Prep Guide Flashcards
IS-IS
Control Plane or Data Plane?
Control Plane
– IS-IS is used to calculate routes that allow routers to later forward data packets, but does not carry data for any application
IP
Control Plane or Data Plane?
Data Plane
– the actual IP packets that are forwarded by routers are the packets that contain application data
UDP
Control Plane or Data Plane?
Data Plane
– with UDP the actual packets contain application data
DHCP
Control Plane or Data Plane?
Control Plane
– DHCP is used to automatically assign IP addresses to end hosts, but DHCP messages do not contain any application data themselves
802.11 (WiFi)
Control Plane or Data Plane?
Data Plane
– 802.11 is a link layer protocol that carries data for applications or higher level protocols (which would be considered “data” by the link layer, even if they are not data at the application layer)
Name some situations/scenarios in which using SDN provides a benefit.
1) When things break
2) Network updates
3) Research or Testbed network
Explain how SDN provides a benefit when it comes to things breaking in a network.
- policies are centralized in an SDN controller, makes it easier to get a “big picture” of what is happening
- problems can be found and fixed more easily
Explain how SDN provides a benefit when it comes to updating a network.
- No new hardware, just update software
- Updating policies is easier and centralized
Explain how SDN is useful in a research or testbed network.
- No new hardware needed
- Easier
- Cheaper
- Rapid Iteration
Name some places where network virtualization is useful.
- multi-tenant data centers (“the cloud”)
- R&D environments
- computer networking classes
Name some places where network virtualization is not particularly useful.
- when cost outweighs benefits
- networks that are highly sensitive to latency
Explain how network virtualization provides a benefit in multi-tenant data centers
- allows each tenant the illusion that they have their own private network
- allows tenant to configure the network to their needs
Multi-tenant data centers are also known as ______.
“The Cloud”
Explain how network virtualization provides a benefit in R&D environments.
- isolates experiments from the rest of general network traffic
Explain how network virtualization provides a benefit in computer networking classes.
- allows learning and experimenting without affecting or breaking the rest of the network
When might network virtualization be overkill? Give an example.
- when the cost outweighs the benefits
Example: Home/small office networks used to connect to ISP
When is network virtualization a bad idea on networks that are highly sensitive to latency?
- system critical cyber-physical devices such as:
- launch space vehicles
- air traffic control
- nuclear reactor
Why use the Pyretic programming API when the hardware itself exposes the OpenFlow API?
- The Pyretic API provides a high-level abstraction for SDN programmers
- The OpenFlow API is a low level API, on the level of assembly language
- It is difficult to develop applications with the OpenFlow API
- the Pyretic runtime provides an efficient runtime that automatically installs generated low level rules on hardware devices throughout the network
How does a network policy implemented in python and executed on a Pyretic con-troller result in policies on OpenFlow switches?
1) programmer specifies a high level policy using Pyretic API
2) The Pyretic runtime connects via sockets to OpenFlow clients on the network
3) The Pyretic runtime interprets packets and using its socket connection to install OpenFlow rules
- these connections allow the Pyretic runtime to perform other actions, like proactively installing rules to reduce network latency, reading counters, etc
Describe the function of the following pyretic network policy function:
flood()
Returns one packet per local port on the network spanning tree.
Describe the function of the following pyretic network policy function:
match(dstip=‘192.168.1.15’) & match(srcip=‘192.168.1.120’)
Two separate match predicates are composed, the result matches any packet that has destination IP = 192.168.1.15 and source IP – 192.168.1.120
Describe the function of the following pyretic network policy function:
match(dstip=‘10.0.0.8’)»_space; fwd(12)
A single match predicate sequentially composed with another, the result of which matches packets any packet bound for IP 10.0.08 and forwards it along port 12. This effectively “filters out” all traffic not bound for IP 10.0.0.8.
