mobility 93
5.2 Review of local IP subnet configuration and address resolution protocols 96
5.3 Threats to local IP subnet configuration and address resolution 103
5.4 Functional architecture for local IP subnet configuration and address
resolution security 106
5.5 Security protocols for address resolution, address autoconfiguration, and
router discovery 113
5.6 Security protocols for Local Subnet Configuration Server access 125
5.7 Summary 128

6 Security for global IP mobility 130

6.1 Review of IP mobility architecture and protocols 131
6.2 Threats to Mobile IP security 135
6.3 Functional architecture for Mobile IP security 138
6.4 The IP Security (IPsec) protocol 147
6.5 Return routability 162
6.6 The limits of security architectures: the example of Mobile IP 166
6.7 Summary 167

7 Location privacy 169

7.1 Threats against privacy and location privacy 170
7.2 Security protocols for privacy in IP communication 172
7.3 Security protocols for location privacy in the wireless Internet 176
7.4 An architectural approach to location privacy 181
7.5 Summary 197

References 199
Index 202
Preface

Wireless Internet Security: Architecture and Protocols approaches wireless Internet

security from the direction of system architecture. A system architecture is essentially
a high-level blueprint that guides the detailed design, implementation, and deployment
decisions that result in a real, usable system, just like the architectural plans for a building
guide its construction. Architectures serve as tools for understanding how to design and
evolve a complex information technology system. Architectures are regularly developed
by wireless standardization bodies to guide the development of interoperable, standard-
ized protocols on interfaces between equipment provided by multiple vendors, including
wireless devices used by consumers. Corporations often provide architectures as guide-
lines for customers, describing how their products fit together with other equipment to
provide solutions for their customers’ information technology problems.
In the field of wireless security, the architectural approach has been neglected. This
neglect is partially a result of the case-driven nature of network security. Most security
systems have been developed in response to specific attacks that surface after the system
has been deployed, rather than as a planned part of the initial system development
process. Indeed, the original Internet architecture had almost no provisions for security.
Internet users were assumed to be members of a co-operative community that would
never attempt actions on the Internet harmful to others’ interests. This approach is
changing slowly, as system designers begin to internalize the disastrous results of grafting
security onto a system after a successful attack has compromised the original design.
The other part of the book title, “wireless Internet,” is a somewhat broad term that
covers two different types of radio links. One type, cellular links, tends to require large
and deep wired access networks behind the radio link that utilize specialized protocols
to manage the radio link in very detailed and radio protocol-specific ways. Cellular link
protocols are quite different from the types of link layer protocols on which the Internet
Protocol (IP) has traditionally run. The other type of radio link, noncellular links, does not
in principle require deep radio access networks, though some noncellular protocols have
introduced them as an optimization for better functioning. These kinds of links are more
similar to the traditional types of wired link protocols on which IP runs. In addition,
as of this writing, the current generation of cellular systems now widely deployed,
3rd generation systems, includes system interfaces which run traditional telephony
protocols that are not from the Internet protocol suite or which run modifications of
Internet protocols that are different from other systems. In selecting technical material
to cover, I needed to make a decision about where the text should focus, and I chose
viii Preface

to emphasize the use of protocols from the Internet protocol suite on noncellular radio
links. These types of systems tend to have cleaner architectures and are therefore easier
to understand and draw lessons from that can then be applied to more complex systems,
such as cellular. Merging the Internet and cellular networks has been a more complex
and challenging task than anyone thought it would be when the effort started ten years
ago, but the next generation of cellular systems, the All-IP Network or AIPN currently
under standardization, should eliminate most of the legacy telephony protocols and come
much closer to the goal of having cellular networks fully support the Internet protocol
suite.
In this book, Chapter 1 discusses some fundamental issues in security for any net-
work system: security threats, how to assess threats, and basic solutions and services
to mitigate threats. Chapter 2 presents the functional architecture approach as a tool
for developing an architecture for wireless security systems. In Chapter 3, the cryp-
tographic and other security algorithms important for Internet protocol standards are
reviewed. Chapters 1 through 3 present introductory material and can be skipped by
those knowledgeable about the topics discussed. Chapter 4 develops an architecture for
wireless network access authentication systems and describes two standardized system
designs in widespread deployment – AAA server based and hotspot – and the proto-
cols associated with the designs. The material in Chapter 4 illustrates how a security
architecture can be instantiated into different system designs depending on the specific
implementation and deployment needs. Chapter 5 discusses the security architecture
and protocols involved in local IP subnet configuration systems that allow wireless hosts
to securely configure an IP address and other information necessary to begin obtaining
Internet routing service when they move to a new geographic area. Chapter 6 presents
the security architecture and protocols for global IP mobility. Chapter 6 also shows the
limits of the architectural approach. Like other information systems technology areas,
a good architecture and system design do not help if the implementation introduces
bugs. Security flaws can crop up at any point in the design, implementation, and deploy-
ment process. Finally, in Chapter 7, a security threat very specific to wireless networks,
namely compromise of location privacy, is discussed. Chapter 7 illustrates how a basic
architectural change can solve a security problem in a cleaner way, at the expense of
deep and possibly expensive changes in implementation and deployment.

Throughout the book, I have attempted to maintain a level of detail for algorithms
and protocols sufficient to provide good understanding of how the respective algorithm
or protocol works, without overwhelming the reader. Certainly, any implementation
effort should consult more comprehensive sources. While an introductory undergrad-
uate course in network security is helpful to provide more depth, consultation of the
references for additional information should be sufficient to provide background on the
security algorithms. Knowledge of the basic Internet protocol suite, such as TCP and
DHCP, and some familiarity with mobility protocols, such as Mobile IP, is assumed.
Chapters 4 through 6 review the background on the architecture of the underlying
protocols and systems prior to discussing the security architecture and protocols for
wireless systems. In Chapter 7, some knowledge of IP routing is required in order to
 Preface ix

understand how the location privacy architectural enhancements work. Most of these
topics are covered in introductory undergraduate networking courses.
Each chapter after the introductory material in Chapters 1 through 3 follows a similar
pattern. A particular subsystem important to the functioning of wireless networks is
introduced with a review of the architecture and protocols that have been standardized
to implement the subsystem. This is followed by a threat analysis and the develop-
ment of a functional architecture independent of the specific standardized protocols but
modeling their functionality. Interfaces are then defined between functional elements,
and an overview of the standardized security protocols on those interfaces is presented.
Chapter 7 is slightly different, due to the lack of any comprehensive standardized archi-
tecture or protocols for location privacy. Instead, the results of a research study in how
to modify the IP routing and forwarding architecture are expanded into a functional
architecture for location private addressing. The goal of the book is to provide an under-
standing of the underlying design principles for wireless Internet security systems to
students and others seeking to know more about how current systems are designed, as
well as a useful guide for designers and system architects modifying existing systems
or developing new ones.
Acknowledgements

This book grew out of a tutorial I presented at the Croucher Foundation Advanced
Study Institute on Cryptography, December 2004, in Hong Kong, on the current state
of wireless Internet security protocols. The meeting gave me an opportunity to meet
with other researchers in wireless security and compare notes on the state of the art and
where the field was going. I would like to thank the Croucher Foundation organizers,
in particular Dr. Frances Yao of City University, Hong Kong, for the opportunity to
participate in the meeting. Minoru Etoh, Eisuke Miki and Kazuo Imai, CEOs of Docomo
Labs USA and my managers over the three years of intermittent effort required to write
this book, were incredibly supportive in what turned out to be a very difficult and
demanding task, much more difficult than I envisioned when I started writing. I would
like to thank them for that support. I’d like to thank Marcelo Bagnulo and the University
Carlos III of Madrid for the opportunity to give a one week seminar in June 2007 on
Chapters 1 through 4. The interaction with the seminar attendees helped me refine the
material in these chapters. I would also like to thank my dedicated reviewers, Erik
Guttman, Cedric Westphal, and Renate Kempf, for their efforts in reviewing the book
before it was submitted for publication. Any errors are of course my own but their
work has helped immensely to improve presentation, understandability, and technical
accuracy. Finally, I would like to thank my colleagues at the Internet Engineering Task
Force and the Internet Architecture Board for many years of stimulating and informative
discussion on the technical topics surrounding wireless Internet security and Internet
standards in wireless and mobile networks.
1 Security basics

