Final Exam Prep Questions Flashcards

Question 1

Q

IS-ISControl Plane or Data Plane?

Answer

A

Control Plane– IS-IS is used to calculate routes that allow routers to later forward data packets, but does not carry data for any application

Question 2

Q

IPControl Plane or Data Plane?

Answer

A

Data Plane – the actual IP packets that are forwarded by routers are the packets that contain application data

Question 3

Q

UDPControl Plane or Data Plane?

Answer

A

Data Plane – with UDP the actual packets contain application data

Question 4

Q

DHCPControl Plane or Data Plane?

Answer

A

Control Plane– DHCP is used to automatically assign IP addresses to end hosts, but DHCP messages do not contain any application data themselves

Question 5

Q

802.11 (WiFi)Control Plane or Data Plane?

Answer

A

Data Plane– 802.11 is a link layer protocol that carries data for applications or higher level protocols (which would be considered “data” by the link layer, even if they are not data at the application layer)

Question 6

Q

Name some situations/scenarios in which using SDN provides a benefit.

Answer

A

1) When things break2) Network updates3) Research or Testbed network

Question 7

Q

Explain how SDN provides a benefit when it comes to things breaking in a network.

Answer

A

policies are centralized in an SDN controller, makes it easier to get a “big picture” of what is happening- problems can be found and fixed more easily

Question 8

Q

Explain how SDN provides a benefit when it comes to updating a network.

Answer

A

No new hardware, just update software- Updating policies is easier and centralized

Question 9

Q

Explain how SDN is useful in a research or testbed network.

Answer

A

No new hardware needed- Easier-Cheaper- Rapid Iteration

Question 10

Q

Name some places where network virtualization is useful.

Answer

A

multi-tenant data centers (“the cloud”)- R&D environments - computer networking classes

Question 11

Q

Name some places where network virtualization is not particularly useful.

Answer

A

when cost outweighs benefits- networks that are highly sensitive to latency

Question 12

Q

Explain how network virtualization provides a benefit in multi-tenant data centers

Answer

A

allows each tenant the illusion that they have their own private network- allows tenant to configure the network to their needs

Question 13

Q

Multi-tenant data centers are also known as ______.

Answer

A

“The Cloud”

Question 14

Q

Explain how network virtualization provides a benefit in R&D environments.

Answer

A

isolates experiments from the rest of general network traffic

Question 15

Q

Explain how network virtualization provides a benefit in computer networking classes.

Answer

A

allows learning and experimenting without affecting or breaking the rest of the network

Question 16

Q

When might network virtualization be overkill? Give an example.

Answer

A

when the cost outweighs the benefitsExample: Home/small office networks used to connect to ISP

Question 17

Q

When is network virtualization a bad idea on networks that are highly sensitive to latency?

Answer

A

system critical cyber-physical devices such as:- launch space vehicles- air traffic control- nuclear reactor

Question 18

Q

Why use the Pyretic programming API when the hardware itself exposes the OpenFlow API?

Answer

A

The Pyretic API provides a high-level abstraction for SDN programmers- The OpenFlow API is a low level API, on the level of assembly language- It is difficult to develop applications with the OpenFlow API- the Pyretic runtime provides an efficient runtime that automatically installs generated low level rules on hardware devices throughout the network

Question 19

Q

How does a network policy implemented in python and executed on a Pyretic con-troller result in policies on OpenFlow switches?

Answer

A

1) programmer specifies a high level policy using Pyretic API2) The Pyretic runtime connects via sockets to OpenFlow clients on the network3) The Pyretic runtime interprets packets and using its socket connection to install OpenFlow rules- these connections allow the Pyretic runtime to perform other actions, like proactively installing rules to reduce network latency, reading counters, etc

Question 20

Q

Describe the function of the following pyretic network policy function:flood()

Answer

A

Returns one packet per local port on the network spanning tree.

Question 21

Q

Describe the function of the following pyretic network policy function:match(dstip=‘192.168.1.15’) & match(srcip=‘192.168.1.120’)

Answer

A

Two separate match predicates are composed, the result matches any packet that has destination IP = 192.168.1.15 and source IP – 192.168.1.120

Question 22

Q

Describe the function of the following pyretic network policy function:match(dstip=‘10.0.0.8’)&raquo_space; fwd(12)

Answer

A

A single match predicate sequentially composed with another, the result of which matches packets any packet bound for IP 10.0.08 and forwards it along port 12. This effectively “filters out” all traffic not bound for IP 10.0.0.8.