Describe the function of the following pyretic network policy function:
match(dstip= ‘10.0.0.1’) >> ( match(srcip=‘10.0.0.15’) >> drop() + match(srcip= ‘10.0.0.25’) >> modify(dstip=‘10.0.0.30’) )
- all traffic not bound for IP 10.0.0.1 is filtered, then:
- if the packet is from IP 10.0.0.15, it is dropped
- if the packet is from 10.0.0.25, it is returned, with the destination IP rewritten to 10.0.0.30
What are the three steps of traffic engineering?
1) Measure
2) Model
3) Control
What are the two things that need to be measured in traffic engineering?
1) Topology
2) Traffic
How could topology be measured for the purposes of traffic engineering?
1) routers may self-report (Link-State protocol)
2) entered as data by a network engineer (most common)
* both the connectivity and the capacity of each router
How could traffic be measured for the purposes of traffic engineering?
- “simple counters” measurement technique
- we want to know how much traffic is on each part of the network but don’t necessarily need the details of specific flows
What are two ways that control could be implemented with software engineering?
1) adjusting link weights (“traditional”)
2) using SDN to directly control routes
How are link weight most commonly used to control network traffic?
- this indirectly affects the routes calculated by the routing protocol
- link weights are more often used this way than to represent any “real” property of the network, like bandwidth or link latency
In inter-AS multipath, what properties of the paths need to be equal in order to allow multipath over those paths?
- LOCAL_PREF, the local preference parameter
- AS_PATH length, as determined by counting the number of ASes in the AS_PATH
- MULTI_EXIT_DISC, the MED value IGP metric to the EXT_HOP, i.e., equal “hot potato” routing distance
How does using pods and pseudo-MACs improve the scalability of a Layer 2 network?
- changes the flat layer 2 addressing (MAC) into a hierarchical addressing (pseudo-MAC)
- switches only need to store a forwarding entry for each host in the same pod plus one for each other pod, rather than needing an entry for each host on the entire network
- similar hierarchical concept as IP/layer 3
What are the advantages of using a Jellyfish topology over a traditional hierarchical data center topology?
- Network Load Balancing
- Higher Capacity
- Shorter Paths
- Incremental Expansion
How does NETWORK LOAD BALANCING in a Jellyfish topology provide an advantage?
Network Load Balancing – prevents bottleneck links and heavily loaded aggregation or core switches
How does the HIGHER CAPACITY in a Jellyfish topology provide an advantage?
Higher capacity – since the network is balanced, more hosts can reasonably be hosted on a network with the same number of switches
How do the SHORTER PATHS in a Jellyfish topology provide an advantage?
Shorter paths – shorter average number of hops between any two hosts results in faster network performance
How does the INCREMENTAL EXPANSION in a Jellyfish topology provide an advantage?
Incremental expansion – allows adding switches to the network without reconfiguring the existing network infrastructure or adding additional “higher-level” switches
What are the drawbacks or problems with using a Jellyfish topology?
- Does not handle heterogeneous switch devices well
* Long cable runs between random switch pairs may be necessary, but are inconvenient and difficult to install
Briefly describe the functions of the logically centralized Fabric Manager used in PortLand.
- The Fabric Manager is primarily responsible for maintaining network configuration soft state.
- Using this soft state, the Fabric Manager performs ARP resolution, provides multicast capability to the network, and achieves fault tolerance goals.
Where does the Fabric Manager used in PortLand reside?
- The Fabric Manager is a user process, running on a dedicated machine.
- This machine may be located on the network itself, or it can reside on a separate control network.
What are the four components of a PMAC in a PortLand network, and what does each component encode?
This encoding consists of four components in the format:
pod.position.port.vmid
Explain how PMAC (Pseudo MAC) addresses are generated for end hosts in a PortLand network.
A PMAC encodes the position of an end host in a fat-tree network.
What does the POD component of a PMAC address encode?
The pod (first) component encodes the pod number the end host and the edge switch reside in.
What does the POSITION component of a PMAC address encode?
The position component (second) encodes the end
host’s position in the pod.
What does the PORT component of a PMAC address encode?
