Examination
DD2392 Protocols and Principles of the Internet
EP2120 Internetworking
Date: 10 March 2009 at 8:00-13:00

a) No help material is allowed - you are not allowed to use dictionaries, books, or calculators!
b) You may answer questions in English or in Swedish.
c) Please answer each question on a separate page.
d) Please write concise answers!
e) Put a mark in the table on the cover page for each question you have addressed.
f) The grading of the exam will be completed no later than 1 April 2009.
g) After grading, the exams will be available for inspection at STEX (Q-building).
h) Deadline for written complaints is 30 April 2009.
i) Course responsible DD2392 is Olof Hagsand, phone 08-790 6534.
j) Course responsible EP2120 is György Dán, phone 08-790 4253.

Important note! Please start with problems 1-4, because your grade is F if you do not reach at least 15 (fifteen) points out of 20 for problems 1-4!
Part one (Problems 1-4)

1. IP addressing and IP header (5p)

a) You want to install a wireless router at home. The router obtains the public IP address 195.54.105.100 on its wired interface from your ISP (towards the Internet), and can be configured to use private IP addresses from the block 172.197.18.0/23 on its wireless interface. You plan to use at most 15 computers simultaneously at home, and would like to use the smallest possible subnet on the wireless interface. What is the longest possible netmask for the subnet? (1p)
You will need 18 addresses (15 for hosts, 1 network, 1 broadcast, 1 router), so you will need a /27 network. The netmask is 255.255.255.224.

b) Give the network address of your subnet in CIDR notation! Propose an IP address for the wireless interface of the wireless router! (1p)
The network address is 172.197.18.0/27. The router could use 172.197.18.1.

c) What is the directed broadcast address of the subnet? (1p)
172.197.18.31

d) Why is there a limitation on the maximum size of the IPv4 options? What is the maximum size of the IPv4 options? Name one IPv4 option that is affected by the size limitation (affected in the sense that its usefulness is limited because of the size limitation). (1p)
Because the header length field is 4 bits long and has a granularity of 4 bytes. The maximum size of the header is 60 bytes, of which 20 bytes is the base header. Examples: strict source route, loose source route, timestamp, record route.

e) What is the maximum size of an IPv6 datagram? Why? (1p)
With the jumbo payload extension header it is 2^32-1.

2. Delivery and address resolution (5p)

a) When is direct delivery used to deliver a datagram in an IP network? (1p)
If the destination host is on the same link as the host that tries to send the datagram.

b) Which protocol is used to perform address resolution in IPv6? (1p)
ICMPv6 neighbour solicitation and advertisement.

Consider the following IPv4 network consisting of 2 bridges and 1 router.
Hosts H1 to H6 have one interface each. B1 and B2 are learning bridges. R1 is a router with an appropriate routing table. All ARP caches and the bridges' learning tables are empty. Assume that ARP snooping is used.

[Figure: hosts H1-H6, learning bridges B1 and B2, and router R1]
c) Add the necessary physical (MAC) and logical (IP) addresses, and identify the subnets! Use small letters to denote the MAC addresses and capital letters to denote the IP addresses (e.g., a-A). (1p)
The bridges do not need an IP address or a MAC address. The router has addresses g-G, h-H, i-I, j-J, starting from the interface to H3 clockwise.

d) A process on host H5 sends 100 bytes via UDP to a process on host H6. Show the contents of the learning tables and the ARP caches after the packet has been delivered. Assume that the process on host H5 knows the IP address of host H6. (1p)
H5: f-F
H6: e-E
R1: e-E
B2: e: west, f: east

e) A process on host H6 sends 100 bytes via UDP to a process on host H1. Assume that the process on host H6 knows the IP address of host H1. Show the new contents of the ARP caches and the learning tables. (1p)
R1: f-F
H6: j-J
B2: j: north
B1: h: south, a: west
R1: a-A
H1: h-H
H2: h-H

3. IP forwarding (5p)

a) Which fields of the IPv4 base header have to be updated by a router upon forwarding a datagram (assume that fragmentation is not needed)? (1p)
The TTL field and the header checksum.

A router has the IPv4 forwarding table shown below. Determine the next-hop address and the outgoing interface for packets arriving at the router with the destination addresses given in points (b)-(e).

Destination        Next hop        Flags  Interface
133.15.16.0/24     -               U      m0
142.13.0.0/16      -               U      m1
82.93.192.0/18     -               U      m2
171.171.80.0/20    133.15.16.2     UG     m0
160.43.12.0/23     82.93.193.161   UG     m2
82.93.224.0/20     133.15.16.131   UG     m0
160.43.14.0/23     142.13.0.52     UG     m1
0.0.0.0/0          142.13.42.9     UG     m1

b) 171.171.97.134 (1p)
142.13.42.9 on m1 (default route)

c) 82.93.225.78 (1p)
133.15.16.131 on m0

d) 160.43.16.78 (1p)
142.13.42.9 on m1 (default route)

e) 82.93.240.189 (1p)
82.93.240.189 on m2 (direct delivery)
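As an added worked example (not part of the exam), the subnet sizing of problem 1a-c and the longest-prefix-match lookups of problem 3b-e, done with Python's standard ipaddress module; the address block, the forwarding table and the four destination addresses are the ones given above.

```python
import ipaddress

def smallest_subnet(block, hosts, routers=1):
    """Problem 1a-c: the smallest subnet of `block` that holds `hosts` hosts,
    `routers` router interfaces, plus the network and broadcast addresses."""
    net = ipaddress.ip_network(block)
    needed = hosts + routers + 2                      # + network + broadcast
    prefix = 32
    while (1 << (32 - prefix)) < needed:              # shortest prefix that fits
        prefix -= 1
    if prefix < net.prefixlen:
        raise ValueError(f"{block} cannot hold {needed} addresses")
    sub = next(net.subnets(new_prefix=prefix))        # first /prefix inside the block
    return {
        "network": str(sub),                          # 1b: CIDR network address
        "netmask": str(sub.netmask),                  # 1a: longest netmask
        "router": str(sub.network_address + 1),       # 1b: first host address
        "broadcast": str(sub.broadcast_address),      # 1c: directed broadcast
    }

# Forwarding table of problem 3: (destination, next hop or None, interface).
# A missing next hop (flag U without G) means a directly connected network.
FORWARDING_TABLE = [
    ("133.15.16.0/24", None, "m0"),
    ("142.13.0.0/16", None, "m1"),
    ("82.93.192.0/18", None, "m2"),
    ("171.171.80.0/20", "133.15.16.2", "m0"),
    ("160.43.12.0/23", "82.93.193.161", "m2"),
    ("82.93.224.0/20", "133.15.16.131", "m0"),
    ("160.43.14.0/23", "142.13.0.52", "m1"),
    ("0.0.0.0/0", "142.13.42.9", "m1"),
]

def lookup(dst, table=FORWARDING_TABLE):
    """Longest-prefix match; returns (next-hop address, interface, how).
    For a directly connected network the next hop is the destination itself."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    if best is None:
        return None                                   # no route at all
    net, nexthop, iface = best
    if nexthop is None:
        return (dst, iface, "direct delivery")
    how = "default route" if net.prefixlen == 0 else "via gateway"
    return (nexthop, iface, how)

if __name__ == "__main__":
    print(smallest_subnet("172.197.18.0/23", 15))
    for dst in ("171.171.97.134", "82.93.225.78", "160.43.16.78", "82.93.240.189"):
        print(dst, "->", lookup(dst))
```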
4. TCP (5p)

a) Describe the purpose of TCP congestion control. (1p)
The purpose of TCP congestion control is to avoid overloading the network and to ensure fair usage of the network resources.

b) Describe how the congestion avoidance phase of TCP congestion control works. (1p)
Congestion avoidance starts when CWND surpasses SSTHRESH. It consists of additive increase and multiplicative decrease. If there are no losses, the congestion window CWND is increased by 1 MSS every time data worth a full congestion window has been transmitted (i.e., approximately every RTT). If a loss event is detected (retransmission timeout), then SSTHRESH is set to half of the current congestion window CWND and congestion control enters the slow start phase, i.e., the congestion window is set to CWND = 1 MSS.

c) Describe how the retransmission timeout (RTO) is calculated in TCP (describe both the case without losses and with losses). (2p)
RTO = sRTT + 4 RTTdev. The smoothed RTT (sRTT) estimate is calculated from the measured RTT values according to an exponentially weighted moving average. Similarly, the deviation of the RTT (RTTdev) is measured and updated using an exponentially weighted moving average. If a loss is detected (timeout), the RTO is doubled. The sRTT is not updated when the received acknowledgement concerns a retransmitted segment (Karn's algorithm).

d) You would like to use TCP to transmit data over a transmission link of 1 Mbps capacity. The end-to-end one-way delay is 100 ms. What is the minimum size of the receiver window that TCP should use if the link should be fully utilized? How can the receiver window be as big as needed? (1p)
The bandwidth-delay product of the link is 1,000,000 bps * 0.2 s = 200,000 bits = 200,000/8 bytes = 25,000 bytes. This is less than 65535, so there is no need for window scaling.

Part two (Problems 5-12)

5. UDP and fragmentation (5p)

a) What are the two major differences between how fragmentation is implemented in IPv4 and in IPv6?
(hint: where is fragmentation done and where is the necessary information transmitted) (1p)
In IPv6 fragmentation can only be done in the end hosts (not in the routers). In IPv6 the fragmentation-related information is carried in an extension header (not in the base header).

An application wants to transmit 2940 bytes of data via UDP from host A to host B. The UDP header is 8 bytes long. The path consists of two networks: the MTU of the first network is 1500 bytes, and the MTU of the second network is 1400 bytes.

b) The network layer protocol is IPv4, and there are no IP options used. How many IP fragments arrive at host B? Give the segment sizes, the fragmentation offset and the more fragments (MF) bit of all fragments. (3p)
The total amount of data to be sent is 2940+8 = 2948 bytes. The host sends two segments (fragment number, data size in bytes, MF bit, offset in bytes):
1, 1480, 1, 0
2, 1468, 0, 1480
The router has to fragment both fragments:
1, 1376, 1, 0
2, 104, 1, 1376
3, 1376, 1, 1480
4, 92, 0, 2856

c) The last fragment of the datagram is lost on the first link. How many bytes will be delivered to the receiving application and how much time after the reception of the penultimate fragment? (1p)
The datagram will be discarded after the fragment reassembly timeout expires at the receiving host. No data will be delivered to the receiving application.

6. Application layer (5p)

a) What does network byte order mean? Why is there a need for it? (1p)
Network byte order is the standard byte order used in the TCP/IP protocol stack. It is the big-endian order. A standard is needed so that network applications can exchange multi-byte words (they must know how to interpret the numbers).

b) Name two ways in which Multipurpose Internet Mail Extensions (MIME) extend SMTP. (1p)
Textual message bodies in other character sets, multi-part message bodies, header information in other character sets, non-textual message bodies.

c) What are the two major advantages (new features) of HTTP 1.1 compared to HTTP 1.0? (1p)
Persistent connections and compression.

d) What is the Session Initiation Protocol (SIP)? How does it relate to H.323? Name one SIP protocol message. (1p)
SIP is a signalling protocol for session management, originally developed for real-time communications. It provides more or less the same functionality as H.323. Example: INVITE.

e) What is delay jitter? How does the Real-time Transport Protocol (RTP) help to combat delay jitter? (1p)
Delay jitter is the variation of the one-way transmission delay between two hosts. RTP includes a timestamp. Using this timestamp the receiver knows when to play back the data contained in the individual packets from the playout buffer.

7. DNS I (5p)

Answer the following questions about DNS (Domain Name System). Please be concise.

a) What is a stub resolver?
A client library making recursive lookups to a resolving nameserver.

b) What is a resolving nameserver?
A nameserver that performs recursive lookups on behalf of clients. It caches results that can be reused by other client lookups.

c) What is an authoritative (advertising) nameserver?
A nameserver that is authoritative for a zone and answers iterative requests from resolving nameservers.

c) What is a master nameserver?
An authoritative nameserver containing the original zone data, e.g. in the form of a zone file. Changes to the zone file are loaded into the master nameserver. Also called primary nameserver.

d) What is a slave nameserver?
A slave nameserver (secondary) is also authoritative for a zone but gets the zone data from a master nameserver.

e) What is full zone transfer and how does it work?
Full zone transfer is when the complete zone information is transferred from a master nameserver to a slave nameserver. The slave periodically queries the master and when the
serial numbers do not match (if the master has a higher serial number), the master sends the complete zone file via TCP to the slave (AXFR).

f) How does incremental zone transfer work? How does it differ from full zone transfer?
Instead of sending all zone data, the master only sends the increments between the two versions. For this to work, the master must keep track of zone file differences, so that when the slave asks to be updated from a specific serial number, the master only sends the differences from that previous serial number to the most recent one. This is called IXFR and is also done over TCP.

g) How does DNS notify work?
When a change has been made in the master zone file, the master notifies all slaves of the change. The slaves can then proceed with IXFR or AXFR.

h) What is the full domain name (FQDN) of the IPv4 address 192.34.5.6 as it could appear in a PTR record?
6.5.34.192.inet.arpa

i) What is the full domain name (FQDN) of the IPv6 address 2001:6b0:1::246?
66.4.2.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.b.6.0.1.0.0.2.ip6.arpa

8. DNS II (5p)

Cache effectiveness is an important and fundamental part of the DNS design. Answer the following questions:

a) Assume that you have a large site with many resolving nameservers but a very limited bandwidth link to the rest of the Internet, which you want to use as little as possible. How can you design DNS at this site in order to increase caching? (2p)
A common way to make better use of caching on a site is to use one single nameserver as a forwarder. All other resolving nameservers on the site forward their external queries (queries for zones that they are not authoritative for) to the forwarder instead of querying the root nameservers (or other cached external nameservers). The forwarder itself makes external iterative queries starting with the root nameservers. With this arrangement, the forwarder builds up a common cache for all resolving nameservers of the site.
Note that this question is about resolving nameservers; there is no mention of zones and authoritative nameservers. Answers about master and slave nameservers or settings of TTL are not relevant.

b) DNS caches can be exploited by attackers using DNS cache poisoning. What is DNS cache poisoning? Explain its effects for an end-user, how it can be detected, and how it can be avoided. (1.5p)
DNS cache poisoning is done by inserting false DNS records into a caching (resolving) nameserver's cache. Specifically, it is common with a fake NS record redirecting queries to a nameserver under the control of an attacker. A user then makes accesses to what seems to be a real web page (for example) but which are in reality made to a fake site where false information can be planted. Without end-to-end security (such as TLS or SSH) it is difficult to detect false DNS mappings, since it is difficult to know which IP addresses are actually correct. One could query other nameservers or make recursive queries, but this is difficult in practice. DNSSEC is a systematic way to avoid cache poisoning.

d) Describe one method an attacker may use to perform DNS cache poisoning. (1.5p)
(1) An attacker tries to inject false replies to queries made by a resolving nameserver A towards an advertising nameserver B. The attacker must spoof a message which A accepts as correct before the correct reply is received from B. To do this, the attacker must know (or guess) the source port of A, the transaction id and the destination address B. Additionally, the attacker can also slow down the reply by (e.g.) attacking B and thus get more time to fake a reply.
(2) Another way is to lure a client to make an access to a rogue nameserver which in its response
will append glue records for a well-known NS mapping to a rogue address. Other clients using the same resolving nameserver A will be directed to the rogue address when querying for addresses of the well-known domain.

9. Routing I (5p)

Please answer the following questions in a concise way.

e) What is asymmetric routing?
Traffic between two end-points takes different paths in the two directions: the outbound traffic takes a different path than the return traffic.

f) What is equal-cost multi-path?
Several paths computed by a routing protocol with equal costs. Such paths can be used for load-balancing of traffic.

g) What is route preference (also known as administrative distance)?
The priority of different protocols. For example, a route computed by BGP can have a higher route-preference value than the same route computed by OSPF, in which case the OSPF route is preferred over the BGP route.

h) Explain the hot-potato routing policy.
If an external route is announced to a network on several exits, a hot-potato routing policy chooses the closest exit.

i) What is the difference between a routing information base (RIB) and a forwarding information base (FIB)?
A RIB contains all routing protocol information necessary for computing routes. A FIB is a compiled table of forwarding information including sufficient information to make a local lookup. RIBs contain per-protocol information; FIBs are optimized for fast lookups. RIBs are in the control plane, FIBs are made for the data plane.

j) What is route redistribution?
The transfer of a route from one routing protocol to another. For example, routes from an internal routing protocol can be redistributed into BGP.

k) What is an aggregate route? When is it used?
A route composed of several sub-routes. Often used when announcing a more general route from a sub-network.

l) What are the most important advantages of link-state routing protocols compared to distance-vector routing protocols?
Full topology information, giving more correct route computation, faster convergence, better debugging information, and less protocol traffic.

m) How does path-vector extend distance-vector? In particular, how does path-vector extend distance-vector in the case of BGP (Border Gateway Protocol)?
Path-vector records the path along which a route has been propagated in order to detect loops. In BGP the path vector consists of a vector of AS numbers.

n) Name three methods to counter the count-to-infinity instability problem encountered in distance-vector protocols.
Split horizon, poison reverse, triggered update, hold-down.
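Added example (not from the exam): the link-state computation of 9l with the equal-cost multipath detection of 9f, run on the AS1 topology that problem 10 below uses. The link costs are the ones the Dijkstra table in the answer to 10a implies; the figure itself is not reproduced, so its exact drawing is an assumption here.

```python
import heapq

# Links of AS1 (problem 10), undirected, with the costs implied by the
# Dijkstra table in the answer to 10a (reconstructed from that table).
LINKS = [
    ("C", "11.1.0.0/24", 4), ("C", "D", 2), ("C", "E", 8), ("C", "F", 8),
    ("D", "E", 3), ("D", "G", 10), ("E", "F", 3), ("F", "G", 3),
    ("G", "11.1.1.0/24", 4),
]

def build_graph(links):
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    return graph

def dijkstra_ecmp(graph, source):
    """Return {node: (cost, next_hops)}.  next_hops is the set of the
    source's neighbours through which a shortest path to node runs; more
    than one entry means equal-cost multipath (ECMP)."""
    dist = {source: 0}
    next_hops = {source: set()}
    tentative = [(0, source)]            # min-heap: the tentative set
    permanent = set()
    while tentative:
        cost, u = heapq.heappop(tentative)
        if u in permanent:               # stale heap entry
            continue
        permanent.add(u)                 # u moves to the permanent set
        for v, w in graph[u]:
            new_cost = cost + w
            # Next hop for v: v itself when u is the source, else u's next hops.
            hops = {v} if u == source else next_hops[u]
            if v not in dist or new_cost < dist[v]:
                dist[v] = new_cost
                next_hops[v] = set(hops)
                heapq.heappush(tentative, (new_cost, v))
            elif new_cost == dist[v]:
                next_hops[v] |= hops     # same cost, another next hop: ECMP
    return {n: (dist[n], next_hops[n]) for n in dist}

def ecmp_destinations(result):
    """Destinations with more than one next hop, i.e. ECMP routes."""
    return sorted(n for n, (_, hops) in result.items() if len(hops) > 1)

if __name__ == "__main__":
    spf = dijkstra_ecmp(build_graph(LINKS), "C")
    for node, (cost, hops) in sorted(spf.items(), key=lambda kv: kv[1][0]):
        print(f"{node}({cost}) via {sorted(hops)}")
    print("ECMP to:", ecmp_destinations(spf))
```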
10. Routing II (5p)

[Figure: autonomous system AS1 with routers C-G, uplinks A (peering with C) and B (peering with G), access networks 11.1.0.0/24 and 11.1.1.0/24, and the link metrics of the internal network]

Consider the multi-homed network in the figure consisting of routers C-G that constitute the autonomous system AS1. A and B are uplinks in two different autonomous systems. Assume routers C-G run a link-state routing protocol such as OSPF (Open Shortest Path First) as intradomain routing protocol. The link metrics are shown in the figure for the internal network. There are two BGP (Border Gateway Protocol) sessions, between A-C and B-G. There are two access networks, 11.1.0.0/24 and 11.1.1.0/24. All other links are unnumbered point-to-point links, with no IP subnet associated. The router-ids given in the figure (A-G) represent routable IP host addresses. Initially there is no transit traffic passing through AS1.

a) Run Dijkstra's algorithm from router C for the internal network AS1. Use C-G as router-ids that should be part of the computation, along with the two access networks. Complete the table below, indicating each step in the computation. Indicate the cumulative cost in parentheses after the router-id/network. Are there any equal-cost multipath routes? (3p)

Step  Permanent set        Tentative set                        Comment
1     C(0)                 11.1.0.0/24(4), D(2), E(8), F(8)     C's neighbors added to tentative
2     + D(2)               11.1.0.0/24(4), F(8), E(5), G(12)    D added to permanent, and its neighbors added to tentative
3     + 11.1.0.0/24(4)     F(8), E(5), G(12)
4     + E(5)               F(8), G(12), F(8)                    Note, two equal-cost paths to F with two different next hops!
5     + F(8)               G(11)
6     + G(11)              11.1.1.0/24(15)
7     + 11.1.1.0/24(15)

Equal-cost multipath is first found to F (from C) and to all networks reached through F: G and 11.1.1.0/24.

b) Assume you want all external traffic (both incoming and outgoing) to pass via the C-A peering and no external traffic to pass via the G-B peering. How would you configure your routing? Explain in words how your intra-domain routing protocol and BGP should be configured, and how routes should be announced and/or redistributed. (2p)
C announces the prefixes of AS1 externally via BGP while no prefixes are announced by G, in order to get all incoming traffic via C. To get all outgoing traffic via C, a default route can be announced from C via OSPF internally, for example.

11. Autoconfiguration (5p)

Please answer the following questions:

a) How do you ensure that two hosts on the same link do not use the same link-local address? (1p)
By probing for addresses, typically using an ARP request for the probed address. If no answer is received, the address can be used. The address can be constructed by random assignment, in IPv6 also by appending the MAC address to the link-local prefix. In any case, probing must still be done.

b) What are the source and destination IPv4 addresses of initial DHCP requests sent by a host that has not yet obtained a routable address? (1p)
0.0.0.0 and 255.255.255.255, respectively.

c) Using IPv6 stateless autoconfiguration, how are routable addresses obtained by a host? (1p)
Using router advertisements / router solicitations.

d) How is expiration of addresses handled by DHCP clients: How do clients know when addresses expire? How do clients act in order to lengthen the lease? How do clients act when an address lease actually expires? (2p)
Clients lease addresses for a specific time period. When 50% of the time has expired, a new DHCP request is made, and thereafter again when 87.5% of the time has expired. If the server still does not reply, the client has to start from scratch by obtaining a new address using the discover mechanism.

12. Tunneling and NAT (5p)

Please answer the following questions in a concise way:

a) Name two uses of tunneling in IP networking. (1p)
IPv6 over IPv4, multicast over IP, IPsec, mobility, L2/L3 VPN, pseudo-wire, etc.

b) TTL (Time To Live) and MTU (Maximum Transmission Unit) may pose problems when using tunneling. Why is this so? (2p)
In a tunnel, the TTL is not decremented (automatically). This may lead to reduced debugging possibilities, and ICMP does not work correctly. MTU: an extra header is used for encapsulation, which reduces the (relative) payload so that extra fragmentation may be necessary.

c) Suppose a host on a private network with private IPv4 address A opens a UDP stream to a destination with global IPv4 address B via a symmetric NAT with global IPv4 address C. The source port of the stream at A is P and the destination port of the stream at B is Q.
Propose a NAT binding in the NAT after the initial UDP packet has been sent from A to B. (1p)
NAT binding: A/P <-> C/X (X is ephemeral)
Filtering: B/Q

d) In the NAT setting described in the previous question, provide a networking situation where a symmetric and a full-cone NAT would yield different results. Explain why. (1p)
In a full-cone NAT, another host, D, can send a packet to C/X and thus reach A. In a symmetric NAT, only B can use the binding from the outside.
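Added example (not from the exam): a toy UDP NAT that creates the binding A/P <-> C/X of 12c on the first outbound packet and then applies either full-cone or symmetric filtering, so that the difference described in 12d (D reaching A only through the full-cone NAT) can be observed. The concrete addresses and ports for A, B, C and D are constructed here; the exam only names them symbolically.

```python
import itertools

class UdpNat:
    """Toy NAT for the setting of problems 12c/12d; kind is 'full-cone' or
    'symmetric'.  Endpoints are (ip, port) tuples."""

    def __init__(self, public_ip, kind):
        if kind not in ("full-cone", "symmetric"):
            raise ValueError(kind)
        self.public_ip = public_ip
        self.kind = kind
        self._ports = itertools.count(40000)   # source of ephemeral ports X
        self.bindings = {}   # mapping key -> external endpoint C/X
        self.filters = {}    # C/X -> (internal endpoint A/P, allowed peer or None)

    def _key(self, src, dst):
        # Full-cone: one C/X per internal endpoint A/P, whoever the peer is.
        # Symmetric: a fresh C/X for each (A/P, B/Q) pair.
        return src if self.kind == "full-cone" else (src, dst)

    def outbound(self, src, dst):
        """Translate an inside->outside packet; create the binding on first use.
        Returns the (source, destination) seen on the public side."""
        key = self._key(src, dst)
        if key not in self.bindings:
            ext = (self.public_ip, next(self._ports))
            self.bindings[key] = ext
            allowed = dst if self.kind == "symmetric" else None   # filtering rule
            self.filters[ext] = (src, allowed)
        return self.bindings[key], dst

    def inbound(self, src, dst):
        """Translate an outside->inside packet addressed to C/X.
        Returns the internal endpoint, or None if the NAT drops it."""
        entry = self.filters.get(dst)
        if entry is None:
            return None                      # no binding for C/X
        internal, allowed = entry
        if allowed is not None and src != allowed:
            return None                      # symmetric NAT: only B/Q may answer
        return internal

# Constructed sample endpoints (documentation addresses, not from the exam).
A = ("10.0.0.5", 5000)          # private host A, source port P
B = ("198.51.100.7", 6000)      # external destination B, port Q
C = "203.0.113.1"               # NAT's global address
D = ("192.0.2.9", 7000)         # some other external host

def run(kind):
    """A/P sends to B/Q, then B/Q and D try to reach C/X from the outside."""
    nat = UdpNat(C, kind)
    ext, _ = nat.outbound(A, B)
    return {
        "binding": (A, ext),           # A/P <-> C/X, as in 12c
        "from_B": nat.inbound(B, ext), # reply from B/Q
        "from_D": nat.inbound(D, ext), # unsolicited packet from D, as in 12d
    }

if __name__ == "__main__":
    for kind in ("symmetric", "full-cone"):
        print(kind, run(kind))
```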