The Internet was originally developed with little or no security. As a government-

run test bed for academic research, the user community was co-operative and nobody
considered the possibility that one user or group of users would undertake operations
harmful to others. The commercialization of the Internet in the early to mid 1990s
resulted in the rise of the potential for adversarial interactions. These interactions are
motivated by various harming concerns: the desire for profit at others’ expense without
providing any offered value, the need to prove technical prowess by disruption, etc. The
introduction of widespread, inexpensive wireless links into the Internet in the late 1990s
led to additional opportunities for disruption. Unlike wired links, wireless links know
no physical boundaries, so physical security measures that are effective for securing the
endpoints where terminals plug into wired networks are ineffective for wireless links.
Some initial attempts to secure wireless links had the opposite effect: providing the
appearance of security while actually exposing the end user to sophisticated attacks.
Subsequently, wireless security has become an important technical topic for research,
development, and standardization.
In response to the rise of security problems on the Internet, the technical community
has developed a collection of basic technologies for addressing network security. While
there are special characteristics of wireless systems that in certain cases distinguish
wireless network security from general network security, wireless network security is a
subtopic of general network security. Many of the same problems, design approaches,
and even protocols that have been developed for wired network security can be applied
to wireless network security too. This chapter discusses the background topics that are
important in any discussion of network security. Specifically, in this chapter we discuss
the importance of a threat analysis to good security architecture, and we review different
classes of threats to network security that are important for wireless networks as well. We
then review the general classes of security services that are available to help mitigate the
threats. These services are each associated with specific cryptographic algorithms, which
we review in Chapter 2. Finally, we discuss additional security systems that provide
support for the security services. In some cases, these systems are also associated with
particular algorithms discussed in Chapter 2. This chapter serves as a foundation for
later application specifically to wireless networks.
2 Security basics

1.1 Importance of a threat analysis

Network security protocols are necessary on the Internet because some people are
motivated to exploit or disrupt communications for financial gain or simply to prove
their technical ability to do so. In addition, communications between two parties might
sometimes be sensitive or involve money changing hands, in which case both parties to
the communication have an interest in security. While these points might seem obvious
now, they certainly were not obvious to the original designers of the Internet, since no
security was incorporated into the original Internet architecture. Until the Internet was
commercialized in the mid 1990s, nobody took security seriously in protocol design,
with the exception of government agencies that used the Internet protocol for defense
and intelligence purposes and researchers interested specifically in cryptography and
other security topics.
Security problems usually result from network protocols or systems that contain
opportunities for unauthorized or disruptive activity in their design. An opportunity
presented by a particular network protocol or system for an unauthorized party to disrupt,
harm, or exploit the network communications of two legitimately communicating parties
constitutes a threat against the protocol or system. A particular sequence of protocol
messages and computations which successfully exploits such an opportunity is an attack.
Much of network security involves identifying threats, figuring out how attacks can be
mounted, and then designing fixes to protocols – or, even better, incorporating security
into protocol designs before they are finalized – to thwart attacks.
For network systems in general, two important steps in developing an architecture
and designing the protocols are to define the problem and to list the characteristics of
an acceptable solution. Without a clear and concise problem statement, it is hard to
develop an architecture or design a protocol, because a network system, like any other
work of engineering, is a designed object that is meant to address a specific problem.
For example, the original design of the Internet architecture solved the problem of how
to interconnect many different kinds of incompatible network link types, like Ethernet,
ATM, etc. Once the problem is defined, a list of characteristics for an acceptable solution,
often called requirements, serves to limit the solution space in order to direct design
energy toward the most promising architectural solution. Without requirements, much
time and energy can be wasted on adding features to the architecture that are marginally
useful, or critical features can even be overlooked. Requirements also serve to highlight
engineering tradeoffs – where sets of features are in conflict – and therefore where
compromises must be made in the design in order to come up with something that really
can be implemented and deployed. The equivalent activity for security – identifying the
threats and figuring how attacks can be mounted – is called a threat analysis.

1.1.1 How to conduct a threat analysis

In most cases, a threat analysis starts from an existing architecture, protocol or system
design. Ideally, the threat analysis should begin when the underlying network system
 1.1 Importance of a threat analysis 3

architecture is complete but before protocol design has started. Starting prior to that
is difficult, because it is hard to spot opportunities for attacks if the basic functions of
the underlying system are still unknown. A threat analysis may result in changes to the
underlying network system architecture, but changes in the network system architecture
prior to protocol design are typically not difficult. Waiting until the protocol design is
complete – which was all too often the case for older protocols that were not designed
based on a good security architecture – runs the risk of having to go back and make
major changes in the system architecture to enable a more secure protocol design or
accepting compromises in the security imposed by existing implementations.
A threat analysis is conducted by finding opportunities for disruption or compromise
of communication. The following factors in a network architecture, system, or protocol
contribute to generating threats:
r An unprotected function in the architecture, protocol, or system design, implementa-
tion or deployment that offers a dedicated and knowledgeable opponent an opportunity
to attack. An example of such a weakness is a sensitive communication between two
parties that is conducted in the clear, so that it can be interpreted by an eavesdropper.
r A weakness in the protocol or system design, implementation, or deployment that
allows inadvertent disruption of communications, where the disrupting party is actu-
ally not intending to attack. Inadvertent disruption factors are typically not architec-
tural in nature, since they usually arise from unanticipated bugs in a protocol or system
design. An example is using a transport protocol without built-in congestion control
that does unrestricted retransmission without any backoff. Such a protocol could result
in severe congestion if many terminals started transmitting at once, denying service
to other applications and terminals on the network.
r Some basic parts of the network infrastructure can be attacked in crude and simple
ways that cannot realistically be defended against. For example, an attacker could
open the door of a microwave oven in an 802.11b wireless LAN cell, disabling any
wireless LAN communications for some radius around the microwave oven because
both 802.11b and microwave ovens use approximately the same radio frequency.
Architectural solutions are not always the best way to handle a threat. For example, in
the case of an 802.11 microwave oven attack, the defense is to find the microwave oven
and close the door. The alternative solution of locking up all the microwave ovens in the
building and requiring some kind of credentials check to use them is unrealistic and not
really commensurate with the threat. This is an example of how a threat can be handled
as part of the network system deployment. If the threat is not architectural in nature,
then architectural solutions are obviously not the right way to address it. For example,
if an application protocol uses a transport protocol without backoff for retransmission,
the solution is to modify the protocol design to include proper backoff.
After threats have been identified, the next step is to generate some realistic assump-
tions about the nature of the attacker. If the assumptions are too lax, serious threats may
be overlooked leading to attacks when the protocol or system is deployed. On the other
hand, if the assumptions are too strict, the security solution may be overengineered for
the actual threat. Most publicly visible mistakes in assumptions about the attacker tend
4 Security basics

to be on the lax side, since these tend to result in spectacular and widely published
security failures when products are deployed and someone manages to crack the secu-
rity. Assumptions on the too strict side usually delay a product’s deployment, cause cost
overruns, or require users to jump through so many unnecessary security hoops that the
product fails from a usability standpoint. These failures tend to look less like security
failures and more like failures in engineering management and product design.
A standard assumption about the attacker when conducting a threat analysis is that
the attacker is able to see all traffic between legitimate parties to the protocol. While
this assumption may not be true for most wired networks, it is almost always true for
wireless networks. Given that, the next assumption is that the attacker can alter, forge,
or replay any message they have intercepted. This allows the attacker to impersonate
one of the legitimate parties or otherwise attempt to get the legitimate parties to do what
they want. The attacker is also assumed to be able to reroute messages to another party,
so that the attacker can team up with others to increase the computational and network
power available. Finally, the attacker is assumed to have the ability to compromise cryp-
tographic material used to secure traffic if the cryptographic material is sufficiently old.
The safe age depends on the type and strength of the cryptographic material. Assump-
tions about the identity of the attacker are also important. Many attacks are perpetrated
by insiders who are known and authorized users, but who misbehave unintentionally due
to compromise of their terminals by viruses or malware or perhaps intentionally due to
some unknown motivation. A threat analysis cannot assume that known users will never
be a threat.
The amount of knowledge and resources available to the attacker typically determine
whether the attacker can exploit a particular opportunity for attack, and therefore which
threats should have priority for mitigation. It is never wise to assume that an attack
can be deterred by keeping the attacker in ignorance about how a protocol works. Most
attackers, if they are motivated to attack at all, are willing to expend the time and energy
necessary to understand how to make their attack successful. Such security by obscurity
is an invitation to attackers to crack the protocol or system, and thereby gain an enhanced
reputation in “black hat” (bad guy) circles for their cleverness. On the other hand, increas-
ing the amount of resources necessary to mount an attack – so that a successful attack
becomes difficult or impossible to mount with a commonly available set of resources –
is a legitimate and often-used method of deterring an attack. As we will see in the next
chapter, it is actually the basis of mathematical cryptography. However, since computing
power is constantly increasing and new mathematical understanding occasionally causes
old cryptographic algorithms to become easily breakable, any defense based on increas-
ing the amount of resources by a finite amount must consider where the boundary for
a successful attack lies. Architectures and protocol designs that incorporate flexibility
for strengthening cryptographic parameters and algorithms, or increasing the computa-
tional power necessary to compromise a system should the boundary be reached are an
important way of ensuring that designs keep current.
An important consideration when performing a threat analysis is to clearly identify
the value of the threatened activity or the severity of the disruption. If the value of the
activity is low or the severity of the disruption is slight, measures to counteract the threat
 1.2 Classes of threats 5

should be similarly lightweight. However, care should be taken when making value
judgments in this manner, since sometimes threats that are considered unlikely or minor
become more important as a protocol or system is more widely deployed. Sometimes,
threat mitigation measures are not intended to remove the possibility of attack entirely,
but just to reduce the threat to a level that existed before the protocol or system was
developed. Of course, this doesn’t help solve the underlying problem in the deployed
protocols or systems, but sometimes such mitigation to existing threat levels is the only
realistic choice, given implementation and deployment constraints.
The process of conducting a threat analysis is unfortunately very heuristic and not
very quantitative. A successful threat analysis is best conducted by donning the mindset
of the attacker. The person conducting the analysis needs to ask in what clever and
creative ways the particular functioning of the protocol or system can be disrupted. In
the rest of the chapter, we will discuss some generic classes of threats and the security
services that have evolved to counter them. Looking for these classes of threats is a good
starting point when conducting a threat analysis. In Chapter 2, we discuss in more detail
how a threat analysis is incorporated into the process of developing a security system
architecture.