Question 23

Q

Describe the function of the following pyretic network policy function:match(dstip= ‘10.0.0.1’)&raquo_space; ( match(srcip=‘10.0.0.15’)&raquo_space; drop() +match(srcip= ‘10.0.0.25’)&raquo_space; modify(dstip=‘10.0.0.30’) )

Answer

A

all traffic not bound for IP 10.0.0.1 is filtered, then:- if the packet is from IP 10.0.0.15, it is dropped- if the packet is from 10.0.0.25, it is returned, with the destination IP rewritten to 10.0.0.30

Question 24

Q

What are the three steps of traffic engineering?

Answer

A

1) Measure2) Model3) Control

Question 25

Q

What are the two things that need to be measured in traffic engineering?

Answer

A

1) Topology2) Traffic

Question 26

Q

How could topology be measured for the purposes of traffic engineering?

Answer

A

1) routers may self-report (Link-State protocol)2) entered as data by a network engineer (most common)*both the connectivity and the capacity of each router

Question 27

Q

How could traffic be measured for the purposes of traffic engineering?

Answer

A

“simple counters” measurement technique * we want to know how much traffic is on each part of the network but don’t necessarily need the details of specific flows

Question 28

Q

What are two ways that control could be implemented with software engineering?

Answer

A

1) adjusting link weights (“traditional”)2) using SDN to directly control routes

Question 29

Q

How are link weight most commonly used to control network traffic?

Answer

A

this indirectly affects the routes calculated by the routing protocol- link weights are more often used this way than to represent any “real” property of the network, like bandwidth or link latency

Question 30

Q

In inter-AS multipath, what properties of the paths need to be equal in order to allow multipath over those paths?

Answer

A

LOCAL_PREF, the local preference parameter - AS_PATH length, as determined by counting the number of ASes in the AS_PATH - MULTI_EXIT_DISC, the MED value IGP metric to the EXT_HOP, i.e., equal “hot potato” routing distance

Question 31

Q

How does using pods and pseudo-MACs improve the scalability of a Layer 2 network?

Answer

A

changes the flat layer 2 addressing (MAC) into a hierarchical addressing (pseudo-MAC)- switches only need to store a forwarding entry for each host in the same pod plus one for each other pod, rather than needing an entry for each host on the entire network- similar hierarchical concept as IP/layer 3

Question 32

Q

What are the advantages of using a Jellyfish topology over a traditional hierarchical data center topology?

Answer

A

Network Load Balancing- Higher Capacity- Shorter Paths- Incremental Expansion

Question 33

Q

How does NETWORK LOAD BALANCING in a Jellyfish topology provide an advantage?

Answer

A

Network Load Balancing – prevents bottleneck links and heavily loaded aggregation or core switches

Question 34

Q

How does the HIGHER CAPACITY in a Jellyfish topology provide an advantage?

Answer

A

Higher capacity – since the network is balanced, more hosts can reasonably be hosted on a network with the same number of switches

Question 35

Q

How do the SHORTER PATHS in a Jellyfish topology provide an advantage?

Answer

A

Shorter paths – shorter average number of hops between any two hosts results in faster network performance

Question 36

Q

How does the INCREMENTAL EXPANSION in a Jellyfish topology provide an advantage?

Answer

A

Incremental expansion – allows adding switches to the network without reconfiguring the existing network infrastructure or adding additional “higher-level” switches

Question 37

Q

What are the drawbacks or problems with using a Jellyfish topology?

Answer

A

• Does not handle heterogeneous switch devices well• Long cable runs between random switch pairs may be necessary, but are inconvenient and difficult to install

Question 38

Q

Briefly describe the functions of the logically centralized Fabric Manager used in PortLand.

Answer

A

The Fabric Manager is primarily responsible for maintaining network configuration soft state.- Using this soft state, the Fabric Manager performs ARP resolution, provides multicast capability to the network, and achieves fault tolerance goals.

Question 39

Q

Where does the Fabric Manager used in PortLand reside?

