Examination DD2392 Protocols and Principles of the Internet EP2120 Internetworking. Date: 02 June 2009 at 14:00-19:00


a) No help material is allowed - You are not allowed to use dictionaries, books, or calculators!
b) You may answer questions in English or in Swedish.
c) Please answer each question on a separate page.
d) Please write concise answers!
e) Put a mark in the table on the cover page for each question you have addressed.
f) The grading of the exam will be completed no later than 24 June 2009.
g) After grading, the exams will be available for inspection at STEX (Q-building, for EP2120) and at the CSC student expedition (for DD2392).
h) Deadline for written complaints is 28 August 2009.
i) Course responsible DD2392 is Olof Hagsand, phone 08-790 6534
j) Course responsible EP2120 is György Dán, phone 08-790 4253

Important note! Your grade is F in any of these two cases:
- You do not obtain at least 15 (fifteen) points out of 20 for problems 1-4
- You do not obtain at least 30 (thirty) points in total.
We advise you to start with problems 1-4.

Part one (Problems 1-4)

1. IP addressing and IP header (5p)

You would like to connect to a public WiFi hotspot, but for some reason DHCP does not seem to work, so you cannot obtain an IP address, netmask, etc. You start WireShark to capture the traffic on the WLAN. The lowest IP address you observe in any packet is 213.204.37.2 and the highest IP address is 213.204.38.5. Based on this information you try to manually configure an IP address, default gateway, and netmask for the wireless network interface.

a) What is the longest prefix length that you should consider? What is the corresponding netmask? (1p)
The prefix length should be /22 or shorter, the corresponding netmask is 255.255.252.0.

b) Give the network address of the subnet in CIDR notation! What could be a reasonable guess for the default gateway? (1p)
The network address is 213.204.36.0/22. The default gateway could be 213.204.36.1, but you cannot be sure of this.

c) What is the directed broadcast address of the subnet? (1p)
213.204.39.255

d) Assume that you have configured the netmask and the default gateway, and by pure luck you configured your computer to use an IP address that is not in use by any other computer. You start your favorite browser, and try to access http://www.google.com. Will your browser be able to download the requested page?
Almost certainly not. You do not have a name server configured.

e) In IPv4 there is a header checksum field in the base header. Why was this field not included in the IPv6 base header? (1p)
Since the checksum covers the TTL field in IPv4, the checksum has to be recalculated at every router. Apart from this, layer 2 protocols provide frame level error checking and correction, so the layer 3 error checking is to some extent redundant.

2. Delivery and address resolution (5p)

a) How does a host determine whether a destination (given with its IP address) is located on the local subnet? (1p)
The host performs a bitwise AND of its IP address and its netmask, then a bitwise AND of the destination IP address and its netmask. If the two results are equal, then the destination host is on the local subnet.

b) Consider that a router attempts to forward a datagram to the next hop based on the destination address 173.46.98.156, but cannot find a matching entry. What does the router do? Would it make a difference if the destination address of the packet was 225.18.93.26? (1p)
The router will send an ICMP destination network unreachable message to the sender. The second datagram is destined to a multicast address, so no ICMP message will be sent. The datagram will be discarded in both cases.

Consider the following IPv4 network consisting of 2 bridges and 1 router. Hosts H1 to H6 have one interface each. B1 and B2 are learning bridges. R1 is a router with an appropriate routing table. Host H3, bridges B1 and B2 and the North interface of R1 are in the same Ethernet collision domain. All ARP caches and the bridges' learning tables are empty. Assume that ARP snooping is used. Logical (IP) addresses are represented by capital letters, physical (MAC) addresses are represented by small letters. Please refer to these letters in your solutions.

[Figure: network topology with hosts H1-H6, bridges B1 and B2 and router R1; IP addresses are labelled with capital letters A-I, MAC addresses with small letters a-i.]

c) A process on Host H5 sends 100 bytes via UDP to a process on host H1. Show the contents of the learning tables and the ARP caches after the packet has been delivered. Assume that the process on Host H5 knows the IP address of Host H1. (1p)
H5: g-g
H1, H2, H4: h-H
H3: h-H
R1: e-e, a-a
B2: h-West, a-West
B1: h-South, a-West

d) A process on Host H1 sends 100 bytes via UDP to a process on host H3. Assume that the process on Host H1 knows the IP address of Host H3. Show the new contents of the ARP caches and the learning tables. (1p)
H1: c-c
H3: a-a
B2: c-West
B1: c-South
H2, H4: a-a

e) A process on Host H1 sends 100 bytes via UDP to a process on host H6. Assume that the process on Host H1 knows the IP address of Host H6. Show the new contents of the ARP caches and the learning tables. (1p)
R1: f-F
H6: i-I

3. IP forwarding (5p)

a) Which fields of the IPv6 base header have to be updated by a router upon forwarding a datagram? (1p)
The Hop Limit field.

A router has the IPv4 forwarding table shown below. Determine the next-hop address and the outgoing interface for the packets arriving to the router with destination addresses as given in points (b)-(e).

    Destination          Next hop         Flags   Interface
    180.12.32.0/19       -                U       m0
    152.63.16.0/21       -                U       m1
    10.151.192.0/23      -                U       m2
    192.168.16.0/24      -                U       m3
    10.151.192.128/28    192.168.16.31    UG      m3
    152.63.32.0/22       152.63.19.43     UG      m1
    192.168.17.0/25      180.12.38.3      UG      m0
    0.0.0.0/0            180.12.36.141    UG      m0

b) 192.168.17.231 (1p)
180.12.36.141 on m0 (default route)

c) 10.151.192.142 (1p)
192.168.16.31 on m3

d) 152.63.35.93 (1p)
152.63.19.43 on m1

e) 192.168.16.143 (1p)
192.168.16.143 on m3 (direct delivery)

4. TCP (5p)

a) What is the purpose of flow control in TCP? (1p)
The purpose of TCP flow control is to make sure that the sender does not overwhelm the receiver with data...

b) What is the silly window syndrome? How can it occur? What mechanisms does TCP have to combat the silly window syndrome? (2p)
In general: small amounts of data (tinygrams) are sent. There are two kinds: receiver driven and sender driven.
Receiver driven: slow receiver application, and hence receiver TCP announces very small rcwnd sizes. Solution: Clark's solution (do not announce less than rcwnd/2).
Sender driven: sender application generates data in small chunks, and hence sender TCP sends small amounts of data in the segments. Solution: Nagle's algorithm (there cannot be more than one outstanding tinygram in the network).

c) Explain the role of the TIME_WAIT timer in TCP connection teardown. (1p)
Consider two TCP sockets A and B. During connection termination A sends a FIN segment to B, which is acknowledged by B. The acknowledgement can however get lost, in which case A will resend the FIN segment after the RTO. The retransmitted FIN segment should be acknowledged by B again. Hence, after acknowledging the FIN segment, B has to keep on listening (is in a TIME_WAIT state). In case the FIN segment is resent by A, it has to acknowledge the segment again. B will stay in TIME_WAIT state until the TIME_WAIT timer expires, then it closes the socket. The TIME_WAIT timer expires after some OS dependent amount of time, typically in the order of minutes.

d) The original TCP congestion control decreases the congestion window size to 1 MSS whenever a retransmission timeout occurred and it enters slow start. How did this change with the introduction of fast recovery? When is fast recovery applicable and how does it relate to fast retransmit? (1p)
With fast recovery congestion control does not enter slow start if the sender receives 3 duplicate ACKs, but it retransmits the missing segments (it assumes that the missing segment was not lost due to congestion because three subsequent packets arrived) and then sets the congestion window to half the original congestion window size + the number of duplicate ACKs x MSS (this is the inflation). The CWND is deinflated once the missing segment is ACKed. This should happen before the RTO elapses: if the timeout occurs then congestion control enters slow start (fast recovery is not used). Fast retransmit is the act of retransmitting the missing segment after three duplicate ACKs, so the two are tightly coupled.

Part two (Problems 5-12)

5. UDP and fragmentation (5p)

a) What is the purpose of the IPv6 fragmentation extension header? What fields does it contain and what for? Is there an IPv4 option header that serves the same purpose? (1p)
The base IPv6 header does not contain fields for fragmentation. If the sender would like to fragment a datagram it inserts the FEH. The FEH will carry the fragment offset, the MF bit and the fragment identification. There is no option header in IPv4 for this purpose, because in IPv4 fragmentation information is carried in the base header (fragmentation offset, DF, MF).

b) Why do routers not perform reassembly in IPv4? Give two reasons! (1p)
(i) The fragments of a datagram do not have to traverse the same path, hence a router might not receive all fragments.
(ii) The datagram might need to be fragmented again upon arriving to another link with a small MTU.
(iii) Reassembly is resource intensive (memory + timers), it would load the routers.

c) An application wants to transmit 2940 bytes of data via UDP from host A to host B. Path MTU recovery reports a path MTU of 1700 bytes. The UDP header is 8 bytes long. The MTU of the first link is 2500 bytes, the MTU of the second link is 1700 bytes, the MTU of the third link is 3000 bytes. The network layer protocol is IPv6. How many IP fragments will be sent by host A? Give the segment sizes, the fragmentation offset and the more fragments (MF) bit of all fragments. (The IPv6 fragmentation extension header is 8 bytes long.) (2p)
Total amount of data to be sent is 2940+8=2948 bytes. 40 bytes IPv6 base header, 8 bytes FEH = 48 bytes of IP header in every packet. The maximum amount of payload is 1652 bytes, not divisible by 8 bytes. Host A sends two segments:

    Fragment   Payload size   MF   Offset in bytes
    1          1648           1    0
    2          1300           0    1648

d) Name one transport layer protocol besides UDP and TCP, and briefly describe how it differs from UDP and TCP in terms of the services it provides. (1p)
DCCP: provides congestion control but no flow control and reliability.
SCTP: packet based, provides congestion control and reliability, allows multiple streams to exist in the same connection, and supports multiple end-points on the same host (for multihomed hosts).

6. Application layer (5p)

a) Describe the difference between the purpose of data encoding and the definition of data structures. Name one method of data encoding and one way of (standardized or de facto standard) data structure definition. (1p)
Data encoding specifies the way data is represented for storage or transmission. One example is TLV encoding. The definition of a data structure describes the types of the data and the high level structuring. One example is ABNF.
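The fragment plan from problem 5 c) can be reproduced, and checked from the receiver's side, with the short Python sketch below. It is an added example, not part of the exam or its solutions; the function names and the identification value used with it are assumptions made for illustration.

```python
import struct

IPV6_BASE_HDR = 40   # bytes, fixed IPv6 base header
FRAG_EXT_HDR = 8     # bytes, fragmentation extension header (FEH)
UDP = 17             # Next Header value carried in the FEH for UDP


def plan_fragments(upper_layer_len, path_mtu):
    """Return [(payload_bytes, mf_bit, offset_bytes), ...] for one datagram.

    upper_layer_len is the fragmentable part (here: UDP header + data).
    """
    if path_mtu < 1280:
        raise ValueError("IPv6 requires an MTU of at least 1280 bytes")
    if upper_layer_len + IPV6_BASE_HDR <= path_mtu:
        return [(upper_layer_len, 0, 0)]           # fits, no FEH needed
    room = path_mtu - IPV6_BASE_HDR - FRAG_EXT_HDR
    chunk = room - room % 8    # non-final fragments carry a multiple of 8 bytes
    plan, offset = [], 0
    while offset < upper_layer_len:
        size = min(chunk, upper_layer_len - offset)
        more = 1 if offset + size < upper_layer_len else 0
        plan.append((size, more, offset))
        offset += size
    return plan


def pack_feh(next_header, offset_bytes, more, ident):
    """Build the 8-byte FEH: next header, reserved, offset/flags, identification."""
    if offset_bytes % 8 or not 0 <= offset_bytes <= 0x1FFF * 8:
        raise ValueError("offset must be a multiple of 8 that fits in 13 bits")
    off_flags = ((offset_bytes // 8) << 3) | (more & 1)
    return struct.pack("!BBHI", next_header, 0, off_flags, ident)


def unpack_feh(raw):
    """Return (next_header, offset_bytes, mf_bit, identification)."""
    next_header, _reserved, off_flags, ident = struct.unpack("!BBHI", raw)
    return next_header, (off_flags >> 3) * 8, off_flags & 1, ident


def check_reassembly(fragments):
    """Receiver-side check on [(feh_bytes, payload_len), ...].

    Returns the reassembled length; raises ValueError on a gap, an overlap
    or an MF bit that does not match the fragment's position.
    """
    parsed = sorted((unpack_feh(h)[1], unpack_feh(h)[2], n) for h, n in fragments)
    expected = 0
    for i, (offset, more, size) in enumerate(parsed):
        is_last = i == len(parsed) - 1
        if offset != expected:
            raise ValueError(f"gap or overlap at byte {expected}")
        if bool(more) == is_last:
            raise ValueError("MF bit inconsistent with fragment position")
        expected += size
    return expected


if __name__ == "__main__":
    # Values from problem 5 c): 2940 bytes of data + 8 bytes UDP header.
    for size, more, offset in plan_fragments(2940 + 8, 1700):
        print(f"payload={size} MF={more} offset={offset}")
```
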

b) FTP can operate in passive or in active mode to transfer a file. What are these two modes, and in which case is one preferred over the other? (1p)
Active mode is when it is the server that establishes the data connection (i.e., the server issues an active open). Passive mode is when it is the client that establishes the data connection (i.e., the server issues a passive open). Passive mode is preferred if the client is behind a NAT box or a firewall.

c) What is the purpose of a mail transfer agent (MTA)? What entities (related to mail delivery) does an MTA communicate with? What application layer protocols does an MTA typically implement? What do these protocols serve for? (1p)
An MTA should support SMTP to receive mail from a UA, and to communicate with other MTAs. It should also support a mail access protocol (MAP) such as IMAP or POPv4 so that the UA can access the mail.

d) What is the purpose of the real-time streaming protocol (RTSP)? Name one command used by RTSP. (1p)
RTSP is used to control the transmission of streaming data. It enables interactivity, as it allows for starting, pausing, seeking, and resuming the streaming of the data from a server. The most important messages are SETUP, PLAY, PAUSE, TEARDOWN.

e) What is delay jitter? How does delay jitter affect the performance of TCP? (1p)
Delay jitter is the variation of the one way transmission delay between two hosts. The one way delay influences the arrival process of the acknowledgements from the receiver to the sender. If the delay jitter is high, the RTO will be increased (because of the increase of RTTvar). In case of a packet loss, it will take more time for a retransmission to happen. If jitter happens in spikes then jitter can lead to unnecessary retransmissions (i.e., the RTO is too small and expires even though an acknowledgement is already on the way).

7. DNS (5p)

The following is an example of a zone file for bind used in the lab course:

    $ORIGIN example.com
    $TTL 86400
    @       IN  SOA    dns1.example.com. hostmaster.example.com. (
                       2001062501 21600 3600 604800 86400 )
            IN  NS     dns.example.com.
            IN  MX     20 mail1.example.com.
            IN  A      1.0.1.5
    server  IN  A      1.0.1.5
    dns     IN  A      1.0.1.2
    ftp     IN  CNAME  server
    mail    IN  CNAME  server
    mail2   IN  CNAME  server
    www     IN  CNAME  server

Answer the following questions:

a) Explain all resource record types appearing in the zone file. (2p)
SOA - Start of Authority: Describes a zone.
NS - Name of nameserver for name/zone.
MX - Name of mail-server for name/zone.
A - Gives IPv4 address of name.
CNAME - Provides an alias to a (canonical) name. Above, server is the canonical name with many aliases.

b) Propose an extra record enabling IPv6 access of example.com's web service. (1p)
http IN AAAA 2001::1, for example.

c) What is the difference between a DNS zone and a DNS domain? Use example.com as an example. (1p)
DNS uses a hierarchical name space, where all names are organized in a tree structure. A domain is a sub-tree in the domain space, i.e., all nodes under a given point in the domain structure. A zone is a unit of delegation in the name space, a contiguous part of the tree. If no further delegations are made, a zone and a domain are the same thing. But if further delegations within a domain have been made, the zone is the domain minus the sub-zones within it. A zone can therefore be seen as a sub-tree with pruned branches.

d) What is the difference between an authoritative ("advertizing") nameserver and a resolving nameserver? (1p)
A resolving nameserver performs recursive lookups on behalf of clients. It caches results that can be re-used by other client lookups. An authoritative nameserver is authoritative for a zone and answers iterative requests from resolving nameservers.

8. Routing 1 (10p)

A newly started operator in the Internet business has 40 small customers and 5 large customers. It buys transit access with two upstream providers. It runs a link-state routing protocol as IGP (Interior Gateway Protocol) and BGP (Border Gateway Protocol) toward its upstream providers. The operator has obtained the prefix block 12.6.192.0/19 from a local internet registry. It uses a separate block 12.6.223.0/24 for its own core addressing.

a) The 40 small customers require 50 addresses each, and the 5 large customers require 200 addresses each. Propose an address assignment that is both minimal (not larger address block than necessary) and has potential for future growth. (Every block should be possible to expand without renumbering: it should be possible to assign to any customer a single new block that contains twice as many addresses as the original block. The old block should be a subset of the new block.) (3p)
The address block is: 12.6.192.0-12.6.223.255. For the small customers a /26 is minimal since it has 64 addresses. Every small customer can have one such block each, and a /26 block is left as a hole between each to be extendible: 12.6.192.0/26, 12.6.192.128/26, 12.6.193.0/26, 12.6.193.128/26, ..., 12.6.211.0/26, 12.6.211.128/26. Every large customer will get a /24 since it corresponds to 256 addresses. Leaving a block for extensibility gives: 12.6.212.0/24, 12.6.214.0/24, 12.6.216.0/24, 12.6.218.0/24, and 12.6.220.0/24.

b) The operator aggregates its prefixes and announces the single aggregated route 12.6.192.0/19 to both its transit providers. What benefits does route aggregation have? (1p)
Fewer routes lead to smaller routing and forwarding tables, which leads to less control traffic, faster table lookups and faster convergence. And sometimes faster forwarding (if in sw).
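The assignment from problem 8 a) can be generated and audited with Python's ipaddress module: the sketch below builds the plan, verifies that every customer block can be doubled in place without colliding with a neighbour or the core block, and lists the prefixes inside the /19 that remain unallocated. It is an added example, not part of the exam or its solutions; the function names are assumptions, while the prefixes and customer counts come from the problem text.

```python
import ipaddress

PARENT = ipaddress.ip_network("12.6.192.0/19")   # operator's block (from the problem)
CORE = ipaddress.ip_network("12.6.223.0/24")     # core addressing (from the problem)


def minimal_prefixlen(addresses_needed):
    """Longest IPv4 prefix whose block holds at least addresses_needed addresses."""
    return 32 - max(addresses_needed - 1, 0).bit_length()


def assign(start, count, addresses_needed):
    """Hand out `count` minimal blocks beginning at `start`.

    Each block is the lower half of a reserved block twice its size, so it
    can later be doubled without renumbering. Returns (blocks, next_free).
    """
    plen = minimal_prefixlen(addresses_needed)
    step = 2 ** (32 - plen + 1)            # block plus its growth reserve
    base = int(ipaddress.IPv4Address(start))
    if base % step:
        raise ValueError("start address is not aligned to the growth block")
    blocks = [ipaddress.ip_network((base + i * step, plen)) for i in range(count)]
    return blocks, ipaddress.IPv4Address(base + count * step)


def growth_is_safe(blocks, parent=PARENT, core=CORE):
    """True if every block's doubled supernet stays inside parent and is disjoint."""
    reserved = [b.supernet() for b in blocks]
    for i, r in enumerate(reserved):
        if not r.subnet_of(parent) or r.overlaps(core):
            return False
        if any(r.overlaps(other) for other in reserved[i + 1:]):
            return False
    return True


def unallocated(used, parent=PARENT):
    """Prefixes inside parent that are covered by none of the used blocks."""
    free = [parent]
    for u in used:
        remaining = []
        for f in free:
            if u.subnet_of(f):
                remaining.extend(f.address_exclude(u))   # split f around u
            else:
                remaining.append(f)
        free = remaining
    return list(ipaddress.collapse_addresses(free))


def build_plan():
    """40 customers needing 50 addresses, then 5 customers needing 200."""
    small, next_free = assign("12.6.192.0", 40, 50)
    large, _ = assign(next_free, 5, 200)
    return small, large


if __name__ == "__main__":
    small, large = build_plan()
    print("small:", small[0], small[1], "...", small[-1])
    print("large:", ", ".join(map(str, large)))
    print("growth safe:", growth_is_safe(small + large))
    holes = unallocated(small + large + [CORE])
    print(len(holes), "unallocated prefixes, e.g.", holes[0], holes[-1])
```
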

c) The announcement of the aggregated route causes black-holing of some prefixes (prefixes not allocated). In your example from exercise (a), which prefixes are black-holed, and what happens to traffic sent from a remote source to such a destination? (1p)
In this example, the prefixes 12.6.192.64/26, 12.6.192.192/26, ..., 12.6.211.64/26, 12.6.211.192/26, 12.6.213.0/24, 12.6.215.0/24, 12.6.217.0/24, 12.6.219.0/24, 12.6.221.0/24, 12.6.222.0/24 are black-holed. Traffic to these destinations is dropped (ICMP unreachables can be sent).

d) The operator uses equal-cost multipath in its network. What is equal-cost multipath? Does OSPF, for example, support it? (1p)
Equal-cost multipath is when more than one route is computed to a destination with equal metrics. Yes, OSPF supports equal-cost multipath, so do most routing protocols.

e) The operator connects to an Internet exchange point to peer with similar operators. How does this differ from a transit or customer relation and why is this common among operators? (1p)
Peering is usually done without charges (except for equipment) and the two peers exchange customer traffic only. That is, no transit traffic passes through the peering.

f) May asymmetric routing appear in the operator network shown? Why/why not? (1p)
Yes. Asymmetric routing can appear in many places. For example, since the operator is multihomed (it uses two backbone providers) a packet sent to a destination via one transit operator may in its return path (the answer to the original packet) choose the other operator. Thus the path to a destination differs from the path from the destination. Asymmetric routing may also appear internally in the operator, or between the operator and one of its customers/peering partners/transit operators if they have more than one peering point.

g) The operator decides to load balance its incoming traffic from its two transit providers for economic reasons. More specifically, it wants to receive more traffic from one than the other. Propose a method with which the provider can do this. Point out any potential disadvantage with your method. (2p)
The most common method is to announce different prefixes to the different transit operators. But the drawback is that the aggregation is destroyed.

9. VPNs, security, NAT (5p)

a) What is the difference between a private network and a virtual private network (VPN)? Name one significant reason (from a technological perspective) why it is more difficult to construct a VPN than a private network.
A VPN uses a common network infrastructure (such as the Internet or a provider network) which it shares with other networks. A private network on the other hand is completely isolated. Technological challenges include addressing (separating private addressing) and security (e.g. privacy).

b) Name two examples of address spoofing in two different protocols and its potential effects. (1p)
Rewriting of protocol header fields, typically (source) addresses. Examples: ARP spoofing causes redirection of IP traffic, DNS spoofing may cause cache poisoning. Many other examples available.

c) Give two examples of how denial of service attacks may be caused using two different (IP-based) protocols. (1p)
Many examples. Including TCP SYN flood.

d) Explain why NAT (Network Address Translation) causes many IP based services and applications to stop working. (2p)
Difficult to communicate between two computers behind different NATs. Also difficult to access computers behind a NAT. Port forwarding can be used by manual configuration, but port forwarding can only be done to one computer (per port). Also NAT rewrites header fields but may not change inner headers or payload fields, making third-party references invalid.

10. Multicast (5p)

Please answer the following questions:

a) How are IPv4 multicast packets mapped to Ethernet multicast frames? (1p)
IPv4 packets are mapped to Ethernet frames by prepending the first 25 bits of the well-known 01:00:5E:00:00:00 IP multicast MAC address prefix to the 23 least significant bits of the IPv4 multicast address.

b) What is the limitation of this mapping and what consequences does this limitation have (on end-hosts)? (1p)
IPv4 multicast addresses are class D addresses with 28 significant bits. But since only 23 bits are used in the Ethernet frame, the mapping is not one-to-one, so that all IPv4 multicast addresses differing in their five most significant bits map into a single Ethernet address. This means that if a host joins a single multicast group, traffic to other groups mapping to the same Ethernet address may be delivered to the host IP stack. The host must therefore filter this itself in upper layers (IP layers), most often in software.

c) What is RPF (Reverse Path Forwarding) and why is it often used in multicast forwarding? (1p)
RPF makes a regular unicast lookup but uses the source address instead of the destination. Multicast forwarding uses RPF in its flooding algorithm: only packets received on the interface matching the RPF lookup are forwarded.

d) What are the differences between a group shared tree and source based tree in multicast protocols such as PIM-SM (Protocol-Independent Multicast - Sparse Mode)? Compare advantages and disadvantages. (1p)
A group-shared tree is a single tree (in a domain) built for delivery of multicast traffic from a single point in the network to the set of receivers of a group. A source-based tree is a separate tree for every sender (and group). Source-based trees are more efficient in terms of forwarding metric, while group-shared trees are more efficient in terms of forwarding state. A drawback with group-shared trees is that senders need a mechanism to send their traffic to the tree. A drawback with source-based trees is usually that senders and receivers need a way to synchronize.

e) What is a rendezvous point (RP) in PIM-SM? What is its role from a protocol perspective? (1p)
It is a central point in the network for all or a set of multicast groups from where the group-shared trees are built. Its role is to act as a synchronization point where receivers and senders "meet": senders (or actually the DR of the sender) register with the RP, while receivers (their DR) send a JOIN towards the RP. As soon as multicast packets from a new sender reach the DR of a receiver, they are synchronized and a source-based tree may be built.

11. Mobile IP (5p)

IP mobility is a proposed solution where a mobile node can visit other (foreign) networks and continue communicating with remote applications. Explain how mobile IP works, its architecture, protocol phases when a mobile node moves, and performance issues.

In mobile IP, the home agent is the router (or server) hosting the home address of the mobile node. When the mobile changes location, it registers its secondary addresses with the home agent, so that the home agent can forward datagrams using tunneling and the secondary address.

Discovery: A mobile node uses a discovery procedure to identify home agents and foreign agents. Mobile discovery extends ICMP router advertisements and solicitations.

Registration: A mobile node uses an authenticated registration procedure to inform its home agent of its care-of address. Registration uses a special application-level header and transports the registration information over UDP. The foreign agent may relay the registration to the home agent.

Tunneling: Used by the home agent to forward IP datagrams to a care-of address. Tunneling can use IP-in-IP tunneling, GRE tunneling or IPSec tunneling.

Two common performance inefficiencies in mobile IP are triangular delivery and dual crossing. In triangular delivery, packet delivery is done between three points: from the remote host (R) to the home agent (H) to the mobile node (M) and back to the remote host (R). Dual crossing is an extreme case of triangular delivery when M and R are close (network-wise) but H is far away: packets will then travel twice over the same network path to the remote place H.
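Returning to problem 10 a) and b): the Python sketch below carries out the IPv4-to-Ethernet multicast mapping, enumerates the 32 group addresses that share one Ethernet address, and models the two filtering stages on a receiving host. It is an added example, not part of the exam or its solutions; the function names and the sample group addresses are constructed for illustration.

```python
import ipaddress

MAC_PREFIX = 0x01005E000000     # 01:00:5E:00:00:00, the upper 25 bits are fixed
LOW23 = 0x7FFFFF                # 23 least significant bits of the group address


def multicast_mac(group):
    """Ethernet multicast address used for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D (224.0.0.0/4) address")
    mac = MAC_PREFIX | (int(addr) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def aliases(group):
    """All 32 class D addresses that map to the same Ethernet address.

    A class D address is 1110 followed by 28 bits; the mapping discards the
    upper 5 of those 28 bits, so they can take any of 2**5 values.
    """
    low = int(ipaddress.IPv4Address(group)) & LOW23
    return [ipaddress.IPv4Address((0xE << 28) | (hi << 23) | low) for hi in range(32)]


def deliver(joined_groups, dst_ip):
    """Model the two filtering stages on a host for one incoming frame.

    Stage 1: the NIC accepts frames whose destination MAC belongs to a joined
    group. Stage 2: the IP layer compares the full destination address.
    """
    joined = {ipaddress.IPv4Address(g) for g in joined_groups}
    nic_filter = {multicast_mac(g) for g in joined}
    if multicast_mac(dst_ip) not in nic_filter:
        return "dropped by NIC"
    if ipaddress.IPv4Address(dst_ip) not in joined:
        return "dropped by IP layer"
    return "delivered"


if __name__ == "__main__":
    joined = ["224.1.1.1"]                      # constructed sample group
    for dst in ("224.1.1.1", "225.129.1.1", "224.1.1.2"):
        print(dst, multicast_mac(dst), deliver(joined, dst))
    print(len(aliases("224.1.1.1")), "groups share", multicast_mac("224.1.1.1"))
```
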