1.2 Classes of threats

While every network protocol or system has particular characteristics that render it more
or less susceptible to attack, a few basic classes of attacks are repeated with various per-
mutations in different circumstances. The basic threat classes apply to wireless networks
as well. The basic threat classes are:
r replay threat
r eavesdropping and spoofing
r man-in-the middle (MitM) threat
r denial-of-service (DoS) threat.

Network security architectures, protocols, and systems have evolved to counter attacks
based on these threats using various kinds of cryptographic and other security algorithms.
In this section, we briefly examine each class of threat.

1.2.1 Replay threat

A replay attack occurs when the attacker is able to capture traffic from one party and
replay it to another, causing the targeted party to perform actions as if the traffic had
been received from a legitimate sender. Replay attacks are often coupled with other
attacks, such as man-in-the-middle attacks or denial-of-service attacks. In the first case,
the replayed traffic is captured due to the attacker’s position as a man in the middle. In
the second, the replayed traffic is used to take advantage of a flaw in the protocol design
or implementation which makes the protocol vulnerable to denial of service.
6 Security basics

1.2.2 Eavesdropping and spoofing

Eavesdropping occurs when an attacker that is not a legitimate party to a conversation
manages to obtain the contents of traffic between the legitimate parties. The attacker
can somehow listen in on the conversation between the parties and use the information
it gains. Eavesdropping is primarily a passive activity; the attacker does not engage in
a packet exchange with any of the legitimate parties while eavesdropping. The attacker
extracts the information of interest from the overheard packet exchange. However, in
order for the attacker to set up so that it can eavesdrop, the attacker may have to perform
some kind of active packet exchange with the legitimate parties to the conversation or
with other parties.
Spoofing means an attacker poses as a legitimate party for the purpose of tricking other
legitimate parties into revealing compromising information, stealing service, or for other
illegitimate purposes. One reason an attacker may spoof is to enable eavesdropping.
Spoofing is typically an active attack, in which the attacker must exchange packets with
the local router or a terminal in order to establish its fake identity. Once the identity is
set up, the victim begins the network conversation and the attacker is free to manipulate
the victim however they see fit.

1.2.3 Man-in-the-middle threat

Man-in-the-middle (MitM) attacks occur when the attacker manages to position them-
selves between the legitimate parties to a conversation. The attacker spoofs the opposite
legitimate party so that all parties believe they are actually talking to the expected other,
legitimate parties. A MitM attack allows the attacker to eavesdrop on the conversa-
tion between the parties, or to actively intervene in the conversation to achieve some
illegitimate end.
MitM attacks are relatively uncommon in the wired Internet, since there are very few
places where an attacker can insert itself between two communicating terminals and
remain undetected. For wireless links, however, the situation is quite different. Unless
proper security is maintained on wireless last hop links, it can be fairly easy for an
attacker to insert itself, depending on the nature of the wireless link layer protocol.

1.2.4 Denial-of-service threat

Denial of service (or DoS) occurs when an attacker attempts through some means to
reduce the ability of a network or server to provide service to legitimate users. The
nature of such attacks can run from crude to extremely sophisticated. For example, in an
802.11b or g (WiFi) wireless network, a crude DoS attack can be mounted by breaking the
safety interlock on a microwave oven, then opening the door and starting up the oven.
The radio noise generated by the microwave, which operates on the same frequency
as the 802.11b and g wireless protocols, will overwhelm the signal from the access
points. The threat from microwave ovens is fairly easy to counter, however, since the
attacker and the oven must be physically located near the access point to perpetrate the
 1.2 Classes of threats 7

attack, and therefore can presumably be quickly found. Other types of DoS attacks listed
in the following subsections, are harder to detect because the attacker can be remote.

Bombing attacks
A more serious but still crude attack is when the attacker bombards a network or server
with packets designed to increase network utilization and thereby decrease throughput.
Such an attack is especially effective if the attacker controls a network of machines,
called zombies, throughout the Internet that have been compromised using viruses or
spyware. The attacker can then instruct the machines to target a specific website or other
service in order to blackmail the owner or otherwise extract some illegitimate benefit.
The zombies allow the attacker to perpetrate the attack without exposing its identity,
making the attacker difficult to track down. The only currently known way to handle
such distributed denial-of-service attacks (DDoS attacks) is to provision the server or
network with enough spare capacity so that some legitimate users can always get service,
perhaps at a reduced level, or leave some capacity in reserve to be switched on for such
situations.

Protocol bugs and DoS attacks

More sophisticated DoS attacks exploit particular weaknesses in protocol design. For
example, consider a client-server protocol that takes requests from initially unknown
clients, then replies to authenticate the client and set up a session. If the server maintains
any outstanding state between the initial request from the unknown client and subsequent
responses, the server can be subject to a storage depletion attack. The attacker continually
sends the protocol initiation messages from different IP addresses without actually
continuing the protocol. At some point, the server may run out of storage for the state
and be unable to respond. The solution to such an attack is to design the protocol so that
the server does not maintain any outstanding state from the client until the client has
been authenticated. Note that this attack is not really specific to wireless networks.

Redirection attacks
A particular kind of DoS attack, called a redirection attack, is a consideration in the
design of wireless protocols. A redirection attack occurs when the attacker sets up a
session with a server for a large bandwidth data flow, such as streaming video, then
redirects the attack at a victim whose network connection or device does not have the
bandwidth to handle the flow volume. The victim’s network connection is overwhelmed
by the traffic and legitimate service grinds to a halt.

Address spoofing
Finally, another attack that is not specific to wireless networks but easier to perpetrate
there and therefore more common on wireless networks is address spoofing. The protocol
used by IP networks on the last hop for routing has traditionally not been secure, because
wired networks have in the past typically operated in situations where physical security
or difficulty of access (as for example in dial-in networks) have made attacks unlikely.
This protocol allows a router to map an IP address to a link layer address, so that the
8 Security basics

router can deliver the packet directly to the terminal’s interface card through the link
layer. However, because the protocol is not secure, it is possible for an attacker on the
same link to claim to own the IP address. The router then ends up sending packets to the
attacker instead of to the legitimate owner of the address.

1.3 Classes of security services

With the exception of DoS attacks, security services have been developed to counter the
threats discussed in the previous section. Security services have many uses in general
network security, and are an important part of wireless network security too. For example,
unlike wired networks, in a wireless network, any properly configured device within
the broadcast radius of a wireless access point can hear the communication between a
wireless device and the wireless access point. Depending on the wireless link protocol, an
eavesdropping attacker may be able to easily decode the communication and respond as
the victim. If a sender on a wireless link wants to prevent eavesdropping, the messages
sent and received over the link must include proof of origin to provide data origin
authentication, must be encrypted to provide confidentiality protection, and must be
protected against replay to avoid use of a previous message by an adversary. These are
the basic security service classes. For DoS attacks, most mitigation measures focus on
deployment or network management, with the exception of protocol design measures that
limit opportunities for DoS. Since DoS attacks exploit some very deep and fundamental
properties of the Internet architecture, they are hard to mitigate with specific system
architectural measures. Most DoS attacks are also not specific to wireless networks, so
they are not discussed further in the book unless they are related to specific protocol
design issues.

1.3.1 Data origin authentication

Data origin authentication is the process by which a receiver of a message is able to
prove that the message originated from the reputed sender, and that the contents of the
message were not altered en route. Data origin authentication is done for every packet in
a protocol conversation if the two parties want to make sure that they are talking to each
other and that no packets are modified in transit. Sometimes data origin authentication is
called integrity protection, emphasizing the second aspect, proving that the message was
not altered, rather than the first, proving that the message originated from the reputed
sender.
Data origin authentication requires cryptographic techniques in order to construct
the proof of origin. The cryptographic techniques require that the two parties to the
conversation possess cryptographic material that allows one party to construct a proof of
authenticity and allows the other party to check it. The cryptographic material is usually
in the form of a cryptographic key or keys. Later in this chapter, we discuss keys and
their distribution.
Another random document with
no related content on Scribd:
 “A little,” replied she, and then smiling at herself, she added, “you
must not laugh at my very young-lady-like answer. In my case it is
simply the truth.”

“I should like to hear you, and then I can judge,” he said.

And without giving Cissy time to invite him to come to her house,
for the purpose of criticising her guest’s singing, he exclaimed
hurriedly, “I really must not keep you standing. Good morning, Mrs.
Archer, I am sorry I have forfeited your good opinion.” And so left
them.

“Well, Marion,” said Cissy, “though I thought him so nice the other
day, I cannot say that I think so now. He is very rough and ill-
tempered.”

“But Cissy, you teazed him on purpose. I think you deserved what
you got.”