Answer

A

The Fabric Manager is a user process, running on a dedicated machine.- This machine may be located on the network itself, or it can reside on a separate control network.

Question 40

Q

What are the four components of a PMAC in a PortLand network, and what does each component encode?

Answer

A

This encoding consists of four components in the format:pod.position.port.vmid

Question 41

Q

Explain how PMAC (Pseudo MAC) addresses are generated for end hosts in a PortLand network.

Answer

A

A PMAC encodes the position of an end host in a fat-tree network.

Question 42

Q

What does the POD component of a PMAC address encode?

Answer

A

The pod (first) component encodes the pod number the end host and the edge switch reside in.

Question 43

Q

What does the POSITION component of a PMAC address encode?

Answer

A

The position component (second) encodes the endhost’s position in the pod.

Question 44

Q

What does the PORT component of a PMAC address encode?

Answer

A

The port component encodes the switch’s physical port number the end host is attached to.

Question 45

Q

What does the VMID component of a PMAC address encode?

Answer

A

The vmid component encodes a unique ID for each virtual machine that is present on the end host. - The edge switch maintains a mapping for each VM, which uses its own AMAC (actual MAC) address. - This permits multiplexing of virtual hosts resident on a single physical host.

Question 46

Q

How does PMAC design improve forwarding table sizes on large scale data center networks?

Answer

A

The use of PMACs greatly simplify layer 2 forwarding due to their hierarchical nature. - Switches no longer need a forwarding table entry per virtual host. - A single forwarding table entry can be used to aggregate hosts, enabling forwarding behavior that exploits longest prefix match.

Question 47

Q

Use Big O notation to describe the switch state size when using AMACs.

Answer

A

O(n)- n is the number of virtual hosts in the data center

Question 48

Q

Use Big O notation to describe the switch state size when using PMACs.

Answer

A

O(k)- k is the number of ports on switches used to construct the fat tree network

Question 49

Q

Describe at a high level how a data center could generate a Jellyfish topology for their specific network.

Answer

A

an approximation algorithm is used to generate a RRG (Random Regular Graph)- The result is a blueprint for the Jellyfish topology that can be used to physically cable the switches and servers

Question 50

Q

What values are needed as input in order to generate a Jellyfish topology?

Answer

A

1) N = num of racks/switches2) k = num of ports per switch3) r = num of ports used to connect to other switches

Question 51

Q

Describe at a high level how a Jellyfish topology can be incrementally expanded.

Answer

A

To incrementally add a new server rack, it is not necessary to generate a new RRG with N+1, k, and r- we can add the new rack by iteratively selecting connections between other ToR switches and replacing that connection with two new connections, each to the new switch- This maintains the previous connectivity of the topology, and also consumes two of the r ports on the new ToR switch dedicated to connecting to other ToR switches- This process is repeated until one or zero or the r ports remain

Question 52

Q

Can we expect an incrementally expanded Jellyfish topology to be uniformly random after an incremental expansion?

Answer

A

after expansion, the new topology CANNOT be expected to beuniformly random, as it would be if a new RRG was created and the entire data center re-cabled appropriately

Question 53

Q

What kinds of attacks can BGPSec successfully protect against?

Answer

A

● A BGP message could be sent to a router by some host that is not the router’s legitimate neighbor● An AS could lie about being the origin of a particular subnet ● An AS could lie about the AS-path to a particular subnet

Question 54

Q

Scenario: A BGP message could be sent to a router by some host that is not the router’s legitimate neighbor. Other than BGPSec, how might this attack be prevented?

Answer

A

Although BGPSec provides session authentication, this kind of attack can also be prevented without BGPSec by using the “TTL Hack”

Question 55

Q

Scenario: An AS could lie about being the origin of a particular subnet. How might BGPSec prevent this type of attack?

Answer

A

BGPSec prevents this by providing certificates that sign the origin claim

Question 56

Q

Scenario: An AS could lie about the AS-path to a particular subnet.How might BGPSec prevent this type of attack?

Answer

A

BGPSec prevents this by providing a chain of signed paths, each partial path in the chain being signed by the AS that advertised that part of the path.

Question 57

Q

How does an attacker who performs BGP hijacking prevent being detected by traceroute?