The port component encodes the switch’s physical port number the end host is attached to.
What does the VMID component of a PMAC address encode?
- The vmid component encodes a unique ID for each virtual machine that is present on the end host.
- The edge switch maintains a mapping for each VM, which uses its own AMAC (actual MAC) address.
- This permits multiplexing of virtual hosts resident on a single physical host.
How does PMAC design improve forwarding table sizes on large scale data center networks?
- The use of PMACs greatly simplify layer 2 forwarding due to their hierarchical nature.
- Switches no longer need a forwarding table entry per virtual host.
- A single forwarding table entry can be used to aggregate hosts, enabling forwarding behavior that exploits longest prefix match.
Use Big O notation to describe the switch state size when using AMACs.
O(n)
- n is the number of virtual hosts in the data center
Use Big O notation to describe the switch state size when using PMACs.
O(k)
- k is the number of ports on switches used to construct the fat tree network
Describe at a high level how a data center could generate a Jellyfish topology for their specific network.
- an approximation algorithm is used to generate a RRG (Random Regular Graph)
- The result is a blueprint for the Jellyfish topology that can be used to physically cable the switches and servers
What values are needed as input in order to generate a Jellyfish topology?
1) N = num of racks/switches
2) k = num of ports per switch
3) r = num of ports used to connect to other switches
Describe at a high level how a Jellyfish topology can be incrementally expanded.
- To incrementally add a new server rack, it is not necessary to generate a new RRG with N+1, k, and r
- we can add the new rack by iteratively selecting connections between other ToR switches and replacing that connection with two new connections, each to the new switch
- This maintains the previous connectivity of the topology, and also consumes two of the r ports on the new ToR switch dedicated to connecting to other ToR switches
- This process is repeated until one or zero or the r ports remain
Can we expect an incrementally expanded Jellyfish topology to be uniformly random after an incremental expansion?
- after expansion, the new topology CANNOT be expected to be
uniformly random, as it would be if a new RRG was created and the entire data center re-cabled appropriately
What kinds of attacks can BGPSec successfully protect against?
● A BGP message could be sent to a router by some host that is not the router’s legitimate neighbor
● An AS could lie about being the origin of a particular subnet
● An AS could lie about the AS-path to a particular subnet
Scenario: A BGP message could be sent to a router by some host that is not the router’s legitimate neighbor.
Other than BGPSec, how might this attack be prevented?
Although BGPSec provides session authentication, this kind of attack can also be prevented without BGPSec by using the “TTL Hack”
Scenario: An AS could lie about being the origin of a particular subnet.
How might BGPSec prevent this type of attack?
BGPSec prevents this by providing certificates that sign the origin claim
Scenario: An AS could lie about the AS-path to a particular subnet.
How might BGPSec prevent this type of attack?
BGPSec prevents this by providing a chain of signed paths, each partial path in the chain being signed by the AS that advertised that part of the path.
How does an attacker who performs BGP hijacking prevent being detected by traceroute?
- When an attacker performs a BGP hijack it leaves its own AS out of the path.
- It can ensure that even traceroute cannot discover it by simply not decrementing the TTL field on the traceroute when it passes through the attacking AS.
- To traceroute, it then looks like that AS isn’t actually there.
How can DNS be manipulated (i.e., attacked) to allow someone to become a “man-in-the-middle”?
There are several ways this could happen, but the most common is DNS poisoning.
Explain DNS poisoning as it might be used in a “man-in-the-middle” attack.
- attacker SPAMs DNS server with bad mappings
- eventually one matches and DNS accepts and caches is
- DNS responds to future requests with the new bad mapping
- the attacker collects traffic and/or spoofs the legitimate server
How can ARP be used to mount a “man-in-the-middle” attack against a host on the same local (Layer 2) network as the attacker?
ARP Poisoning: An attacker could send gratuitous ARP responses for a particular IP address to hosts on its local network so that those hosts send messages to the attacker’s MAC instead
How is ARP poisoning different from DNS poisoning?