“You are an impertinent little cats Miss Freer,” replied her cousin.
After which relief to her feelings, Mrs. Archer recovered her good
humour, and they spent an amicable evening. This was the day
before Sybil’s birthday. There had been some slight discussion,
consultation rather, between Lady Severn and her niece, as to the
advisability of inviting the daily governess to make one of the party
to Berlet. But as Lady Severn wished to pay some attention to Mrs.
Archer, and it would have been awkward to invite that lady without
the young girl whom she evidently looked upon as a valued friend
and guest, it was decided that the invitation should include Miss
Freer. The children would have rebelled had their dear Miss Freer
been left out; indeed they would naturally enough have looked upon
such an omission as a gross breach of promise, as their governess
had been asked to make one of the previous expedition, which the
weather had put a stop to.

“Still, dear aunt,” suggested Florence the sensible, “I think for

every sake, her own especially, it is well to show that she is invited
as the children’s governess. Of course, had she been governess to
any one else, the mere fact of her staying in Mrs. Archer’s house
would not have made it necessary for you to notice her.”

“Of course not, my dear,” replied Lady Severn; “but how can I
draw the distinction? I quite agree with you about it but I don’t see
how it is to be done.”

“It is difficult, certainly,” said Florence, “that is the worst part of a

somewhat anomalous position, like Miss Freer’s. I am glad she is
coming to-morrow, for I am anxious for the children’s sake to get to
know her a little better. I have gone into the schoolroom now and
then, but I am so afraid of seeming to interfere in any way.”

“It is very kind of you, my dear, to take such an interest in the

children. Miss Freer could not possibly think any such kindness on
your part, interference,” replied Lady Severn.

“Well, I don’t know. It is better not to risk it. Besides, I really

think Lofty and Sybil are getting on very well with her. But do you
know, aunt, I can’t quite make her out. She is inconsistent
altogether. Her manners, her general appearance, her dress even,
are not the least like what one expects in a girl brought up to be a
governess.”

“I have not observed any inconsistency of the kind,” said Lady

Severn, “but I dare say my eyes are not so quick as yours. The only
time I can really say I had any conversation with her was the first
day she called, when she appeared a gentle, modest young person.
I understood her to say that her family had met with misfortunes,
which had led to her becoming a governess. These things happen
every day you know, my dear, in the middle classes. Rich one day
and poor the next! But to return to our plans for to-morrow. What
arrangement do you think will be best about Miss Freer?”

“I was thinking,” said Miss Vyse, “that it might be as well if Miss

Freer were to come as usual, at half-past nine, and start from here
in the same carriage as the children. You, dear aunt, might propose
to call for Mrs. Archer on your way past her house, which would save
her the fatigue of the walk here in the first place.”

“Yes,” said Lady Severn, “that will do very well. Knowing that
Charlotte and Sybil are with their governess, I shall feel comfortable
about them. I must consult with Ralph about the carriages. There
are our own two, and Mr. Chepstow has offered any of his we like.”

For Mr. Chepstow had called at the Rue des Lauriers, and been
graciously received by the dowager and her fascinating niece.

It was part of Florence’s worldly wisdom always to be civil to

people in the first place. Time enough to snub and chill them if they
turned out useless, or not worth cultivating further. Easier, far, to do
this than to undo the prejudicial effects of a haughty or freezing
manner on first introduction. And in the present case, that of Mr.
Chepstow, if he were only half, or even a quarter, as rich as report
said, he would still be well deserving of some judicious attentions—
according to Miss Vyse’s scale of judgement on such matters.

Another little téte-à-téte conversation on the subject of the Berlet

expedition took place this same Thursday evening between Mrs.
Archer and her cousin. A note from Lady Severn, explaining the
proposed arrangements for the morrow, brought the subject to
Cissy’s mind.

“By-the-by, May,” she said, “what are you going to wear to-
morrow?”

“I was thinking about it,” replied Marion, thoughtfully. “I should

like to wear that gauzy dress; white, you know, with rosebuds. It is
deliciously cool, and then my white bonnet matches it so beautifully.”

“Well and why shouldn’t you wear it?” asked Cissy; “it is a
perfectly suitable dress.”
 “Suitable, certainly, for Marion Vere, but I am by no means sure
that it is equally so for Miss Freer,” replied Marion.

“What on earth do you mean, child?” asked Cissy.

“Just what I say. As long as I have to act, what you call my farce,
I think I should do so as consistently as possible. And from some
little things Lofty Severn has told me, I am afraid I have been
careless. Miss Vyse, it appears, has remarked, in the children’s
hearing, that my dress is unbecoming to my station; and, of all
people in the world, I should least like her to begin making remarks
about me.”

“Why ‘her of all people?’ ” asked Cissy.

“I don’t know,” replied Marion. “I don’t like her, and I don’t trust
her, and that’s about all I can say. No doubt if she were finding out
about who I really am, she might do me great mischief.”

“Of course she might,” said Cissy. “But one thing I must say,
Marion: were it found out that you are not really Miss Freer, I should
feel myself bound, in your defence, to tell the whole story from
beginning to end. I could not consent to screen Harry’s part in it any
longer.”

“Harry has had no part in it,” said Marion, eagerly. “You know this
governessing scheme was most entirely my own. No one could be
blamed for it but myself.”

“H—m,” was Cissy’s reply. “I am by no means sure of that. I

should most strongly object to meeting Uncle Vere after he had
learnt my part in it! However, I should bear that, and more too,
rather than not let your conduct be seen in a proper light. But
there’s no good talking about it. I trust, most devoutly, you may
continue Miss Freer, as long as we are at Altes. I have only warned
you what I should think it right to do, in case of any fuss.”
 “Very well,” said Marion.

But the conversation was not without its result. With a girlish sigh
of regret, she put away the pretty rosebud dress, and laid out for the
morning’s wear an unexceptionably quiet and inexpensive costume
of simply braided brown-holland.

But I question much if so attired, my Marion was any less

winningly lovely than in the glistening, delicately-painted gauze. The
grey eyes looked out as soft and deep from under the shade of the
brown straw hat, as from among the flowers and fripperies of the
dainty Paris bonnet. Still, she was not so much above the rest of her
sex and age but that this called for some self-denial.

Friday morning was cloudlessly fine. The sky was of that same
even, intense blue, which had so impressed Marion on her first
arrival in the south; and as she walked to the Rue des Lauriers, the
girl felt joyous and light-hearted. She found Lotty and Sybil watching
for her. In their different ways the two children were full of delight at
the prospect of the day’s treat, and Marion felt glad that lessons had
formed no part of the morning’s programme, as such a thing as
sitting still would have been quite beyond the power of her excited
little pupils.

By ten o’clock the various carriages assembled. Lady Severn and

two middle-aged friends of hers, the English clergyman at Altes and
his wife, seated themselves in the first, and drove off to pick up Mrs.
Archer. Marion, looking out from the schoolroom window, did not
envy Cissy her long drive in such company! Then came Mr.
Chepstow’s dog-cart, driven, in the height of his exhilaration, by that
adventurous individual himself. Miss Vyse was invited to occupy one
of the two vacant seats, but, in some graceful manner, succeeded in
evading the honour. After a little consultation, Sophy Berwick,
nothing loth, took her place, followed, somewhat unwillingly—(but
then, in pleasure parties the wrong people always get together!)—by
her, so gossips said, former admirer, the cynical Erbenfeld. Next
appeared a larger, and evidently hired, carriage, already occupied by
Papa and Mamma Berwick, and a pale, worn-looking girl, whom
Marion rightly concluded to be the invalid Blanche. No one appearing
ambitious of making a fourth in this vehicle, it drove on.

Now dashed up, what penny-a-liners call, a “perfectly appointed

equipage,” driven by the handsome young Russian Nodouroff.
Seated beside him was his tutor, Mr. Price, who, however,
descended, leaving, two places to spare. Some discussion ensued as
to who should occupy them, which was ended by Captain Berwick
hoisting up a laughing, romping girl, whom Lotty informed Marion,
was Kate Bailey, the younger sister of the languishing Dora.

“She’s only two years older than I am, Miss Freer,” said Lotty,
virtuously, “and yet she goes to all sorts of parties. I’m sure I don’t
know how she ever learns any lessons.”

Vladimir’s horses growing impatient, young Berwick jumped in

after Kate, and off they set. Next drew up a pretty waggonette,
belonging to Mr. Chepstow. Into it, without hesitation, stepped Miss
Vyse and Dora Bailey, followed by the little Frenchman, De l’Orme.
But where was the fourth? In some unaccountable manner this
being, whoever he was, had disappeared. No one but Mr. Price stood
waiting to ascend. An angry toss of the head from Florence, an
impatient order to the driver, and they drove off quickly. Rather lose
the chance of the companion she had hoped for than, by longer
delay, run the risk of Mr. Price’s uninteresting society!

Lotty and Sybil were beginning to think themselves forgotten,

poor children, when a familiar voice sounded at the door.