Answer

A

When an attacker performs a BGP hijack it leaves its own AS out of the path.- It can ensure that even traceroute cannot discover it by simply not decrementing the TTL field on the traceroute when it passes through the attacking AS. - To traceroute, it then looks like that AS isn’t actually there.

Question 58

Q

How can DNS be manipulated (i.e., attacked) to allow someone to become a “man-in-the-middle”?

Answer

A

There are several ways this could happen, but the most common is DNS poisoning.

Question 59

Q

Explain DNS poisoning as it might be used in a “man-in-the-middle” attack.

Answer

A

attacker SPAMs DNS server with bad mappings- eventually one matches and DNS accepts and caches is- DNS responds to future requests with the new bad mapping- the attacker collects traffic and/or spoofs the legitimate server

Question 60

Q

How can ARP be used to mount a “man-in-the-middle” attack against a host on the same local (Layer 2) network as the attacker?

Answer

A

ARP Poisoning: An attacker could send gratuitous ARP responses for a particular IP address to hosts on its local network so that those hosts send messages to the attacker’s MAC instead

Question 61

Q

How is ARP poisoning different from DNS poisoning?

Answer

A

ARP poisoning works similarly to DNS poisoning, except that there is not ID value that the attacker needs to guess- A host will accept an ARP response even if no ARP request for that IP→MAC mapping was ever made – such a response is referred to as a “gratuitous ARP response”- The main drawback compared to DNS poisoning is that the attacker must be on the same local network as the target

Question 62

Q

Why are WiFi networks particularly vulnerable to ARP poisoning MITM attacks?

Answer

A

The main drawback compared to DNS poisoning is that the attacker must be on the same local network as the target- Users connected to the same “public hotspot” are all on the same local network

Question 63

Q

How do SYN cookies work?

Answer

A

The server does not allocate resources for the TCP connection immediately upon receiving a SYN packet, but instead waits for the ACK to allocate those resources.- the server’s SYN/ACK response to the SYN packet contains a special “SYN cookie” that it uses as the connection’s initial sequence number. - When the server gets an ACK, it can calculate whether or not the sequence number in that ACK could have been legitimately generated as a SYN cookie.

Question 64

Q

How do SYN cookies prevent resource exhaustion type denial of service (DoS) attacks on a server

Answer

A

If the ACK sequence number (SYN cookie) checks out, then the server knows1) that the client has engaged in the entire 3-way handshake, rather than sending spurious ACKs, and 2) the client’s IP address given by the IP headers is it’s legitimate address, because otherwise it wouldn’t have received the SYNACK that contains the SYN cookie.

Answer 65

A

The /12 subnet contains 2^(32-12) = 2^20 = 1048676. So 1048576/1048576 = 1 packet to observe

Answer 66

A

BGP does not validate information in routing announcements, so a manipulator can announce any path they want and claim ownership of a victim’s IP prefix.

Answer 67

A

Origin Authentication uses a trusted database for verification so an AS can’t claim ownership of a victim’s IP prefix, but they can still announce a path that ends at the proper AS, although the path does not physically exist.

Answer 68

A

soBGP uses origin authentication and a trusted database to guarantee that any path physically exists, but the manipulator can advertise a path that exists but is not actually available.

Answer 69

A

S-BGP uses path verification, which limits a single manipulator to announcing available paths, but they could announce a shorter, more expensive, provider path while actually forwarding traffic on a cheaper, longer customer path.

Answer 70

A

Data plane verification prevents an AS from announcing a path and forwarding on another, so the manipulator must actually forward traffic on the path he is announcing.

Answer 71

A

Defensive filtering polices the BGP announcements made by stubs. - With the model in the paper, each provider keeps a prefix list of the IP prefixes owned by its direct customers that are stubs. - If a stub announces a path to any prefix it doesn’t own, then it is dropped. In this way, if all providers correctly implement this it eliminated attacks by stubs.

Answer 72

A

1) Announcing longer paths can be better than announcing shorter ones2) Announcing to fewer neighbors can be better than announcing to more.3) The identity of the ASes on the announce path matters since it can be used to strategically trigger BGP loop detection.

Answer 73

A

advertising the shortest path will only pick up traffic from one smallprovider- Announcing a longer path to the large provider, will attract more traffic overall as the large provider will prefer this path over the shorter, peer path as it will be cheaper.- It is better for the manipulator to attract traffic from larger AS. - This strategy will work against any secure routing protocol, except when launched by stubs in a network with defensive filtering, because it is only implementing a different export policy than usually used.