- ARP poisoning works similarly to DNS poisoning, except that there is not ID value that the attacker needs to guess
- A host will accept an ARP response even if no ARP request for that IP→MAC mapping was ever made – such a response is referred to as a “gratuitous ARP response”
- The main drawback compared to DNS poisoning is that the attacker must be on the same local network as the target
Why are WiFi networks particularly vulnerable to ARP poisoning MITM attacks?
- The main drawback compared to DNS poisoning is that the attacker must be on the same local network as the target
- Users connected to the same “public hotspot” are all on the same local network
How do SYN cookies work?
- The server does not allocate resources for the TCP connection immediately upon receiving a SYN packet, but instead waits for the ACK to allocate those resources.
- the server’s SYN/ACK response to the SYN packet contains a special “SYN cookie” that it uses as the connection’s initial sequence number.
- When the server gets an ACK, it can calculate whether or not the sequence number in that ACK could have been legitimately generated as a SYN cookie.
How do SYN cookies prevent resource exhaustion type denial of service (DoS) attacks on a server
If the ACK sequence number (SYN cookie) checks out, then the server knows
1) that the client has engaged in the entire 3-way handshake, rather than sending spurious ACKs, and
2) the client’s IP address given by the IP headers is it’s legitimate address, because otherwise it wouldn’t have received the SYNACK that contains the SYN cookie.
If you are trying to detect TCP SYN flooding attacks and want to raise an alarm when there are 1048576 (i.e., 1024^2) attack packets using a /12 subnet as the telescope, how many backscatter packets do you need to observe to detect the attack?
The /12 subnet contains 2^(32-12) = 2^20 = 1048676.
So 1048576/1048576 = 1 packet to observe
Describe how BGP can be manipulated.
BGP does not validate information in routing announcements, so a manipulator can announce any path they want and claim ownership of a victim’s IP prefix.
Describe how Origin Authentication can be manipulated.
Origin Authentication uses a trusted database for verification so an AS can’t claim ownership of a victim’s IP prefix, but they can still announce a path that ends at the proper AS, although the path does not physically exist.
Describe how soBGP can be manipulated.
soBGP uses origin authentication and a trusted database to guarantee that any path physically exists, but the manipulator can advertise a path that exists but is not actually available.
Describe how S-BGP can be manipulated.
S-BGP uses path verification, which limits a single manipulator to announcing available paths, but they could announce a shorter, more expensive, provider path while actually forwarding traffic on a cheaper, longer customer path.
Describe how Data Plan Verification can be manipulated.
Data plane verification prevents an AS from announcing a path and forwarding on another, so the manipulator must actually forward traffic on the path he is announcing.
Describe how Defensive Filtering can be manipulated.
- Defensive filtering polices the BGP announcements made by stubs.
- With the model in the paper, each provider keeps a prefix list of the IP prefixes owned by its direct customers that are stubs.
- If a stub announces a path to any prefix it doesn’t own, then it is dropped. In this way, if all providers correctly implement this it eliminated attacks by stubs.
The “Shortest-Path Export-All” strategy was proven not to be optimal for the manipulator. Describe the 3 counterexamples that were discussed.
1) Announcing longer paths can be better than announcing shorter ones
2) Announcing to fewer neighbors can be better than announcing to more.
3) The identity of the ASes on the announce path matters since it can be used to strategically trigger BGP loop detection.
Describe how the follow counterexample proves that the “Shortest-Path Export-All” strategy is not optimal.
Announcing longer paths can be better than announcing shorter ones.
- advertising the shortest path will only pick up traffic from one small
provider - Announcing a longer path to the large provider, will attract more traffic overall as the large provider will prefer this path over the shorter, peer path as it will be cheaper.
- It is better for the manipulator to attract traffic from larger AS.
- This strategy will work against any secure routing protocol, except when launched by stubs in a network with defensive filtering, because it is only implementing a different export policy than usually used.