“Now Lotty, now Sybil old woman, the carriage is coming round,
for you. Ah! Miss Freer, too!” Ralph added, as he saw her. “I beg
your pardon; I thought you were to have been picked up on the
road with Mrs. Archer. But, never mind, we shall pack in.”
 As they passed through the court-yard there stood Mr. Price,
looking somewhat disconsolate, not quite sure that he had done
right in quitting his seat by the side of his pupil, which, yet, his
shrinking modesty would not have allowed him to retain, unless all
the rest of the company had been already provided for.

“You, too, still here, Price!” exclaimed Sir Ralph. “I thought you
had been whisked off in the waggonette. However, it’s all the better!
If Miss Freer does not mind a little crowding, that’s to say?”

Miss Freer, in her sensible brown-holland, being happily careless

of crushing or squeezing, the whole party was soon comfortably
established in the roomy carriage.

Sybil’s little face wore an expression of perfect content. Lotty,

having obtained her uncle’s consent to sit beside the driver, was no
less well pleased. Her incipient airs of fine ladyism forgotten for the
time, she became the hearty, happy child nature meant her still to
be, chattering to the coachman in her broken French, and translating
his replies for the benefit of the less accomplished Sybil. Both
children really were their very nicest selves that day; and nice
children are by no means a bad addition to a party of pleasure. For
one thing, they are pretty sure to enjoy it, which is more than can
be said or their elders.

What a merry drive they had! Marion hardly recognized the silent,
melancholy Mr. Price in the agreeable, humourous man beside her.
Sir Ralph and he amused her with reminiscences of their younger
days, from time to time saddened by a passing allusion to the
brother she had already heard of. The “John” so affectionately
mentioned by Sir Ralph when speaking to Mrs. Archer.

Now and then the conversation became more general. Subjects of

public interest were broached and commented upon by the two
gentlemen, in a manner which caught Marion’s attention; for such
discussions were not as strange or incomprehensible to her as to
most girls of her age. Sir Ralph had the latest arrived English paper
in his pocket. He glanced at it as he went along, from time to time
reading out little bits for the edification of his companions. Once or
twice Marion, half unconsciously, made some remark in response to
his; remarks which showed that she knew what she was talking
about, though, probably, of no great depth or originality.

The second or third time this happened, Sir Ralph glanced at her
with a slight smile of surprise and amusement.

“Why, Miss Freer,” he said, “you must be a great newspaper

reader! You are certainly better up on that last speech on the
education question of the member for —. Bye-the-by, what place
does Vere stand for?” he asked, turning to Mr. Price, who could not
satisfy him on the point. “Never mind,” he went on “how is it you
know so much about it, Miss Freer? As I said, you are decidedly
more at home in it than Price here, and that is saying a good deal;
as I haven’t, in fifteen years, succeeded in finding a subject he was
not at home in.”

“Nonsense, my dear boy,” said Mr. Price. “You will really make me
blush, and that would look very funny on an old man like me. Would
it not, Miss Sybil?”

Oh! how grateful Marion was to the all-unconscious Mr. Price, for
thus opportunely turning the conversation!

The title of some forth-coming new book next attracted Sir

Ralph’s attention, and led to an animated discussion on the previous
works of the same author, in interest of which, Marion forgot her
embarrassment. She little knew how keenly her fresh, bright
thoughts and enquiries, uttered with perfect simplicity and self-
forgetfulness, were appreciated and enjoyed by her two
companions. Cultivated, nay even learned men, that they were, yet
not too “fusty and musty,” as Cissy had called it, to value the clear
sparkling of an unprejudiced, but not uneducated youthful intellect;
and better still, the softening, beautifying radiance of a true, gentle,
woman’s heart.

Mr. Price, as he looked at her, wondered if the little infant

daughter long ago laid to rest beside her young mother, in the far of
church-yard on a Welsh hill-side would ever, had she lived, have
grown to be such a one as the sweet, bright girl beside him.

Sir Ralph, as he looked at her, thought to himself a “what might

have been,” had he met this Marion in years gone by, before, as he
fancied, youth and its sweet privileges, were over for him.

And with these thoughts, mingled in the hearts of both her

companions, a manly pity for this young creature, apparently so
alone in the world, and already, at the age when most girls think of
nothing but pleasure and amusement, working, if not for her daily
bread, at least towards her own or her friends’ support. “For surely
no girl would be a governess if she could help it,” thought Ralph, as
ever and anon the curious, indefinable inconsistency struck him
between this girl herself and her avowed position.

“Here we are,” exclaimed he, rather dolefully, as the carriage

stopped at the little inn at Berlet, where all vehicles “arrested
themselves,” a Monsieur De l’Orme called it. The ascent of the hill,
from the top of which was the far-famed view, could only be
managed on foot or donkey-back. Some of the elderly and more
ponderous ladies had preferred the latter safe, though inglorious,
mode of conveyance, and had already set off by a more circuitous
path. The younger members of the party, intending to climb up the
most direct way, were just about starting, when the last carriage,
containing our happy little party arrived.

As Marion was stepping out, she heard herself addressed by

name:

“Miss Freer,” said a voice beside her, “I cannot understand how it

is that you and the girls came in this carriage. There must have been
some strange mistake, which you should have rectified. Lady Severn
is not a little annoyed at it, for she particularly wished you and your
pupils to come alone,” with a strong accent on the last word.

Marion turned round, her cheeks pale with the paleness that tells
of deeper indignation than quick mantling crimson.

“Miss Vyse,” she said quietly, “I do not understand you. If Lady

Severn has anything to find fault with in me, I am perfectly ready to
hear it. But—”

The words were taken out of her mouth by Mr. Price, who
standing beside her had, unawares, heard the little conversation.

“I think, indeed,” he said, “there has been some mistake. Miss

Freer took her seat in the carriage in which she was asked to place
herself. On these occasions little contre-temps are apt to occur. I
myself did a very stupid thing, for I was as nearly as possible left
behind altogether.”

Instantly Florence turned round, her face radiant with smiles:

“Oh. Mr. Price,” she said, “I hope you don’t think me so silly as to
be cross about a trifle; but you don’t know how particular Lady
Severn is in all arrangements about the children, and I was so afraid
of her thinking either Miss Freer or I had neglected her wishes.”

Mr. Price looked puzzled but said nothing.

However, he resolutely attached himself to Marion; as the party

dispersed into twos or threes, to begin the ascent.

Sybil clung to Marion, who felt some misgivings as to how the

little creature would get to the top, when a cheerful “halloo” behind
them made her glance round.
 There was Frank Berwick dragging along a reluctant donkey,
which Sir Ralph was encouraging on the other side to hasten its
movements. With a cry of pleasure little Sybil ran hack to her uncle,
who lifted her on to her steed. Hardly had he done so, when
Vladimir appeared with a pencilled note for Sir Ralph. He glanced at
it, and with a clouded face, turned to the young officer.

“Berwick,” said he, “I must go to look after some or my mother’s

other guests. Will you help with Sybil’s donkey? I any sorry to
trouble you, but unless some one leads it, she could not make it go
up this steep path.”

“Certainly,” said Frank, heartily, “you may trust me to get it safely

to the top.”

So Ralph left them. On the whole, I don’t think Frank would have
regretted if Mr. Price had done the same. But this did not appear to
be that worthy gentleman’s intention. So Captain Berwick consoled
himself by engaging Marion steadily in conversation, and thus
obliging her to walk at the other side of the donkey’s head; for she
could not have been cold or inattentive to one who was showing
such good nature to her little pupil.

At last they got to the top. Most of the party were there before
them, for the donkey’s tardiness had delayed them. There was a sort
of terrace round the cottage, or châlet rather, from which the view
was supposed to be seen in perfection. It was indeed beautiful! If
only there had not been such a crowd of people talking about it!
How the young ladies cluttered and admired, how the gentlemen
thought it their duty to agree with their observations, however
inane! All but Ralph. When Marion first caught sight of him he was
standing perfectly silent beside Florence, who was speaking to him
in a low voice, from time to time raising her beautiful, lustrous eyes
to his face, with a look half of questioning, half of appeal. It was
some mere trifle she was asking him about, but, as she watched
them, Marion thought to herself that Sir Ralph must indeed be
strangely almost unnaturally callous, to resist the fascination of such
loveliness.

Somehow she felt glad when the chorus of enthusiastic

admiration calmed down again and, the little groups dispersed.
Before long whispers of “luncheon” began to run through the party,
and they all adjourned to a smooth lawn on the other side of the
châlet, where picnic parties were accustomed to dine.

Marion found herself seated near Cissy, who looked rather tired.
She whispered to Marion: “How nice it would be if all these people
were away!”

Still, it was very amusing, on the whole. There were dignified

Lady Severn and fat Mrs. Berwick, seated on the grass, vainly
endeavouring to preserve the equilibrium of their plates and glasses.
Mr. Chepstow, in a peculiar attitude, looking more like a magnified
frog than a portly, middle-aged Englishman; and insisting, in his
exaggerated politeness, on constantly unsettling himself to fetch
something or other which he imagined some lady beside him to be
in want of.

“You have no salt, Mrs. Harper,” he exclaimed to the clergyman’s

wife. “Allow me to fetch you some. I brought some of my own,
knowing it is so often forgotten, I shall get it in a moment. It is in
the pocket of my over-coat. And up he started.