Answer 74

A

In this strategy, by not exporting to certain Tier providers, customer paths to the victim can be eliminated and influential ASes will be forced to choose shorter peer paths over a longer customer path because the customer path was not made known to them. - This will work against any secure protocol as it is just using a clever export policy to manipulate traffic.

Answer 75

A

With false loop prefix hijack, the manipulator claims an innocent AS originates the prefix to his provider. But when the false loop is announced, BGP loop detection will cause the AS to reject the path, removing the customer path from the network. - This will force large ISPs to choose shorter peer paths. - Unlike the first two attacks, this one will only work against BGP, origin authentication or soBGP because it involves false advertising of the path announced by an innocent AS.

Answer 76

A

Malicious ASes change their providers often to avoid being detected or to avoid the negative consequences of their customers activities.- they are also known to connect to Providers with lax security policies and / or long response times to abuse complaints.- Malicious ASes have longer periods of downtime, due to depeering from their neighboring ASes and detection avoidance strategies they employ.

Answer 77

A

ASWatch captures these activities by taking snapshots of AS relationships periodically and observing the changes in relationships over time.- These activities are then used to feed the reputation engine that identifies malicious ASes.

Answer 78

A

Malicious ASes conduct a wide variety of abusive actions, many of which can be countered with simple blacklisting.- Examples of this would be DoS, spamming, and phishing. - If a malicious AS consistently advertises its entire IP address space, it runs a higher risk of having the entire IP space blacklisted when these activities are detected.- Small fragments of advertised space allow malicious activities to continue their activities in a fresh IP space fragment when they are blacklisted.

Answer 79

A

Rolling attacks are implemented by an attacker to indefinitely continue an attack on a target area.- Continuing to flood the same set of target links will ultimately have negative effects on the attack when router failure detection mechanisms are tripped. - Rolling attacks will make the crossfire attack even harder to detect by changing the attack vector without changing the overall target area.

Answer 80

A

1) Off-path adversaries2) On-path adversaries3) In-path adversaries

Answer 81

A

Off-path adversaries can’t observe DNS queries and responses. - They will trigger specific DNS lookups, but must generate numerous packets in hopes of matching the request the resolver will accept as they must guess the transaction ID and other entropy.

Answer 82

A

On-path adversaries can passively observe the actual lookups requested by a resolver and can directly forge DNS replies.- As long as the resolver receives the forged reply before the legitimate one, it will accept the forged reply.

Answer 83

A

In-path adversaries can both block and modify packets and can block the legitimate packet.- Hold-On can’t help here as the legitimate packets can be blocked.

Answer 84

A

NOTE: This card needs to be broken into smaller questions/answers.- Because the legitimate reply cannot be blocked by on-path adversaries, the “Hold-On” period can be used to wait for the legitimate reply to arrive.- The stub resolver/forwarded first learns the expected RTT and TTL associated with legitimate traffic to remote recursive resolver. - Then after issuing a DNS query, it starts its Hold-On timer- If a DNSSEC-protected response is expected, local signature validation is done for each reply and returns the first fully validated reply to the client or a DNSSEC error if the Hold-On timer expires before one is validated.- If there is no DNSSEC, the resolver compares the timing of the reply to the expected RTT and compares the TTL field in the header to the expected TTL. - If a reply is validated it will return this reply to the client, but if there are mismatches, it ignores the response and continues to wait.- If the timer expires, it will send the last reply received that was not validated.

Answer 85

A

Network Virtualization refers to abstracting the network away from the physical equipment, which can be accomplished without SDN- SDN refers separating the control plane from the data plane by using a centralized logic controller. SDN does not necessarily imply Network Virtualization is employed.

Answer 86

A

Network virtualization software like Mininet allows SDNs to be tested in a virtual environment by using logical processes to emulate physical network devices, including OpenFlow capableswitches.- By emulating the physical equipment, control plane logic for an SDN can be tested without the need for physical equipment and complicated data collection methods.

Brainscape's Knowledge GenomeTM

Final Exam Prep Questions Flashcards

Brainscape's Knowledge Genome^TM