
Examination IK2218 Protocols and Principles of the Internet
EP2120 Internetworking

Date: 16 October 2012 at 14:00–19:00

a) No help material is allowed - You are not allowed to use dictionaries, books, or calculators!
b) You may answer questions in English or in Swedish.
c) Please answer each question on a separate page.
d) Please write concise answers!
e) Put a mark in the table on the cover page for each question you have addressed.
f) The grading of the exam will be completed no later than 6 November 2012.
g) After grading, EP2120 exams will be available for inspection at STEX (Q-building) and IK2218 exams will be available for inspection at ???? (?-building).
h) Deadline for written complaints is 24 November 2012.
i) Course responsible IK2218 is Peter Sjödin, phone 08-790 4255.
j) Course responsible EP2120 is György Dán, phone 08-790 4253.

Important note!

Your grade is F in any of these two cases:
- if you do not reach at least 10 (ten) points out of 20 for problems 1-4 or
- if you reach less than 30 points in total.

We advise you to start with problems 1-4.

Part I (Problems 1-4)

1. IP and addressing (5p)
You would like to connect to a public WiFi hotspot, but for some reason DHCP does not seem to work, so you cannot obtain an IP address, netmask, etc. You start Wireshark to capture the traffic on the WLAN. The lowest IP address you observe in any packet is 213.137.201.2 and the highest IP address is 213.137.206.10. Based on this information you try to manually configure an IP address, default gateway, and netmask for the wireless network interface.

    a. What is the longest prefix length that you should consider? What is the corresponding netmask? (1 p)

    b. Give the network address and the directed broadcast of the subnet in CIDR notation! What could be a reasonable guess for the default gateway? (1 p)

    c. Assume that you have configured the netmask and the default gateway, and by pure luck you configured your computer to use an IP address that is not in use by any other computer. You start your favorite browser, and try to access http://www.google.com. Will your browser be able to download the requested page? (1 p)

    d. The IPv6 header can contain a “hop-by-hop options” extension header which if present, must immediately follow the IPv6 header. What is the reason for this? Name one option that can be carried in this header and explain why this option is carried in the “hop-by-hop options” extension header, and not in the “destination options” extension header. (1 p)

    e. What is the difference between link-local and unique local addresses in IPv6? How do they relate to private addresses used in IPv4? (1 p)

Solution
a. The prefix length should be /21 or shorter; the corresponding netmask is 255.255.248.0.
b. The network address is 213.137.200.0/21, the directed broadcast 213.137.207.255. The default gateway could be 213.137.200.1, but you cannot be sure of this.
c. Almost certainly not, as you do not have a name server configured.
d. The reason is that the "hop-by-hop" extension header has to be processed by every router. One of the options it can carry is the "jumbo payload option". The routers have to be aware of the size of the datagram, and since the "destination options" extension header does not have to be processed by any router on the path, this option cannot be put there.

    e. IPv6 link-local addresses are valid only for addressing on a single link, while a unique local address can be used within a site very much like private addresses in IPv4. Every IPv6 enabled host has a link-local address, but they do not have to have a unique local address.
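As an added worked example (not part of the exam or its solution), the following Python computes 1a and 1b from the two observed addresses: the longest prefix that still covers both, the matching netmask, the network in CIDR notation, the directed broadcast, and the first usable address as the unverified gateway guess. The function and field names are mine.

```python
import ipaddress


def infer_subnet(lowest, highest):
    """Smallest IPv4 subnet (longest prefix) that contains both observed addresses.

    Any shorter prefix also contains them, so the result is an upper bound on
    the prefix length: the "/21 or shorter" of the exam's answer.
    """
    a = int(ipaddress.IPv4Address(lowest))
    b = int(ipaddress.IPv4Address(highest))
    prefix = 32
    while prefix > 0 and (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1                                  # shorten until both share the prefix
    net = ipaddress.ip_network(f"{lowest}/{prefix}", strict=False)
    first_host = next(iter(net.hosts()), None)      # a common, but unverified, gateway choice
    return {
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "network": str(net),                         # CIDR notation
        "broadcast": str(net.broadcast_address),     # directed broadcast
        "gateway_guess": str(first_host) if first_host else None,
    }


if __name__ == "__main__":
    print(infer_subnet("213.137.201.2", "213.137.206.10"))
```

The address chosen by hand can still collide with a host that was silent during the capture, and (as 1c notes) nothing here supplies a name server; the function only narrows the prefix, it does not validate the configuration.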

2. Delivery and address resolution (5p)
Consider the following IPv4 network consisting of 2 routers, 3 bridges, and 4 hosts. Routers R1 and R2 have appropriate routing tables. B1, B2, and B3 are learning bridges. Hosts H1 to H4 have one interface each. All ARP caches and the bridges' learning tables are initially empty.

a. Add the necessary physical (MAC) and logical (IP) addresses, and identify the subnets. Use small letters to denote the MAC addresses and capital letters to denote the IP addresses (e.g., a-A). (1 p)

    b. A process on host H1 sends 150 bytes via UDP to a process on host H4. Show the contents of the learning tables and the ARP caches after the packet has been delivered. Assume that the process on host H1 knows the IP address of host H4, and that ARP snooping is used. (1 p)

    c. The process on host H4 received the message sent in b) and replies to the process on host H1 with 250 bytes via UDP. Show the new contents of the ARP caches and the learning tables (ARP snooping is used). (1 p)

    d. A process on host H2 sends a message with 200 bytes via UDP to host H3. Show the new contents of the ARP caches and the learning tables. Assume that the process on host H2 knows the IP address of host H3, and that ARP snooping is used. (1 p)

    e. How different would the ARP caches and learning tables be in b), if ARP snooping was not used? (1 p)

Solution
a. We use A:a to D:d for hosts 1-4. For router R1, we use E:e and F:f for the West and East interfaces, respectively. For router R2, we use G:g and H:h for the West and East interfaces, respectively. Subnet 1: A, B, E; Subnet 2: F, G; Subnet 3: H, C, D.

b. ARP caches: H1: e-E; H2: a-A; H3, H4: h-H; R1: a-A, g-G; R2: f-F, d-D.
   Learning tables: B1: a-West, e-East; B2: f-West, g-East; B3: h-West, d-East.

    c. No new content, the current ARP caches and learning tables have enough information to deliver the message.

d. ARP caches: H1: b-B; H2: e-E; H3: h-H; R1: b-B; R2: c-C.
   Learning tables: B1: b-North; B3: c-North.

    e. The ARP cache of host H2 would not have the a-A entry, and the ARP cache of host H3 would not have the d-D entry.
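The following simulation is an added example, not part of the exam. It models the Problem 2 network with learning bridges and with hosts that snoop every ARP packet they see, then replays the UDP sends of b), c) and d) and reports the resulting ARP caches and learning tables. The exam figure is not reproduced on this page, so the bridge port each device hangs off (H1 and R1 on B1's West and East ports, H2 on its North port, and so on) is an assumption chosen to reproduce the solution's tables; all class and function names are mine.

```python
BCAST = "ff"                                       # constructed broadcast MAC
SUBNET = {"A": 1, "B": 1, "E": 1, "F": 2, "G": 2, "H": 3, "C": 3, "D": 3}


class Link:
    """One shared segment: a frame from one endpoint reaches every other endpoint."""
    def __init__(self):
        self.ends = []                             # (device, port or interface name)

    def transmit(self, frame, sender):
        for dev, port in self.ends:
            if dev is not sender:
                dev.receive(frame, port)


class Bridge:
    """Learning bridge: learns source MAC -> ingress port; filters known, floods unknown."""
    def __init__(self, name):
        self.name, self.ports, self.table = name, {}, {}

    def attach(self, port, link):
        self.ports[port] = link
        link.ends.append((self, port))

    def receive(self, frame, in_port):
        self.table.setdefault(frame["src"], in_port)
        known = self.table.get(frame["dst"])       # None for broadcast or unknown unicast
        outs = [p for p in self.ports if p != in_port] if known is None else \
               ([] if known == in_port else [known])
        for p in outs:
            self.ports[p].transmit(frame, self)


class Node:
    """Host or router. routes: [(subnet or "*", next-hop IP or None, interface)]."""
    def __init__(self, name, routes):
        self.name, self.routes = name, routes
        self.ifaces, self.arp, self.delivered = {}, {}, []

    def attach(self, iface, mac, ip, link):
        self.ifaces[iface] = (mac, ip, link)
        link.ends.append((self, iface))

    def frame(self, iface, dst_mac, payload):
        mac, _, link = self.ifaces[iface]
        link.transmit({"src": mac, "dst": dst_mac, "payload": payload}, self)

    def send_udp(self, dst_ip, length):
        src_ip = next(iter(self.ifaces.values()))[1]
        self.forward({"type": "ip", "src": src_ip, "dst": dst_ip, "len": length})

    def forward(self, pkt):
        _, next_hop, iface = next(r for r in self.routes if r[0] in (SUBNET[pkt["dst"]], "*"))
        next_hop = next_hop or pkt["dst"]          # no gateway: deliver directly
        mac, ip, _ = self.ifaces[iface]
        if next_hop not in self.arp:               # broadcast an ARP request; the reply fills the cache
            self.frame(iface, BCAST, {"type": "arp", "op": "request", "smac": mac, "sip": ip, "tip": next_hop})
        self.frame(iface, self.arp[next_hop], pkt)

    def receive(self, frame, iface):
        mac, ip, _ = self.ifaces[iface]
        if frame["dst"] not in (mac, BCAST):
            return                                 # flooded frame for another station: drop
        p = frame["payload"]
        if p["type"] == "arp":
            self.arp[p["sip"]] = p["smac"]         # ARP snooping: learn the sender of every ARP seen
            if p["op"] == "request" and p["tip"] == ip:
                self.frame(iface, p["smac"], {"type": "arp", "op": "reply", "smac": mac, "sip": ip, "tip": p["sip"]})
        elif p["dst"] in [i[1] for i in self.ifaces.values()]:
            self.delivered.append(p)
        else:
            self.forward(p)                        # router: relay towards the destination


def build():
    """Assumed port layout: B1 West=H1, East=R1, North=H2; B2 West=R1, East=R2; B3 West=R2, East=H4, North=H3."""
    bridges = {n: Bridge(n) for n in ("B1", "B2", "B3")}
    link = {}
    for b, ports in (("B1", "West East North"), ("B2", "West East"), ("B3", "West East North")):
        for p in ports.split():
            link[b, p] = Link()
            bridges[b].attach(p, link[b, p])
    hosts = {"H1": ("a", "A", "E", link["B1", "West"]), "H2": ("b", "B", "E", link["B1", "North"]),
             "H3": ("c", "C", "H", link["B3", "North"]), "H4": ("d", "D", "H", link["B3", "East"])}
    nodes = {}
    for n, (mac, ip, gw, l) in hosts.items():
        nodes[n] = Node(n, [(SUBNET[ip], None, "eth"), ("*", gw, "eth")])
        nodes[n].attach("eth", mac, ip, l)
    nodes["R1"] = Node("R1", [(1, None, "west"), (2, None, "east"), ("*", "G", "east")])
    nodes["R1"].attach("west", "e", "E", link["B1", "East"]); nodes["R1"].attach("east", "f", "F", link["B2", "West"])
    nodes["R2"] = Node("R2", [(2, None, "west"), (3, None, "east"), ("*", "F", "west")])
    nodes["R2"].attach("west", "g", "G", link["B2", "East"]); nodes["R2"].attach("east", "h", "H", link["B3", "West"])
    return nodes, bridges


def simulate(sends):
    """Replay (source, destination IP, bytes) sends; return ARP caches (mac-IP) and learning tables (mac-port)."""
    nodes, bridges = build()
    for src, dst, length in sends:
        nodes[src].send_udp(dst, length)
    arp = {n: sorted(f"{m}-{i}" for i, m in x.arp.items()) for n, x in nodes.items()}
    tables = {b: sorted(f"{m}-{p}" for m, p in x.table.items()) for b, x in bridges.items()}
    return arp, tables
```

Running `simulate([("H1", "D", 150)])` gives the tables of b); adding `("H4", "A", 250)` changes nothing, as c) states, and adding `("H2", "C", 200)` yields the new entries of d). Because every station learns from any ARP packet it receives, the model also shows why ARP snooping widens the blast radius of a spoofed ARP request: a single broadcast updates every cache on the segment, not only the target's.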

3. IP forwarding (5p)
a. In order to specify the path that a datagram should follow through the network to a destination, you can use the IP option source-routing. What are the two forms you can use? Explain the difference between them. Consider that a datagram that carries a source routing option has to be fragmented into two fragments. Which of the fragments will have to carry the option? (1 p)

A router has the IPv4 forwarding table shown below. Determine the next-hop address and the outgoing interface for the packets arriving to the router with destination addresses as given in points (b)-(e).

Destination         Next hop         Flags  Interface
73.0.0.0/16         -                U      m0
157.29.10.0/24      129.29.10.33     UG     m1
112.147.12.0/24     178.147.113.25   UG     m2
129.29.10.32/28     -                U      m1
173.78.34.128/25    129.29.10.34     UG     m1
178.147.64.0/18     -                U      m2
192.16.7.8/32       178.147.92.127   UGH    m2
0.0.0.0             73.0.63.1        UG     m0

b. 73.16.134.15 (1 p)
c. 192.16.7.8 (1 p)
d. 178.147.66.37 (1 p)
e. 157.29.10.126 (1 p)

Solution
a. Strict source routing (SSR) and loose source routing (LSR). In both cases, the sender specifies the list of IP addresses that the datagram has to visit. The difference is that for LSR, the path taken between two specified addresses may be arbitrary, while for SSR there must not be an intermediate router. All the fragments must have the source routing option included.
b. 73.0.63.1 on m0
c. 178.147.92.127 on m2
d. 178.147.66.37 on m2, direct delivery
e. 129.29.10.33 on m1
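An added example (not from the exam) that runs a longest-prefix-match lookup over the forwarding table above. The table is transcribed with the default route as 0.0.0.0/0 and the `-` next hop as None; the function name is mine.

```python
import ipaddress

# Forwarding table of Problem 3: (destination prefix, next hop, flags, interface).
TABLE = [
    ("73.0.0.0/16", None, "U", "m0"),
    ("157.29.10.0/24", "129.29.10.33", "UG", "m1"),
    ("112.147.12.0/24", "178.147.113.25", "UG", "m2"),
    ("129.29.10.32/28", None, "U", "m1"),
    ("173.78.34.128/25", "129.29.10.34", "UG", "m1"),
    ("178.147.64.0/18", None, "U", "m2"),
    ("192.16.7.8/32", "178.147.92.127", "UGH", "m2"),
    ("0.0.0.0/0", "73.0.63.1", "UG", "m0"),          # default route
]


def longest_prefix_match(dst, table=TABLE):
    """Return (next hop, interface, direct) for dst using the longest matching prefix.

    Table order is irrelevant: the most specific prefix wins, so the /32 host
    route (flag H) beats the /0 default even though both match 192.16.7.8, and
    73.16.134.15 falls through to the default because 73.0.0.0/16 only covers
    73.0.x.x.
    """
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop, flags, iface in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, flags, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")       # cannot happen while a default route exists
    _, next_hop, flags, iface = best
    direct = "G" not in flags                          # no gateway flag: deliver directly to dst
    return (dst if direct else next_hop, iface, direct)


if __name__ == "__main__":
    for d in ("73.16.134.15", "192.16.7.8", "178.147.66.37", "157.29.10.126"):
        print(d, "->", longest_prefix_match(d))
```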

4. TCP (5p)
Consider two hosts, A and B, connected by a network running IPv6. The capacity of all links is 10 Mbps and the round trip time is 100 ms. A process PA on host A would like to transmit 10000 bytes to a process PB on host B using TCP. The path MTU is unknown to the sending host, and path MTU discovery is disabled. The receiving host has a receiver window size limit of 3000 bytes, which the sender uses as the initial value of ssthresh for congestion control. The receiver can process the data as fast as they arrive.

a. What is the maximum segment size (MSS) used by TCP? Why? (1 p)
b. What is the maximum throughput that TCP can achieve from A to B given the parameters and disregarding congestion control? (1 p)
c. Consider that connection establishment was performed, and A received the SYN+ACK segment from B. Draw a figure that shows the segments exchanged between A and B from this point until the last byte is transmitted. Assume there are no losses, and delayed ACKs are not used by the receiver, but you should account for congestion control and for flow control. Denote by ISSA the initial sequence number chosen by A. Consider that the initial congestion window size used by A is 1220 bytes, and assume that this is the value of the MSS. For each segment sent by A show the sequence number and the payload length (i.e., the segment size), and for each segment sent by B show the acknowledgement number. (3 p)

Solution
a. The MSS is calculated based on the minimum MTU required by IPv6, which is 1280 bytes. It is 1280 - 40 (IP header) - 20 (TCP header) = 1220 bytes.
b. The sender can send 3000 bytes of data every 100 ms, which makes 30000 bytes/second. The goodput is slightly lower due to IP and TCP overhead.
c. The following figure shows the exchange of segments. Segments sent by A are given as sequence number, payload length; segments sent by B as acknowledgement number:

A -> B: ISSA+1, 1220
B -> A: ACK ISSA+1221
A -> B: ISSA+1221, 1220
A -> B: ISSA+2441, 1220
B -> A: ACK ISSA+2441
B -> A: ACK ISSA+3661
A -> B: ISSA+3661, 1220
A -> B: ISSA+4881, 1220
A -> B: ISSA+6101, 560
B -> A: ACK ISSA+4881
A -> B: ISSA+6661, 1220
B -> A: ACK ISSA+6101
A -> B: ISSA+7881, 1220
B -> A: ACK ISSA+6661
A -> B: ISSA+9101, 560
B -> A: ACK ISSA+7881
B -> A: ACK ISSA+9101
B -> A: ACK ISSA+9661
A -> B: ISSA+9661, 340
B -> A: ACK ISSA+10001

    Note that after the first three segments are sent and acknowledged, the amount of unacknowledged data (in the network) is always 3000 bytes, as it is limited by the receiver window size.

    Part II (Problems 5-12)

5. Fragmentation and UDP (5p)
a. In principle, the reassembly of fragmented datagrams could be performed in routers. Nevertheless, in IPv4 and in IPv6 it is only performed in end hosts. Give two reasons that motivate this design choice. (1 p)

    An application on host A wants to transmit 10 chunks of data via UDP to host B. The RTT between host A and host B is 10ms. The application passes one chunk of data every 20ms to UDP. Each chunk contains 1400 bytes of application data. The UDP header is 8 bytes long. There are two links between hosts A and B, connected by a router. The MTU of the first link is 1500 bytes, and the MTU of the second link is 600 bytes. The network layer protocol is IPv4. The path MTU is not known to host A.

b. Consider the first datagram sent from host A. What are the IPv4 fragments that arrive at host B? For all fragments, specify the fragment sizes, the fragmentation offset, and the more fragments (MF) bit. (2 p)

    c. How many fragments in total does host B receive? Would it be different if the network layer protocol was IPv6? Elaborate on your answer. (2 p)

Solution
a. Examples:
1) The different fragments of a datagram might traverse different paths through the network. The only IP address that they all certainly reach (if not lost) is the destination.
2) Reassembly is resource intensive. It requires a buffer to store the fragments, and a timer to decide when to consider a datagram lost if one of the fragments does not arrive.

b. There are 1400+8 = 1408 bytes to be transmitted. The path MTU is 600 bytes. The IPv4 base header is 20 bytes long. The IPv4 payload in every fragment except the last could be up to 600-20 = 580 bytes. However, this is not divisible by 8, so the maximum payload is 576 bytes. This does not hold for the last fragment, whose payload size does not have to be divisible by 8, so its maximum size is 580. The payload, offset and MF values are (all in bytes):
1) 576, 0, 1
2) 576, 576, 1
3) 256, 1152, 0
Observe that 1), 2), and 3) would be the same for each of the 10 packets sent.

c. IPv4: There are 10 UDP segments, and thus 10 IP datagrams will be sent, and each datagram gets fragmented into 3 fragments. Therefore, host B receives 10 x 3 = 30 fragments.

IPv6: Routers do not perform fragmentation in IPv6, and at the same time IPv6 requires that every link in a network has an MTU of at least 1280 bytes. Therefore, an IPv6 host can ignore an ICMP "Packet Too Big" message that specifies an MTU of 600 bytes. If it does so then none of the segments will be delivered. If the host does not ignore the message then the number of fragments will be different. Host A does not know the path MTU prior to sending the first datagram, so it sends the first datagram non-fragmented. The router discards this datagram and sends an ICMPv6 "Packet Too Big" message to host A, which includes the MTU size on the next hop (600 bytes). When host A receives this message, it becomes aware of the path MTU, and performs the fragmentation itself for the subsequent packets. Since the packets are sent in intervals of 20 ms, and 20 ms > RTT, only the first datagram is sent non-fragmented and discarded by the router. Thus, host B receives 9 x 3 = 27 fragments. The fragment sizes will be different than in IPv4 (but that was not part of the question).
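Added example, not the exam's own code: a fragmentation routine that reproduces 5b for IPv4 and, using the 8-byte IPv6 fragment extension header, the source-side fragmentation of the IPv6 case in 5c, together with a counter for the fragments host B receives under the "first datagram lost to Packet Too Big" reasoning above. Function and parameter names are mine; the IPv6 header sizes (40 + 8) come from the protocol specifications, not from the exam text.

```python
import math


def fragment(payload_len, mtu, header_len=20):
    """Split one datagram's payload for a link MTU. Returns (payload, offset, MF) per fragment.

    header_len is 20 for the IPv4 base header. For IPv6 the source inserts a
    fragment extension header, so pass 40 + 8 = 48. Offsets are in bytes; the
    on-the-wire offset field holds offset // 8, which is why every fragment
    but the last carries a multiple of 8 bytes.
    """
    room = mtu - header_len
    per_fragment = room // 8 * 8                       # non-final fragments: multiple of 8
    fragments, offset = [], 0
    while True:
        remaining = payload_len - offset
        if remaining <= room:                          # last fragment may use the full room
            fragments.append((remaining, offset, 0))
            return fragments
        fragments.append((per_fragment, offset, 1))
        offset += per_fragment


def fragments_received(chunks, chunk_len, udp_hdr, mtu, interval_ms, rtt_ms, ipv6=False):
    """Fragments arriving at the receiver for `chunks` UDP datagrams (Problem 5c).

    IPv4: the router fragments every datagram. IPv6: the router drops the
    too-big datagram and returns Packet Too Big; every datagram already sent
    before that message is back at the source (one RTT later) is lost, and the
    source fragments the rest itself.
    """
    payload = chunk_len + udp_hdr
    if not ipv6:
        return chunks * len(fragment(payload, mtu, 20))
    lost = min(chunks, max(1, math.ceil(rtt_ms / interval_ms)))   # sent before PTB arrives
    return (chunks - lost) * len(fragment(payload, mtu, 48))


if __name__ == "__main__":
    print(fragment(1408, 600))
    print(fragments_received(10, 1400, 8, 600, 20, 10), fragments_received(10, 1400, 8, 600, 20, 10, ipv6=True))
```

With a 5 ms send interval instead of 20 ms the IPv6 count drops further, since two datagrams are already in flight when Packet Too Big returns; the function makes that dependence on timing explicit, which the prose answer only states for the 20 ms case.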

6. Routing I (5p)
a. Consider a router D in a network where distance vector routing is used. D has the following routing table:

Network  Next router  Distance
N1       A            3
N2       B            5
N3       B            6
N4       A            6
N5       C            4
N7       C            2

D receives a routing message from router A, with the following information:

Network  Distance
N1       5
N2       5
N3       4
N4       3
N5       4
N6       3

Show the routing table in D, after D has processed the routing message. (2 p)

    b. RIP (Routing Information Protocol) uses distance vector routing and one problem with RIP is the well-known count-to-infinity problem. Mention one example of a solution to the count-to-infinity problem and briefly explain how the solution works. (1 p)

    c. Give two examples of general disadvantages with RIP (apart from the count-to-infinity problem to which there are several solutions…). (2 p)

Solution
a.

Network  Next router  Distance
N1       A            6
N2       B            5
N3       A            5
N4       A            4
N5       C            4
N6       A            4
N7       C            2
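An added example (not part of the exam) of the distance-vector update applied to D's table, together with the split-horizon and poison-reverse advertisement variants asked for in 6b. The D-A link cost of 1 is my assumption (one RIP hop); with it the update reproduces the solution's table. Function names are mine.

```python
INFINITY = 16                                   # RIP's "unreachable" metric


def dv_update(table, sender, advert, link_cost):
    """Bellman-Ford update of a distance-vector routing table.

    table:  {network: (next_router, distance)}
    advert: {network: distance} as announced by `sender`
    A route is replaced when the sender already is its next hop (the sender's
    new distance is authoritative, even if worse), when the route via the
    sender is strictly shorter, or when the network was unknown.
    """
    updated = dict(table)
    for network, distance in advert.items():
        via_sender = min(distance + link_cost, INFINITY)
        current = updated.get(network)
        if current is None or current[0] == sender or via_sender < current[1]:
            updated[network] = (sender, via_sender)
    return updated


def advertise(table, neighbour, poison_reverse=False):
    """What this router announces to `neighbour` (Problem 6b).

    Routes whose next hop is that neighbour are omitted (split horizon) or
    announced with metric 16 (poison reverse), so the neighbour can never be
    talked into routing them back through us after a failure.
    """
    message = {}
    for network, (next_router, distance) in table.items():
        if next_router == neighbour:
            if poison_reverse:
                message[network] = INFINITY
        else:
            message[network] = distance
    return message


# Router D's table and the message from A, transcribed from Problem 6.
TABLE_D = {"N1": ("A", 3), "N2": ("B", 5), "N3": ("B", 6), "N4": ("A", 6), "N5": ("C", 4), "N7": ("C", 2)}
MESSAGE_A = {"N1": 5, "N2": 5, "N3": 4, "N4": 3, "N5": 4, "N6": 3}
LINK_COST_D_A = 1                               # assumption: one hop between D and A

if __name__ == "__main__":
    new_table = dv_update(TABLE_D, "A", MESSAGE_A, LINK_COST_D_A)
    for net in sorted(new_table):
        print(net, *new_table[net])
    print("to A, split horizon:", advertise(new_table, "A"))
    print("to A, poison reverse:", advertise(new_table, "A", poison_reverse=True))
```

Note the N1 row: the sender is already D's next hop for N1, so D accepts the worse distance instead of keeping the stale 3. Accepting any neighbour's announcement unconditionally is also what makes unauthenticated distance-vector routing easy to poison, which is why RIPv2 added authentication.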

b. Two examples are:
Split horizon: do not propagate information about a route over the same interface from which the route arrived.
Poison reverse: advertise reverse routes with a metric of 16 (i.e., unreachable).

c. Examples of disadvantages are:
- Slow convergence
- Instability in case of link failures
- Cannot support network diameters over 15 hops
- Can only use hop count to determine the best route

    7. Routing II (5p) Assume a network according to the figure below.

    a. Use the shortest path first principle according to Dijkstra’s algorithm to compute the best route from A to all other nodes in the network. Your solution should show the steps taken in the execution of the algorithm. (2 p)

    b. OSPF is a link state routing protocol. It can be said to consist of three different parts (or protocols): Hello, Exchange, and Flooding. Briefly explain the overall purpose with these. (2 p)

c. Which transport protocol is OSPF using for its messages? (1 p)

Solution
a. Dijkstra

M                 DB (Path)   DC (Path)    DD (Path)      DE (Path)
{A}               2 (A-B)     –            –              5 (A-E)
{A, B}            2 (A-B)     3 (A-B-C)    5 (A-B-D)      5 (A-E)
{A, B, C}         2 (A-B)     3 (A-B-C)    4 (A-B-C-D)    4 (A-B-C-E)
{A, B, C, E}      2 (A-B)     3 (A-B-C)    4 (A-B-C-D)    4 (A-B-C-E)
{A, B, C, E, D}   2 (A-B)     3 (A-B-C)    4 (A-B-C-D)    4 (A-B-C-E)

b. Hello: check neighbor relationships and reachability, authentication, designated routers.
Exchange: initial link state database transfer from a neighbor when an OSPF router is connected for the first time or after a failure.
Flooding: the heart of OSPF. Sending LSAs (link state advertisements), where routers flood updates about their link states to all other OSPF routers in the area.

    c. OSPF does not use a transport protocol. It sends its messages directly on top of IP.

[Figure: network for Problem 7 with nodes A, B, C, D, E and link costs A-B 2, A-E 5, B-C 1, B-D 3, C-D 1, C-E 1]
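Added example, not from the exam: Dijkstra's algorithm over the Problem 7 graph, recording the permanent set M and the tentative (distance, path) table after each step so that the rows of the solution table can be compared. Ties (D and E both at distance 4) are broken alphabetically here, whereas the solution table makes E permanent before D; the final distances and paths are the same. Names are mine.

```python
import heapq

# Link costs of the Problem 7 network, read off the figure: (node, node, cost).
EDGES = [("A", "B", 2), ("A", "E", 5), ("B", "C", 1), ("B", "D", 3), ("C", "D", 1), ("C", "E", 1)]


def dijkstra(edges, source):
    """Shortest-path-first computation, as an OSPF router runs it over its link state database.

    Returns (dist, path, steps): the final distances, the best path to every
    node, and one entry per iteration holding the permanent set M and the
    tentative {node: (distance, "A-B-C")} table after that step.
    """
    adjacent = {}
    for u, v, cost in edges:                            # links are bidirectional
        adjacent.setdefault(u, []).append((v, cost))
        adjacent.setdefault(v, []).append((u, cost))
    dist, path, permanent, steps = {source: 0}, {source: [source]}, [], []
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in permanent:
            continue                                    # stale heap entry, already finalised
        permanent.append(u)                             # u's distance is now final
        for v, cost in adjacent[u]:
            if v not in dist or d + cost < dist[v]:     # relax the link u-v
                dist[v], path[v] = d + cost, path[u] + [v]
                heapq.heappush(heap, (dist[v], v))
        steps.append((list(permanent),
                      {n: (dist[n], "-".join(path[n])) for n in dist if n != source}))
    return dist, path, steps


if __name__ == "__main__":
    _, _, trace = dijkstra(EDGES, "A")
    for members, table in trace:                        # one line per row of the solution table
        print("{" + ", ".join(members) + "}", table)
```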

8. DNS – Name Resolution (5p)

a. You are on a computer with the name "my.computer.org", and want to make a DNS query for "www.dogs.info.". You send the query to the following name servers:
1. Your local server (which is also the authoritative server for "computer.org.")
2. A root server
3. The top-level domain server for "info"
4. The authoritative name server for "dogs.info"

    For each case, explain what response you would get back: what kind of information is in the response (if any), and what record(s) are there? Assume that the request you send is a normal request from a client, with the flag “Recursion desired” set. (You do not need to explain the content of the response packet in detail.) (3 p)

    b. You have difficulties remembering the difference between partially and fully qualified domain names, so to be on the safe side you send two different queries to your local name server: for “www.dogs.info.” and “www.dogs.info”. Explain what will happen in the two cases. What does the local name server do, and what is the response? (2 p)

Solution
a. 1. The local DNS server will resolve the name for you, either by making an iterative query or by returning the information from its cache. In any case it will return the address records (A or AAAA) for "www.dogs.info".

    2. A root server will return the (top-level) name servers for the ”info” domain, as NS records with the names of the name servers (in the authority section of the response), and A (or AAAA) records with the IP addresses (as glue records in the additional section).

    3. The top level server for “info” will return the authoritative name servers for the ”dogs.info” domain, as NS records with the names of the name servers (in the authority section of the response), and A (or AAAA) records with the IP addresses (as glue records in the additional section).

    4. The authoritative name server for “dogs.info” will return the address(es) for “www.dogs.info” as A (or AAAA) records.

    b. For the FQDN “www.dogs.info.” the local server will resolve the query and return the addresses as expected. For the PQDN “www.dogs.info” the local name server would probably consider it as a query for a name within the local domain, and hence expand it to “www.dogs.info.computer.org.”, and the lookup would fail, most likely.

9. DNS – Delegation (5p)
Consider the following excerpt from a DNS zone file, which comes from the primary authoritative server for a zone.

a. Which is the zone? (1 p)
b. The zone in question has been delegated to this server from another server, the delegating name server. Outline the parts of the delegating name server's zone file that have to do with the delegation. Write down the relevant resource records, their types and values. (3 p)

c. A client somewhere else on the Internet wants to send an email to an email address within this domain, and therefore makes a DNS query for the mail server. What will be the result of the query operation, what IP address (or addresses) will the client get? (1 p)

$ORIGIN my.network.org.
$TTL 86400
@       IN SOA   my.network.org. hostmaster.my.network.org. (
                 2012101601 10800 3600 604800 3600 )
        IN NS    ns.my.network.org.
        IN NS    ns2.my.network.org.
        IN MX    20 mx.my.network.org.
ns      IN A     192.0.1.5
ns2     IN A     192.0.1.2
        IN AAAA  2001:6b01::56
server  IN A     192.0.1.38
        IN AAAA  2001:6b01::bffd
mx1     IN CNAME server

Solution
a. my.network.org.
b. The delegating name server is most likely the authoritative server for network.org. Then the relevant parts of the zone file would be:

$ORIGIN network.org.
my                   IN NS    ns.my.network.org.
                     IN NS    ns2.my.network.org.
ns.my.network.org.   IN A     192.0.1.5
ns2.my.network.org.  IN A     192.0.1.2
                     IN AAAA  2001:6b01::56

c. An MX query for the mail server would result in IP addresses 192.0.1.38 (A record) and 2001:6b01::bff (AAAA record).

10. BOOTP and DHCP (5p)
DHCP is not only backwards compatible with BOOTP, it is essentially an extension of BOOTP. Explain how BOOTP was transformed into DHCP, taking care to show how both syntax and semantics were changed.

Answer: Syntactically, the change is minor: a field in the BOOTP packet intended for allowing vendors to implement private functionality was given a set of well-defined operations. One of these defines the DHCP protocol packet type (and by implication, the current state of the sender). Semantically, state machines for DHCP clients and servers were defined and transitions indicated using the packet type fields, to allow a DHCP client to probe for DHCP servers on a subnet, and then request a lease of an IP address and related configuration information. This lease typically needs to be periodically updated by the client, allowing the server to reuse IP addresses whose leases have been terminated, or expired.

11. NAT traversal (5p)
Explain the problem of NAT traversal for services on hosts behind a NAT box. What causes the problem? Why is it hard to resolve?

Answer: The problem is that the address translation performed by the NAT is opaque to hosts outside the NATted subnet. They see only the NAT box, and even if a server on the inside were to give a host on the outside its real (internal) address, it belongs to a different address domain, so any host on the outside that tries to use it will either reach the wrong host, or no host at all. This is not a problem for clients on the internal network, because when a client opens a connection, the NAT box can utilize the connection setup message(s) to create a translation mapping which allows it to correctly route future packets belonging to that connection to the correct host on the inside. When a server starts listening on a port, we sometimes refer to this as a "passive open", since it involves no messages being sent. Thus, there is no way for the NAT box to know that a host on the inside has started accepting incoming connections and create an appropriate translation mapping. The only way to resolve this situation is to modify how both hosts and NAT boxes work, and to introduce some mechanism that allows a host to identify that it sits on a NATted network, locate the NAT box and instruct it to create the appropriate mapping. The NAT box must, of course, also be modified to support this mechanism.
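As an added illustration of the explanation above (not part of the exam), here is a toy port-translating NAT: an outbound packet creates a mapping, an inbound packet is deliverable only through an existing mapping, and a server that merely performs a passive open receives nothing until a mapping is created explicitly. Addresses and ports are constructed from documentation ranges; class and method names are mine.

```python
class NAT:
    """Port-translating NAT. Endpoints are (ip, port) tuples."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.mappings = {}                         # (internal_ip, internal_port) -> public port

    def outbound(self, src, dst):
        """Packet leaving the inside: the first packet of a flow allocates the mapping."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.mappings[src]), dst

    def inbound(self, src, dst):
        """Packet arriving from outside: deliverable only if its port has a mapping, else dropped."""
        if dst[0] != self.public_ip:
            return None
        for internal, public_port in self.mappings.items():
            if public_port == dst[1]:
                return src, internal
        return None                                # passive open left no trace here

    def add_static_mapping(self, internal, public_port):
        """The "modify the NAT box" remedy: an explicit inbound mapping for a listening server."""
        self.mappings[internal] = public_port


def traversal_demo():
    """Constructed scenario: a client flow works, an unsolicited inbound flow does not
    until a mapping exists. Returns the three inbound results."""
    nat = NAT("203.0.113.1")
    client, web = ("10.0.0.5", 51000), ("198.51.100.7", 80)
    translated, _ = nat.outbound(client, web)              # client talks out: mapping created
    reply = nat.inbound(web, translated)                   # reply rides the mapping back in
    server, peer = ("10.0.0.8", 22), ("198.51.100.9", 4321)
    before = nat.inbound(peer, ("203.0.113.1", 22))        # server listening: no mapping, dropped
    nat.add_static_mapping(server, 22)
    after = nat.inbound(peer, ("203.0.113.1", 22))         # explicit mapping: delivered
    return reply, before, after


if __name__ == "__main__":
    print(traversal_demo())
```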

    12. Application layer gateways (5p) Most of the time when we talk about firewalls, we refer to firewalls implemented using packet filters, i.e., a (primarily) network-layer gateway. They are, however, sometimes used in conjunction with Application Layer Gateways (ALGs).

    a) Explain how an application layer gateway is implemented, and how a host inside the firewall would use one to connect to a service on the outside.

b) Explain why you might want to have both packet filters and application layer gateways, and give at least two examples of firewall tasks that application layer gateways are better suited to handle than packet filters.

    Answers:

a) An application layer gateway (ALG) firewall implements part, or all, of both the client- and server-side of an application layer protocol. When a client wants to use it to connect to a server on the other side of the firewall, its connection will instead go to the ALG. If the destination is permitted by the ALG, it will open a client connection to the server. To the server, the ALG will now look like the client, and to the client, like the server. The ALG can now examine the application layer messages being sent between the client and server, and decide on a per-message basis what to forward unchanged, what to change before forwarding, and what to discard and not forward.

    b) A packet filter is good to have, because it does not need to know about every application, nor about every application layer protocol. An application layer gateway, on the other hand, understands the application layer protocol, and can make decisions based on this understanding.

    1. Detecting and blocking malware being downloaded by a protected host.

2. Replacing, e.g., pornographic pictures or sensitive information on web pages being browsed by a user.