“Stay one moment, my friend,” interrupted Mons. De l’Orme;

“here is of the salt that one has not missed to bring.”

Upon which Mr. Chepstow was, with difficulty, induced to re-settle

himself.

“How charming it is, this scene,” continued the little Frenchman,

with effusion; “it must absolutely that I visit England. All that I of her
see fills me with admiration. Above all these ‘peek-neeks.’ What can
one desire of more agreeable than at the once to enjoy the delights
of the nature, the charms of the society, and the sweet allures of the
life of family.”

“Bravo! De l’Orme,” exclaimed Erbenfeld; “may I ask who assisted

you in the composition of this little oration? I strongly suspect
Chepstow had to do with it. It is in his style. Do you not think so,
Miss Sophie?” he asked of his neighbour, with whom, failing better,
he had, in a rather lukewarm manner, renewed his last year’s
flirtation.

Sophy was on the point of replying in the same strain, but,

happening to glance in Marion’s direction, had the self-control to
remain silent.

In are opposite corner Marion espied Dora Bailey, looking so

marvellously brisk and lively, that one would hardly have recognized
her. The secret of the change was soon revealed, when looking
again, Miss Freer perceived that young Berwick was her neighbour,
for poor Dora had long before this disclosed his name as that of her
chosen hero. Frank, however, did not appear to be in
correspondingly good spirits.

But everybody talked and laughed, and eat cold chicken and
drank champagne, as if they had been in England. So I suppose they
all enjoyed themselves.

After luncheon they dispersed in little parties to ramble about the

hill, one side of which was covered by a charming miniature pine-
forest. Cissy was tired, and went into the châlet to rest. Miss Vyse
and the other young ladies went off to choose pretty “bits” to
sketch, followed by their attendant gentlemen.

Marion, finding them all scattered, proposed to Lotty and Sybil to

go a little way into the forest, and there find a nice seat, where she
would tell them a story.
 Her proposal was accepted with delight, Sybil only stipulating that
they should not go far enough into the forest to meet bears or
wolves. The story extended into two or three before the children
were satisfied. Then at last they agreed that “poor Miss Freer must
be tired;” and they amused themselves by discussing the rival merits
of her narrations. “Beauty and the Beast” was Sybil’s favourite,
though she shuddered as she listened to the description of the
dreadful, though amiable monster.

Suddenly a quick step approached them, and Sir Ralph appeared.

He threw himself down beside them, exclaiming as he did so:

“I beg your pardon, Miss Freer, but I am so horribly tired. I have

been on duty all this time, and if had stayed longer, I should infallibly
have said something rude to somebody, so I ran away to avoid
getting into a scrape.”

“You’re like the Beast, Uncle Ralph,” said Lotty, oracularly.

“Like a beast!” he exclaimed. “I hope not, Lotty. What on earth do

you mean?”

“I said the Beast. We have been talking about Beauty and the
Beast, and I thought when you came growling so, you were just like
him.”

“Thank you, Lotty,” he said; “or, rather, I think I should thank Miss
Freer for the compliment, should I not? That’s what Miss Freer
teaches you, eh, Sybil? To call your poor old uncle a beast.”

Marion laughed, but Sybil looked distressed.

“Oh no, dear Uncle,” she said, “Miss Freer didn’t ever say you
were a beast. Lotty only said it because you growled. But, besides,
Uncle Ralph, didn’t you know that the Beast was very nice, really he
was, a beautiful prince at the end.”
 “Really, was he? And how did he come to be so improved?” asked
Ralph, with an air of the profoundest interest.

“Oh, because Beauty—” began Sybil.

“But who was Beauty, in the first place?” interrupted heir uncle.

“Beauty was a pretty, sweet young lady,” replied Sybil.

“Oh, indeed. Like you or Lotty, perhaps?” he suggested.

“No, oh no. Not a little girl. A young lady, Uncle. A big young lady,
like——like——oh, yes! Just like Miss Freer. A pretty, sweet young
lady, just like Miss Freer.”

“And she turned the Beast into a beautiful prince, you say? I
wonder how ever she could do that,” he said, thoughtfully.

“Can’t you guess? Well, I will tell you,” said Sybil, full of
importance. “You see, the Beast was very good and kind, though he
was ugly. And the fairy fixed that whenever any pretty young lady
would love him for being good and kind, and not mind his being
ugly, then that minute he was to turn into a beautiful prince. So the
very minute Beauty said, ‘I do love you, my dear good Beast,’ he
turned into the prince. Isn’t it a pretty story, Uncle, and don’t you
think Beauty must have been just like Miss Freer?”

“A very pretty story, indeed, Sybil,” replied he, to the first

question; but to the second he made no answer. As he lay on the
ground, however, he managed to glance up slyly to see how the “big
young lady” took all these rather personal remarks. But he did not
get much satisfaction. Marion’s face was rather graver than usual,
but for all other change in its expression, her thoughts might have
been far away, too far away to have paid any heed to the child’s
chattering.

What was she really thinking?

 The old puzzle: “I wonder how Sir Ralph and Miss Vyse get on
together!” And why from the first have I disliked the one and liked
the other?”

Ralph seemed suddenly to grow restless. He sat up and looked at

his watch, and then said it was time for them to return to their party.
So they all left their pleasant nook, considerably to their regret.

Sir Ralph stayed beside them till they were close to the edge of
the wood, helping them to climb up the steep, rough paths. Then he
hastened on before them, saying they had better follow at their
leisure. Soon after they had reached the châlet it became time to
think of rejoining the carriages.

They all descended the hill together; an easier managed business

than the ascent; and returned home as they came, except that, by
Lady Severn’s request, Marion took Mr. Harper’s seat in her carriage,
that gentleman occupying her former place, and was set down with
Mrs. Archer at the door of their own house, which was passed on
their way to the Rue des Lauriers.

So ended little Sybil’s birthday pic-nic.

 CHAPTER IX.
“DE CAP A TU SOY MARION”
“And will thee, nill thee, I must love
Till the grass grows my head above.”
TRANS. OF DES POURINNS BÉARNAIS SONGS.

“Ihre Augen waren nicht die Schönsten die ich

jemals sah, aber die tiefsten, hinter denen
man am meisten erwartete.”
WAHRHETT UND DICHTUNG.

THE weeks passed on quietly, and to outward seeming, uneventfully

enough.

Cissy and Marion grew so accustomed to their calm, pleasant, life

at Altes, that save for occasional home letters, they could have
fancied themselves permanently settled in the pretty little southern
town.
 Harry wrote frequently and very cheerfully, only bewailing, as the
Christmas holidays drew nearer, that they must be spent away from
Marion. At rarer intervals there came paternal epistles from Mr. Vere,
to which Marion always dutifully replied. Cissy, as her share, had
regular letters from her husband, who latterly had alluded to a
prospect before him of obtaining ere long a staff appointment in a
part of the country sufficiently healthy for his wife to rejoin him
there without risk.

Mrs. Archer was in great spirits at this news, and chattered away
about returning to India, as if it were the most easily managed little
journey in the world. But Marion, as she looked at her, felt certain
vague misgivings. She was not satisfied that her cousin was gaining
strength from her sojourn at Altes, for at times she looked sadly
fragile. The slightest extra exertion utterly prostrated her, and yet so
buoyant and high-spirited was she, that Marion found it impossible
to persuade her to take more care of herself. Poor little Cissy! What
a baby she was after all! And yet a difficult baby to manage, with all
her genuine sweet temper and pretty playfulness.

Marion’s governess duties were faithfully, performed, and on the

whole with ease and satisfaction. Certainly it was not all smooth
sailing in this direction, but still the storms were rarer, and less
important, than might have been expected. Sybil caused her from
time to time anxiety, but never displeasure. Lotty, on the other hand,
was now and then extremely provoking; disobedient, inattentive and
impertinent. But Marion had succeeded in gaining the child’s
affection, and in the end these fits of haughtiness were sure to be
followed by repentance, genuine, though somewhat short-lived.

Now and then Miss Vyse favoured the schoolroom party with her
presence. These were the days the young governess dreaded. Not
that then, was anything in Florence’s manner actually to be
complained of. She refrained from the slightest appearance of
interfering, and indeed went further than this; for she paraded her
respect for the governess, in a way that to Marion was more
offensive than positive insult or contemptuous neglect. She it was
who always reproved the refractory Lotty for any sign of disrespect
or inattention.

“Oh, Lotty,” she would say, in an inexpressibly mischief-making

tone, “how can you be so forgetful of your duty to Miss Freer!
Remember, dear, what your grandmamma was saying only
yesterday. I am sure you were never so troublesome with me when I
helped you with your lessons. And that was only a sort of play-
learning you know. Now Miss Freer is here on purpose to teach you;
you know dear, you must be obedient.”

All of which, of course, further excited the demon of opposition,

and defiance of her gentle governess, in the naughty Lotty’s heart!

