Solutions to Sample Problems on the Exam Study Guide (Remember: these problems are meant to complement those found in past assignments, quizzes and scary tests.) And don't look until you've tried them first.

=============

General advice: when answering questions that require a short explanation, use clear, unambiguous language. Be thorough in your explanation but also be to-the-point. Read each question carefully and answer all parts of the question. These questions are not about trivia but are testing your understanding of concepts. For example:

Question: explain why there's no one-to-one mapping between domain names and IP addresses.

BAD answer: so you can have more than one domain name for an IP address.

GOOD answer: Because 1. the domain name space is nearly infinite while the IP (v4) address space is not, and 2. domains form a perfect tree organization but IP networks do not.

Why is the first answer bad? Because all it does is repeat the question. It's like saying "there's no one-to-one mapping because there's no mapping that's one-to-one." We know that. But WHY isn't there such a mapping?

=============

1. Explain why TCP requires its own mechanism for assembling packets in the right order, given the fragmentation/reassembly mechanism that's already found in IP.

The order and frequency of the TCP segments being sent is determined by the nature of the application program, not by properties of the network. For example, your program may need to send one 64-byte packet every 30 seconds. A 64-byte packet won't be fragmented when sent as an IP packet (it is far below any link MTU), so IP reassembly never comes into play; yet the different packets that are sent must still be put in the right order at the receiving end, because IP may deliver them out of order (different routes, retransmissions). That is, the receiver needs to process the data in the same order that it was sent. IP reassembly only reorders the fragments of a single datagram; TCP sequence numbers order the bytes of the whole stream across datagrams.

2. 
Assume your routing table is as follows:

24.190.240.0/21 dev eth0
10.1.0.0/16 via 10.0.0.2 dev eth1
10.0.0.0/8 dev eth1
127.0.0.0/8 dev lo
default via 24.190.240.1 dev eth0

Assume further that your host is known as 10.0.0.1 on 10.0.0.0/8 and 24.190.242.2 on the internet. All your built-in chains have policy ACCEPT unless otherwise indicated. Write iptables rules to effect the following conditions:

A. Drop TCP packets with the SYN bit set from reaching your host through eth1 if the TCP connection is already ESTABLISHED.

hint: read this carefully. Having the SYN bit set is not the same as using --syn, which really means --tcp-flags SYN,ACK,RST SYN (that is, among the three flags SYN, ACK and RST, SYN is set and ACK and RST are not; the other flags can have any value). A SYN+ACK, for instance, has the SYN bit set but does not match --syn.

iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN SYN -m conntrack --ctstate ESTABLISHED -j DROP

B. Hosts on your intranet 10.0.0.0/8 need to be masqueraded as 24.190.242.2 so they can share this IP on the internet. Show how it's done with iptables.

iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j SNAT --to 24.190.242.2

(Since eth0's address is static, SNAT is the right target. The MASQUERADE target does the same thing but looks up the outgoing interface's current address for every new connection, which is meant for dynamically assigned addresses.)

C. You run your site's web server on 10.0.0.5. Redirect all www connections from the internet to the right location.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.5

Note that a corresponding SNAT rule is not needed, because you're not DNATing onto the same network the client is on: the server's replies to an internet client have to be routed back through the NAT box anyway, and conntrack un-DNATs them there. If we are redirecting internal connections, like in the case of the microsoft spoof, you'll also need:

iptables -t nat -A POSTROUTING -o eth1 -d 10.0.0.5 -p tcp --dport 80 -j SNAT --to 10.0.0.1

Otherwise, the server's reply goes straight to the internal client without passing through the "NAT box", and the client sees a reply from 10.0.0.5 to a connection it opened with a different address.

D. Block all other state NEW connections to your router from the (outside) internet except ports 80 and 22. (I should've specified tcp or udp - I would be more clear on a test question.)
iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state NEW -j DROP

Strictly speaking, connections "to your router" (addressed to the router itself) traverse INPUT, not FORWARD; FORWARD only sees traffic routed through the box, such as the DNATed web connections from C. Use the same three rules with -A INPUT for connections that terminate on the router. (-m state --state is the older spelling of -m conntrack --ctstate; both work.) Please remember: IP conntrack states apply to all IP connections, not just TCP - read the "longer iptables tutorial", chapters 3 and 4.

E. Explain why DNAT should not be done in the POSTROUTING chain.

Because routing has already happened by then. The routing decision looks at the destination address to determine which interface (and next hop) the packet is sent out on; if the destination is changed after that decision, the packet leaves on the interface chosen for the old destination and never reaches the new one. DNAT belongs in PREROUTING (or in OUTPUT for locally generated packets), both of which run before the routing decision.

2a. a. Explain the meaning of the RELATED state. How is "RELATED" different from "ESTABLISHED"?

A program may dynamically create connections with port numbers that are not statically predictable. The most common example is FTP, whose data connection uses a port negotiated over the control connection. The conntrack engine looks at the source/destination IP addresses and ports of the packets to determine whether they belong to the same connection. When packets have been seen going in both directions, the connection is considered ESTABLISHED. A packet is considered RELATED if it starts a new connection that is associated with an already existing one; conntrack learns the association from a protocol helper (such as the FTP helper, which reads the negotiated port off the control connection), and ICMP error messages about an existing connection count as RELATED too. Please don't regurgitate what I said - put it in your own words.

b. Is the state "ESTABLISHED" in iptables -m state the same as the "ESTABLISHED" state in TCP? (hint: read the Andreasson tutorial.)

No. iptables (the conntrack engine) considers a connection ESTABLISHED as soon as it has seen traffic in both directions, i.e. after the SYN+ACK comes back from the server, BEFORE the 3-way handshake is complete. TCP's ESTABLISHED state is only reached after the final ACK of the handshake.

2b. Suppose you used the following rules on 10.1.0.3:

iptables -A FORWARD -s 10.1.0.3 -d 147.4.183.0/24 -j DROP
iptables -t nat -A POSTROUTING -d 147.4.183.0/24 -j SNAT --to 10.1.0.3

Assume there are no other rules in effect and the default policy of FORWARD is ACCEPT. Explain carefully the effect of the above two rules. What will happen to packets being routed by 10.1.0.3?

-- Answer: all packets routed through 10.1.0.3 towards 147.4.183.0/24 will have their source addresses changed to 10.1.0.3. The FORWARD rule will have no effect, because the POSTROUTING chain is traversed last, after FORWARD: when a forwarded packet passes through FORWARD its source address is still the original host's, so "-s 10.1.0.3" never matches. (Packets that 10.1.0.3 generates itself go through OUTPUT, never FORWARD, so they are not dropped either.)

3. 
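The hint in question 2A, worked through in code. This is an added example, not part of the original solutions: a small model of how iptables evaluates --tcp-flags MASK COMP, showing which packets rule A drops and which --syn would have matched. The flag bit values are the standard TCP header bits; the sample packets and their conntrack states are constructed for the demo.

```python
# Added example: how iptables evaluates "--tcp-flags MASK COMP" and why that
# differs from "--syn".  Flag bit values are the standard TCP header bits.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(names):
    """Turn a flag list such as ["SYN", "ACK"] into a bitmask.
    "ALL" and "NONE" are accepted as iptables spells them."""
    if names == ["ALL"]:
        return 0x3F
    if names == ["NONE"]:
        return 0
    return sum(TCP_FLAGS[n] for n in names)


def tcp_flags_match(mask, comp, pkt_flags):
    """--tcp-flags MASK COMP: look only at the bits in MASK; of those,
    exactly the bits in COMP must be set.  Bits outside MASK are ignored."""
    return (pkt_flags & flag_bits(mask)) == flag_bits(comp)


def syn_match(pkt_flags):
    """--syn is shorthand for --tcp-flags SYN,ACK,RST SYN."""
    return tcp_flags_match(["SYN", "ACK", "RST"], ["SYN"], pkt_flags)


def rule_a_match(pkt_flags, ctstate):
    """Rule A from the solution: --tcp-flags SYN SYN together with
    -m conntrack --ctstate ESTABLISHED (interface/protocol checks omitted)."""
    return tcp_flags_match(["SYN"], ["SYN"], pkt_flags) and ctstate == "ESTABLISHED"


# Constructed packets: (description, flags, conntrack state the box would see).
SAMPLE_PACKETS = [
    ("initial SYN",                    flag_bits(["SYN"]),               "NEW"),
    ("SYN+ACK reply",                  flag_bits(["SYN", "ACK"]),        "ESTABLISHED"),
    ("stray SYN on existing conn",     flag_bits(["SYN"]),               "ESTABLISHED"),
    ("plain ACK",                      flag_bits(["ACK"]),               "ESTABLISHED"),
    ("SYN with PSH+URG (--syn still)", flag_bits(["SYN", "PSH", "URG"]), "NEW"),
]


def evaluate(packets=SAMPLE_PACKETS):
    """Return {description: (matches --syn, dropped by rule A)} per packet."""
    return {desc: (syn_match(flags), rule_a_match(flags, state))
            for desc, flags, state in packets}


if __name__ == "__main__":
    for desc, (s, a) in evaluate().items():
        print(f"{desc:34} --syn={s!s:5} ruleA-drop={a}")
```

The SYN+ACK line is the one the hint is about: it has the SYN bit set, so rule A (written with --tcp-flags SYN SYN) drops it on an ESTABLISHED connection, while --syn would have let it through because ACK is also set.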
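The chain order that answers both E and 2b, as an added example (not code from the original solutions): a model that pushes one forwarded packet through nat/PREROUTING, the routing decision, filter/FORWARD and nat/POSTROUTING in that order. The routing table is borrowed from question 2 because 2b gives none; the packets, the hypothetical "good" and "bad" DNAT rules and the internet client address 198.51.100.9 are constructed for the demo, and the model only implements -s/-d matching and ignores the local-delivery (INPUT) branch.

```python
from ipaddress import ip_address, ip_network

# Added example: the order in which a *forwarded* packet meets the chains,
#   nat/PREROUTING -> routing decision -> filter/FORWARD -> nat/POSTROUTING,
# and what that order means for the rules in 2b and for DNAT placement (E).
# Routing table from question 2 (assumed for the demo); longest prefix wins.
ROUTES = [
    ("24.190.240.0/21", "eth0"),
    ("10.1.0.0/16", "eth1"),
    ("10.0.0.0/8", "eth1"),
    ("0.0.0.0/0", "eth0"),       # default via 24.190.240.1
]


def route(dst):
    """Longest-prefix match: return the output interface for dst."""
    best_len, best_dev = -1, None
    for prefix, dev in ROUTES:
        net = ip_network(prefix)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best_len, best_dev = net.prefixlen, dev
    return best_dev


def matches(rule, pkt):
    """Only -s / -d are modelled; a missing key matches anything."""
    return all(ip_address(pkt[k]) in ip_network(rule[k])
               for k in ("src", "dst") if k in rule)


def forward_path(pkt, rules):
    """Run one forwarded packet through the chains.
    Returns (verdict, final_packet, out_interface, trace)."""
    pkt, trace, out_if = dict(pkt), [], None
    for chain in ("PREROUTING", "FORWARD", "POSTROUTING"):
        if chain == "FORWARD":
            # The routing decision is made once, here, on the destination as
            # it stands *after* PREROUTING; later rewrites do not re-route.
            out_if = route(pkt["dst"])
            trace.append(f"route: dst {pkt['dst']} -> {out_if}")
        for rule in rules:
            if rule["chain"] != chain or not matches(rule, pkt):
                continue
            trace.append(f"{chain}: {rule['target']} src={pkt['src']} dst={pkt['dst']}")
            if rule["target"] == "DROP":
                return "DROP", pkt, out_if, trace
            if rule["target"] == "SNAT":
                pkt["src"] = rule["to"]
            elif rule["target"] == "DNAT":
                pkt["dst"] = rule["to"]
            break                       # terminating target: chain is done
    return "ACCEPT", pkt, out_if, trace


# The two rules from 2b.
Q2B_RULES = [
    {"chain": "FORWARD", "src": "10.1.0.3/32", "dst": "147.4.183.0/24", "target": "DROP"},
    {"chain": "POSTROUTING", "dst": "147.4.183.0/24", "target": "SNAT", "to": "10.1.0.3"},
]

# DNAT of the web server placed correctly (PREROUTING) and wrongly (POSTROUTING).
GOOD_DNAT = [{"chain": "PREROUTING", "dst": "24.190.242.2/32", "target": "DNAT", "to": "10.0.0.5"}]
BAD_DNAT = [{"chain": "POSTROUTING", "dst": "24.190.242.2/32", "target": "DNAT", "to": "10.0.0.5"}]


def demo_2b():
    """Packet from an internal host (constructed): never dropped, always SNATed."""
    return forward_path({"src": "10.1.0.50", "dst": "147.4.183.7"}, Q2B_RULES)


def demo_dnat(rules):
    """Web request from an internet client (constructed): which interface does it leave on?"""
    return forward_path({"src": "198.51.100.9", "dst": "24.190.242.2"}, rules)


if __name__ == "__main__":
    for verdict, pkt, out_if, trace in (demo_2b(), demo_dnat(GOOD_DNAT), demo_dnat(BAD_DNAT)):
        print("\n".join(trace), "=>", verdict, pkt, "out", out_if, "\n")
```

With the DNAT in POSTROUTING the packet's destination does become 10.0.0.5, but it has already been routed to eth0 on the basis of 24.190.242.2; with the DNAT in PREROUTING the routing decision sees 10.0.0.5 and picks eth1.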
Explain the difference between Full Cone NAT and (port) Restricted Cone NAT.

-- Answer: In Restricted Cone NAT an external host can only send a packet to an internal host after the internal host has sent a packet to the IP address (and port, if it's "port restricted") of that external host. Full Cone NAT has no such restriction: once a port is mapped, any external host can reach the internal host via the IP address of the NAT box and the mapped port.

3a. Explain the difference between "interior" and "exterior" routing protocols. Why are both needed? Why is OSPF only an "interior" gateway protocol?

Interior refers to routing inside an autonomous system, where a single administration controls all the routers; OSPF guarantees the optimal path within an area (and close to optimal across areas, via the backbone area). Exterior (BGP) routes between autonomous systems, and only guarantees loop-free routes, not necessarily optimal ones, because each AS applies its own policies. Both are needed because no single administration controls the whole internet. OSPF stays interior because, as a link-state protocol, it requires every router to hold the complete topology of its area and recompute shortest paths on every change, which does not scale to the internet and cannot express the per-AS policies that inter-domain routing is about.

3b. What is the principal difference (and advantage) of OSPF compared to RIP (or "distance vector" algorithms)?

OSPF: link state. RIP: distance vector.
OSPF: each router floods the state of its own links (its immediate neighbors and the link costs) to all routers in the area; every router thus knows the whole topology and computes the shortest paths itself.
RIP: each router sends its entire routing table (distances to all destinations) to only its neighbors, so routes are learned second-hand.
The advantage: link-state routers share a consistent view of the topology, so they converge faster after a change and do not suffer from the slow convergence (count-to-infinity) that distance vector does.

3.5. Explain why ARP might no longer be needed with IPv6.

The 48-bit MAC address can be embedded within the host part of the address, because the address is now 128 bits as opposed to 32, so a neighbor's link-layer address can be read off its IPv6 address. (In practice IPv6 replaces ARP with Neighbor Discovery, carried in ICMPv6, since addresses need not embed the MAC at all.)

3.6. List two other differences between IPv6 and IPv4 OTHER than ARP and the lengths of the addresses.

No checksum in the header.
Fragmentation information lives in an extension header, and only the sender fragments: there is no on-the-fly fragmentation by routers.

4. Describe the principal differences between TCP and UDP. Is TCP always better?

There are many differences that can be described, but you must mention: TCP is *connection oriented* because there's a connection establishment (3-way handshake) and termination sequence. UDP is "connectionless".
TCP implements a "reliable" byte stream in that it guarantees that bytes are received in order and that none are lost (through its acknowledgement, sliding window and retransmission algorithms). UDP is capable of broadcasting and multicasting, which TCP cannot do, so TCP is not always better; UDP also avoids the handshake and retransmission delays, which matters for real-time traffic. The word "reliable" should only be understood in a technical sense.

5. If the advertised window of a TCP receiver becomes too small, explain how the sender will be informed when it's now large enough.

The sender periodically sends out 1-byte "window probes" (driven by its persist timer) to elicit responses, i.e. ACKs carrying the receiver's current advertised window, to see whether the window has increased. This is needed because the receiver's window update can be lost, and pure ACKs are never retransmitted.

6. Explain as precisely as possible how a TCP sender uses the "advertised window" of the receiving side.

The amount of data that has been sent but not yet acknowledged must be <= the advertised window of the peer: LastByteSent - LastByteAcked <= AdvertisedWindow. So the sender may transmit at most AdvertisedWindow - (LastByteSent - LastByteAcked) further bytes before it must wait for an ACK. (With congestion control in effect, the sender uses the smaller of the advertised window and its congestion window.)

6b. Does a TCP agent acknowledge a packet as soon as it's received? If not, describe a specific situation in which the acknowledgement will be delayed.

No. TCP acknowledgements are cumulative, so only data that has arrived in order is acknowledged. An out-of-order segment is buffered, but its bytes are not acknowledged until the gap before it is filled; the receiver answers it with a duplicate ACK for the last in-order byte (which is what triggers fast retransmit at the sender). A receiver may also delay the ACK of an in-order segment briefly (delayed ACK, at most a few hundred milliseconds) in the hope of piggybacking it on outgoing data or acknowledging two segments at once.

7. In what way is the Jacobson/Karels algorithm an improvement over the original algorithm, which only took the weighted average of sample RTTs?

The original algorithm does not take into account possibly large variances in the samples, which means that the average is not really a reliable measure. J/K also keeps track of the mean deviation of the samples and adds a multiple of it to the timeout.

7b. Will a larger average deviation value lead to a longer or shorter timeout value with the Jacobson/Karels algorithm? Explain using either math, or careful reasoning.

Longer (see above explanation). This is also clear from the formula: Timeout = ERTT + 4*DEV, where Diff = SampleRTT - ERTT, ERTT = ERTT + d*Diff and DEV = DEV + d*(|Diff| - DEV), with d typically 1/8.

8. List the sequence of steps that occurs when a TCP host receives a closing signal from the other host (i.e. as passive agent). Assume nothing "out of the ordinary" happens.

Receive FIN.
Send ACK for the FIN (the host is now in CLOSE_WAIT).
--- does what it needs locally to wrap up the connection ---
Send FIN to peer (now LAST_ACK).
Receive ACK for this FIN.
Close the connection.
9. (related to above) What is the purpose of the TIME_WAIT state? Why does it only exist for active close (the side initiating the close) as opposed to passive close? That is, why is the 1-2 minute timeout not needed in the CLOSE_WAIT state?

The completion of the above sequence implies that each side has sent a FIN and received an acknowledgement for it. In the active close, the active agent's last act is to send an ACK. It will not receive anything from the other side anymore (there's no ACK for ACKs), so it can't be sure that this ACK arrived and completed the needed sequence. It therefore waits longer than it takes a packet to traverse the internet (2*MSL) to make sure that either the ACK arrived, or it was lost, in which case the passive side will retransmit its FIN and the active side can ACK it again. (The wait also lets old duplicate segments die off before the same port pair can be reused for a new connection.) The passive side needs no such wait: it does not leave LAST_ACK until it receives the ACK of its FIN, and if that ACK never comes it retransmits the FIN itself; in CLOSE_WAIT it is merely waiting for the local application to close.

10. Explain why the TCP congestion control algorithm is needed in addition to the sliding window algorithm. That is, what's the difference between "flow control" and "congestion control"?

Flow control is a mechanism that regulates the rate of transmission between the two endpoints of a connection. Each side knows, through the advertised window field of the TCP header, how much data the other side is capable of handling. When a network becomes congested, the TCP agents should also slow down their rates of transmission to lessen the burden on the network. But this is much more problematic, since the TCP agents can't see the details of the congestion; the advertised window says nothing about the state of the routers in between. A sender will thus simply interpret lost packets (no ACK received, or duplicate ACKs) as a sign of possible congestion, or use the ECN bits, which allow it to learn a little more about what's going on, and it keeps a separate congestion window that limits how much unacknowledged data it puts into the network.

11. Explain the difference between an A record and an NS record. What is a type AAAA record?

An A record is an answer record for a forward DNS lookup (look up the IPv4 address given a domain name). An NS record is a nameserver record that gives the name servers for some domain, i.e. the delegation of that domain. An AAAA record is the IPv6 counterpart of an A record: the 128-bit address for a name.

11b. What is an "authoritative" DNS server?
Authoritative means the server contains the requested information locally, in its own zone data. It is not retrieved from another DNS server; it is not cached. (An answer served from a cache is a non-authoritative answer, even when it is correct.)

12. Explain how reverse DNS lookup works. That is, what is the algorithm for looking up the domain name for a given IP address such as 147.4.253.24?

It uses the special domain in-addr.arpa. The octets are reversed, so that the most significant octet (the one that identifies the network) becomes the top of the subtree, and the resolver looks up 24.253.4.147.in-addr.arpa using the same algorithm as a regular DNS lookup: the root servers delegate to the servers for 147.in-addr.arpa, those to 4.147.in-addr.arpa, and so on down the tree. The type of record retrieved is a PTR record, which points to a domain name rather than to an address. Because delegation in in-addr.arpa happens one octet (8 bits) at a time, this causes a problem with CIDR and IP networks split on a non-octet boundary between different organizations, each running its own DNS server: the /24's zone cannot be handed to either of them, so the parent (higher-level) server has to carry their PTR records itself, putting more pressure on the higher-level servers. (The usual fix, RFC 2317, has the parent zone delegate a sub-zone such as 0/26.253.4.147.in-addr.arpa to each organization and point every host's PTR name at it with a CNAME.)
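Question 12 in code, as an added example (not part of the original solutions): building the name a resolver queries for a PTR record (IPv4 and, going beyond the question, IPv6 under ip6.arpa), and generating the records a parent /24 zone needs in order to hand a /26 slice to another organization's server in the RFC 2317 style. The prefix 147.4.253.0/26 and the server name ns.example.org. are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# Added example: PTR query names and RFC 2317 classless in-addr.arpa
# delegation.  The /26 and the name server below are made up for the demo.


def reverse_name(addr):
    """147.4.253.24 -> 24.253.4.147.in-addr.arpa
    IPv6: every hex nibble of the expanded address, reversed, under ip6.arpa."""
    ip = ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")       # 32 hex digits, zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def _zone_labels(net):
    """(parent /24 zone name, RFC 2317 label for the slice, e.g. "0/26")."""
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa.", f"{o[3]}/{net.prefixlen}"


def classless_delegation(cidr, nameserver):
    """Zone lines the parent /24 zone needs (RFC 2317): one NS record for a
    sub-zone named after the slice, plus a CNAME per address pointing into
    that sub-zone, so the organization holding the slice serves its own PTRs."""
    net = ip_network(cidr)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("need an IPv4 prefix longer than /24 and shorter than /32")
    parent, slice_label = _zone_labels(net)
    lines = [f"{slice_label}.{parent} IN NS {nameserver}"]
    for ip in net:                               # every address in the slice
        last = str(ip).split(".")[3]
        lines.append(f"{last}.{parent} IN CNAME {last}.{slice_label}.{parent}")
    return lines


def ptr_owner(addr, cidr):
    """The name under which the delegated organization must publish the PTR
    for addr, i.e. where the parent's CNAME sends the resolver."""
    net = ip_network(cidr)
    if ip_address(addr) not in net:
        raise ValueError(f"{addr} is not inside {cidr}")
    parent, slice_label = _zone_labels(net)
    last = str(ip_address(addr)).split(".")[3]
    return f"{last}.{slice_label}.{parent}"


if __name__ == "__main__":
    print(reverse_name("147.4.253.24"))
    print(reverse_name("2001:db8::1"))
    for line in classless_delegation("147.4.253.0/26", "ns.example.org.")[:3]:
        print(line)
    print(ptr_owner("147.4.253.24", "147.4.253.0/26"))
```

A lookup of 24.253.4.147.in-addr.arpa then reaches the parent zone, follows the CNAME to 24.0/26.253.4.147.in-addr.arpa, and is answered authoritatively by ns.example.org. instead of by the parent's server.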