Florence managed too to show that she came, in a sense, as a

spy on Miss Freer. Little remarks made, as it were, in all innocence;
half questions, apologised for as soon as uttered: in these and a
hundred other ways she succeeded in making Marion conscious that
she was not fully trusted. And far worse, she instilled into Lotty, by
nature so generous and unsuspicious, a most unsalutary feeling, half
of contempt, half of distrust of the young governess; the being, who
of all that had ever come into contact with Charlotte Severn, might
have exercised the happiest influence on the child’s rich, but
undisciplined, nature. Marion did not see much of Lady Severn,
whose civilities to Mrs. Archer were generally of a kind that did not
of necessity include Miss Freer. A proposal to “sit an hour” with her
in the morning before lessons were over in the Rue des Lauriers, or
an invitation to accompany the dowager in her very stupid afternoon
drive: these, and such-like little attentions she showed her, some of
which accepted as a duty, though by no means a pleasure; to the
last day of her stay at Altes, Mrs. Archer could not succeed in
making the deaf lady hear what she said without ludicrous, and well-
nigh superhuman exertions.
 One thing in her daily life, for long struck Marion as curious. She
never, by any chance, saw Sir Ralph in his mother’s house. Had she
not been informed to the contrary, she would have imagined he was
not a member of the establishment. The children talked of him
sometimes, indeed Sybil would never have tired of chattering about
him, but Marion did not encourage it. Much chattering would
effectually interfered with lessons, and besides this, the girl-
governess had of late begun to suspect that her discretion in this
could not be carried too far; as she had a sort of instinctive fear that
all or a great part of the schoolroom conversation was extracted
from Lotty by Miss Vyse. Not that she cared about the thing itself;
though the feeling of a spy in the camp, is not a pleasant one, even
to the most candid and innocent; and in her present position, Marion
could not feel herself invulnerable. But it was very trying to her,
trying and almost sickening, to see the sweet child-trustfulness
gradually melting away out of Lotty’s nature.

She thought it better to say very little about the children to Sir
Ralph, when she met him in Mrs. Archer’s house. And, indeed, he by
no means encouraged her doing so. The mention of her morning’s
employment always appeared so to annoy him that at last it came to
be tacitly avoided, and really, for the time being, forgotten. For they
were at no loss for things to talk about, those three, in the
afternoons, generally one or two a week, that Sir Ralph spent in
Cissy’s drawing-room.

Pleasant afternoons they were! To him indeed there could be no

doubt of their being so, as otherwise he would not have thus sought
them voluntarily. He took care, however, never to come on a Friday.
Sophy Berwick’s chatter, Dora Bailey’s silliness, and Mr. Chepstow’s
ponderous platitudes, all at one time, in one little room, would really,
he declared irreverently, have been too much fox him.

“And so,” said Cissy, “just like a man, you leave us poor weak
women to endure as best we may, what you confess would be
beyond your powers.”
 “Now, Mrs. Archer,” he replied, “that’s not fair at all. ‘What’s one
man’s meat is another man’s poison.’ I can’t suppose your drawing-
room-full of friends is disagreeable to you, as, to speak plainly, you
have yourself to thank for it. If you don’t want to see all these
people, what do you ask them for?”

“I never said I didn’t want to see them,” said illogical Cissy; “I

only said you might come and help me to entertain them. Besides,”
added she mischievously, “there’s Marion. She didn’t ask them, so
she’s not to blame for the infliction, if such it be. You might come to
help her to get through the afternoon.”

“Great use I should be!” he said, lightly, and then went on more
seriously, “Besides, do you know, Mrs. Archer, I am really busy just
now.”

“Busy; what about?” she asked coolly.

“Oh, things that you would think very stupid. Hunting up

specimens of the old language and dialects once spoken about here.
I’m doing it for a friend who is taking up the subject thoroughly.”

“I should think that very interesting work,” said Marion.

“Yes, indeed,” he replied warmly; “indeed, interesting is no word

for it. It has quite reconciled me to spending the winter here. A
prospect that was dreadful enough to few months ago, I can assure
you.”

Just at that moment Charlie appeared with a whispered message

to his mother, who, thereupon, left the room, saying as she did so,
that she would return in a few minutes, and that in the meantime,
Sir Ralph might amuse himself and Marion by giving her some
specimens of the ancient language he was so interested in.

Charlie followed his mother, but stopped for a moment as he

reached the door, to announce in a stage whisper, with a confidential
nod:

“It’s only the dressmaker!” which piece of impertinence was

audibly punished by a box on the ear from his indignant mamma.

“Is your name, Miss Freer—the name Marion, I mean—spelt with

an A or an O?” asked Sir Ralph, somewhat irrelevantly, it appeared
to the young lady.

“With an O,” she replied.

“Oh, I fancied so,” he said, with satisfaction. “Mrs. Archer told me

to amuse you with specimens of the old dialects just now, but she
would be surprised if I told her that there is an old song, old though
not ancient, actually dedicated to a lady who must have borne your
name.”

“Is there, really?” exclaimed Marion. “I had no idea my name was

to be found anywhere out of England, or Great Britain, I should say,
for there are plenty of Scotch Marions. Oh, tell me about the song,
Sir Ralph; or can you show it to me? Is it pretty? And has it been set
to music?”

“It has been set to music, and I think it very pretty,” he replied. “I
could show it to you, for I have both copied it and translated it. But I
can’t show it you just now. Indeed, I am not sure that it would not
please you more if I gave it to some one else to show you.”

He looked at her closely as he spoke. But she only appeared

puzzled.

“If you gave it to some one else to show me?” she repeated. “I
don’t understand what you mean, Sir Ralph. Really I don’t.”

“Really, don’t you?” said he again; “truly and really?” He spoke, as

it were, in jest, and yet something in his voice sounded as if he were
in earnest.
 “Think again, Miss Freer. Though you may never have seen this
little song, you may easily enough fancy that, pretty and simple as it
is, there was only one person who could have ventured to address it
to the Marion of those days without fear of its being scornfully
rejected. That Marion must have been young and fair; but now-a-
days there are others as young and as fair. And there are knights,
too, gallant enough, though not exactly cast in the mould of the old-
world ones. You see, Miss Freer, I should not like my poor little song
to be scorned. I would rather keep it till the true knight passes this
way, and I am anxious to—”

He stopped, at a loss to finish his sentence. Half ashamed,

indeed, of having said so much.

Marion had listened quietly. No sign of displeasure in her face, but

an expression of slight bewilderment, and somewhat, too, of
sadness, overspread it.

“Sir Ralph,” she said, “I won’t say again I don’t know what you
are talking about; but, truly, I may say I don’t know whom you are
referring to. You wouldn’t wish to vex me, I know. If even there is
anything you wish to warn me about, I am sure you would do it
most gently and kindly. I am not very old, and I daresay not very
wise,” she added, with a smile; “but, truly, I don’t quite understand.
No knight, as you call it, is likely to pass this way on my account.”

She spoke so earnestly and simply that Ralph all but moved out of
his habitual self-control, looked up again with the sun-light look over
his face.

“Miss Freer,” he began, eagerly, and still more eager words were
on his lips; but— —the door opened, and in walked, with the air of
one thoroughly at home, and sure of a welcome, Frank Berwick!

It was not the first time Ralph’s pleasant afternoons had been
interrupted by this young gentleman. He rose, the bright look utterly
gone from his face, shook hands with Frank, and, Mrs. Archer shortly
after returning to the room, seized the first opportunity of taking
leave of the little party. As he bade good-bye to Marion he said, in a
low voice, heard by her only:

“Forgive me, Miss Freer, for what I said. I must have seemed very
impertinent, but, truly, I did not mean to be so. Remember how
many years older I am than you, and let that prevent your thinking
me unpardonably officious.”

Marion said nothing, but for one half instant raised her eyes to his
face, with a curious expression, part deprecating, part reproachful.
The sort of look one sees in the face of a child who has been
scolded for a fault which it does not feel conscious of or understand.
Then she said, or whispered—or, indeed, was it only his fancy; the
words were so faint and low?—

“How little you understand me!”

When Ralph left Mrs. Archer’s house he did not turn towards the
Rue des Lauriers, but walked briskly in the opposite direction. Like
many other men, he had a habit, when perplexed or annoyed, of
“taking it out of himself,” as he would have called it, by sharp,
physical exercise. Not till he was some way out of the town, in a
quiet country lane, did he slacken his pace, and begin steadily to
think—thus:

“What a weak fool I am, after all! Can it really be that after all
these years, I, now that I am middle-aged (for thirty-three is more
than middle-aged for men like me), have caught the strange
infection, hitherto so incomprehensible to me? What is there about
this girl, this grave-eyed Marion, that utterly changes me when in
her presence? Oh! Madness and Folly are no words for what I was
nearly doing just now, who of all men in the world am least fitted,
have indeed least right to marry! Lucky it was that that boy, Berwick,
came in when he did. Not, after all, that it would have mattered
much. She could not care, or ever learn to care, for me. But the
thing might have distressed her all the same, and increased the
discomfort of her position. How odious it is to think of her trudging
backwards and forwards every morning as a daily governess, and
that hateful Florence sneering at and insulting her in her cat-like
way!”

At this point he stopped short in his meditations, and laughed at

himself.

“Really, I am too absurd! Now to be reasonable about it, what

shall I do? So far, surely, I am not so very far gone. No necessity for
my running away from Altes. And before long, I have very little
doubt, the temptation will be beyond my reach, for of young
Berwick’s intentions I have not the shadow of a doubt. He is not a
bad fellow, by any means, and will make a fair enough husband, I
dare say. Not good enough for her, of course, but then that’s the
way in such things. Besides, going out to India with him is, suppose,
a preferable lot to being a governess at home. But I hope his people
will treat her properly. My poor little girl! But what right have I to
even think of her so? Ah! After all, if things had been different!”

Thus he thought to himself as he slowly walked homewards.

Turning the thing round and round in his mind, and looking at it
from all sides. Finally deciding that all he could do was gradually to
dismiss this wild dream from his mind (not realizing in his
inexperience, that in such matters it is hearts, not minds, we have to
deal with), and so far as possible forget that it had ever visited him.

As no one but himself was involved, no one’s happiness or

suffering in question but his own, he decided he need not absent
himself from Altes for a little, as had been his first impulse, on
making this extraordinary discovery. Not, at least at present. But he
would be careful. He would not lay up for himself unnecessary
perplexity or suffering; for after all, his belief in his own self-control
had received a great shock. So he resolved, and acted upon his
resolution by not calling at Mrs. Archer’s till the next week; when,
trusting to the safety, which we are told, lies in numbers, he
purposely chose a Friday for his visit.

It was disagreeable, as he had anticipated, and indeed almost

hoped it would be.

The day being chilly, none of Mrs. Archer’s friends ventured out
on the terrace, and the small drawing-room was therefore rather
crowded. There was the usual set; the Bailey girls, Mr. Chepstow,
and Monsieur De l’Orme, the Frasers and Sophy Berwick,
accompanied, of course, by her brother. Erbenfeld was there too,
amusing himself by trying to get up a flirtation with Mrs. Archer; by
no means an easy undertaking, as he found to his cost; for Cissy’s
self-possession, quick wit and unaffected, utter indifference to his
graceful compliments and sentimental allusions, baffled him far more
effectively than any affectation of matronly dignity, or the most
freezing airs of propriety. It was really rather amusing to watch, for
Erbenfeld was clever enough in his shallow way, and evidently quite
unaccustomed to have his flattering attentions thus smilingly
rejected. Ralph had not been there two minutes before he began to
wish himself away; but he had resolved to say half-an-hour or so, to
avoid the appearance of any marked change; and so he sat on
patiently, thinking to himself it was no bad discipline for his powers
of self-control to sit there trying to talk nonsense to Sophy Berwick,
all the time that he was intensely conscious or Marion’s near
presence at the piano, where she was eagerly examining sonic new
music which Frank had just brought her, the giver, of course,
standing close by, replying to her remarks with a bright smile on his
handsome face.

Suddenly some one proposed that they should have, a little

music. The glee party collected round the piano, and went through
their little performances successfully enough. This over, there was an
exhibition of instrumental music from one or two of the young
ladies. In the moving about the room that ensued, Ralph found
himself, for the first time that afternoon, near Marion. In his nervous
hurry to say something, he, of course, said about the stupidest thing
he could have chosen:

“Do you sing, Miss Freer?”

She looked up at, him with surprise, but when she saw the
perfect good faith in which he had asked the question, she began to
laugh in spite of herself.

“Yes,” said she, “I think I have told you before that I sing a little,
and if you had been listening you would have heard me singing just
now.”

“Were you singing?” he said, “truly I did not know. Certainly I

would have listened had I known it was you. I was thinking the
other day how odd it was I had never heard you sing.”

“I was not singing alone, just now,” she said, more seriously, “I
only took a part in those glees.”

“Ah!” he replied, “then it was not bad of me after all. But I should
very much like to hear you sing alone. When Miss Bailey finishes this
affair she is playing, will you sing, Miss Freer?”

“Oh, yes, if you like,” she answered lightly. But in a moment a

thought struck her, and she added mischievously, “what would you
like me to sing, Sir Ralph? Is there any song you think would suit
me?”

“Several,” he replied, in the same tone. But as at this moment

Miss Bailey’s twirlings and twitchings suddenly ceased, and as
Marion rose, he said in a lower voice: “one in particular, but I can’t
give it you.”

She seemed as if she hardly heard him, and at a sign from Cissy,
took Dora’s place at the piano.
 Her voice was certainly not a very powerful one, but neither could
it be called weak. It was true and sweet, but its chief beauty was its
exceeding freshness. Clear and bright, and yet with an under-tone of
almost wild plaintiveness. The sort of voice one would be inclined to
describe as more like a young boy’s than a woman’s. It made one
think of a bunch of spring field flowers, freshly gathered and
sparkling with dew. So, at least, Ralph fancied as he listened, and
went on in his own mind to compare Florence Vyse’s rich contralto to
a perfectly arranged group of brilliantly coloured and heavily scented
exotics. The simile was not however a perfect one, for it did not
sufficiently express the tenderness and cultivated refinement of
Marion’s singing.

What her song was, Ralph did not know nor care. It was German,
so much he discovered, and some words reached him, which
sounded like these:

“So ist verronnen

Meine Jugendzeit.”

A sort of sorrowful refrain they seemed to him, and they set his
thoughts off again in the direction of wishing they were less true as
applied to himself. But he pulled himself up short, thanked Miss
Freer quietly, said good bye to Mrs. Archer and her guests, and was
just about to take his departure when the door opened, and “Lady
Severn and Miss Vyse” were announced by Mrs. Fraser’s man-
servant, whose mistress very goodnaturedly lent him to Mrs. Archer
on Fridays.

It was rather annoying. Ralph so seldom called on any lady, that

his presence here could not but surprise his mother. However, it was
much better than if the worthy lady had taken it into her head to call
on Mrs. Archer on one of the several afternoons he had spent in the
company only of Cissy and her guest. He made the best of the
situation, gratified Florence by asking if they had a seat to spare in
the carriage, in which case he would wait and return home with
them, and altogether made himself so sociable and agreeable, that
Lady Severn began to think, with pleased astonishment, that after all
her unsatisfactory Ralph had inherited something of the “Severn”
affability. So all seemed smooth and smiling; but for all that Florence
had her eyes open that afternoon; and bitter thoughts were in her
heart as they bowled home to the Rue des Lauriers, though the
words on her lips were honeyed and soft.

A few days after this, the second of the Altes balls took place.
Mrs. Archer and her cousin had not gone to the first, as on the day it
was held the former had not been well enough to risk the fatigue.
But having been, or fancied herself, stronger of late, she was bent
on attending the forthcoming one. Marion had no objection to
accompanying her, save her former fear of appearing inconsistent.
But this time Cissy was not to be moved. Marion was to go to the
ball, attired in the prettiest of dresses, and for this one evening to
enjoy herself thoroughly, and forget all about that “odious
governessing.”

So the girl yielded, not unwillingly, I dare say. They arranged to

go with the Berwicks, Frank and Sophy warmly applauding Mrs.
Archer’s determination that Miss Freer should make one of the party.

“Of course you should come,” said Sophy. “I should think it bad
enough to have to be shut up all the morning with those brats,
without thinking it necessary on that account to forego a pleasant
way or spending an evening.”

“Oh, well,” replied Marion, “for once in a way I daresay there can
be no objection to it.”

“Once in a way,” repeated Sophy; “it is absurd to hear you, a girl

ever so much younger than I, talking like that. You don’t mean to
remain a governess all your life, do you, Miss Freer?”

Marion felt and looked rather annoyed at this not very delicately-
expressed inquiry; but, before she had time to reply, Cissy, who was
present at the time, came to the rescue.
 “Of course not, Miss Berwick,” she exclaimed, rather indignantly,
but, on catching a beseeching look from Marion, she changed her
tone, and added, half laughingly, “Don’t you know, Miss Berwick,
that Marion is going out with me next spring, to marry a nabob
whom she has never seen? A real nabob, I assure you, as rich as—
as I should like to be, and that’s saying a good deal, I assure you. By
this time next year, imagine Miss Freer converted into Mrs. Nabob,
with more fine dresses and diamonds than she knows what to do
with. What a charming prospect! I hope you will remember, May, to
give me some of your cast-off grandeur.”

“How can you be so silly, Cissy!” said Marion, half laughing and
half annoyed.

Sophy looked curious and mystified. She could not make out how
much was fun and how much earliest of Mrs. Archer’s
announcement. Miss Freer’s “How silly,” very probably, only applied
to her friend’s exaggerated way of telling it. It was quite possible,
Sophy decided, that the young lady was in fact engaged to some
rich Indian, and was only a daily governess for a short time, perhaps
to make some money towards providing a trousseau, being of a
more independent spirit than some brides elect in similar
circumstances.

It seemed rather a plausible way of accounting, for the mystery,

which even Sophy, whose perceptions were not of the acutest, felt
there existed about this girl. She would have uncommonly liked to
hear reason, but, was not bold enough to make further inquiries.
Besides which, Marion evidently wished the subject to be dropped,
and Sophy would have been really sorry to annoy her. So no more
was said; but, as Sophy was leaving, Marion accompanied her to the
door, and said to her, earnestly, but in a low voice:

“Miss Berwick, will you be so good as not to think anything of

what Mrs. Archer said today? I mean, will you please not to talk
about it. You don’t know how exceedingly it would annoy me if any