Describe how the follow counterexample proves that the “Shortest-Path Export-All” strategy is not optimal.
Announcing to fewer neighbors can be better than announcing to more.
- In this strategy, by not exporting to certain Tier providers, customer paths to the victim can be eliminated and influential ASes will be forced to choose shorter peer paths over a longer customer path because the customer path was not made known to them.
- This will work against any secure protocol as it is just using a clever export policy to manipulate traffic.
Describe how the follow counterexample proves that the “Shortest-Path Export-All” strategy is not optimal.
The identity of the ASes on the announce path matters since it can be used to strategically trigger BGP loop detection.
- With false loop prefix hijack, the manipulator claims an innocent AS originates the prefix to his provider. But when the false loop is announced, BGP loop detection will cause the AS to reject the path, removing the customer path from the network.
- This will force large ISPs to choose shorter peer paths.
- Unlike the first two attacks, this one will only work against BGP, origin authentication or soBGP because it involves false advertising of the path announced by an innocent AS.
Describe the various rewiring activities that are unique to malicious ASes and
- Malicious ASes change their providers often to avoid being detected or to avoid the negative consequences of their customers activities.
- they are also known to connect to Providers with lax security policies and / or long response times to abuse complaints.
- Malicious ASes have longer periods of downtime, due to depeering from their neighboring ASes and detection avoidance strategies they employ.
How does ASWatch captures various rewiring activities.
- ASWatch captures these activities by taking snapshots of AS relationships periodically and observing the changes in relationships over time.
- These activities are then used to feed the reputation engine that identifies malicious ASes.
What is the motivation for malicious ASes to advertise fragmented BGP prefixes rather than their entire IP address space?
- Malicious ASes conduct a wide variety of abusive actions, many of which can be countered with simple blacklisting.
- Examples of this would be DoS, spamming, and phishing.
- If a malicious AS consistently advertises its entire IP address space, it runs a higher risk of having the entire IP space blacklisted when these activities are detected.
- Small fragments of advertised space allow malicious activities to continue their activities in a fresh IP space fragment when they are blacklisted.
Why would an attacker mounting a crossfire attack choose to dynamically change the set of target links during an attack (known as a rolling attack)?
- Rolling attacks are implemented by an attacker to indefinitely continue an attack on a target area.
- Continuing to flood the same set of target links will ultimately have negative effects on the attack when router failure detection mechanisms are tripped.
- Rolling attacks will make the crossfire attack even harder to detect by changing the attack vector without changing the overall target area.
Briefly describe the 3 categories of attackers against DNS.
1) Off-path adversaries
2) On-path adversaries
3) In-path adversaries
Off-Path Adversaries
- Off-path adversaries can’t observe DNS queries and responses.
- They will trigger specific DNS lookups, but must generate numerous packets in hopes of matching the request the resolver will accept as they must guess the transaction ID and other entropy.
On-Path Adversaries
- On-path adversaries can passively observe the actual lookups requested by a resolver and can directly forge DNS replies.
- As long as the resolver receives the forged reply before the legitimate one, it will accept the forged reply.
In-Path Adversaries
- In-path adversaries can both block and modify packets and can block the legitimate packet.
- Hold-On can’t help here as the legitimate packets can be blocked.
How does the Hold-On algorithm work?
NOTE: This card needs to be broken into smaller questions/answers.
- Because the legitimate reply cannot be blocked by on-path adversaries, the “Hold-On” period can be used to wait for the legitimate reply to arrive.
- The stub resolver/forwarded first learns the expected RTT and TTL associated with legitimate traffic to remote recursive resolver.
- Then after issuing a DNS query, it starts its Hold-On timer
- If a DNSSEC-protected response is expected, local signature validation is done for each reply and returns the first fully validated reply to the client or a DNSSEC error if the Hold-On timer expires before one is validated.
- If there is no DNSSEC, the resolver compares the timing of the reply to the expected RTT and compares the TTL field in the header to the expected TTL.
- If a reply is validated it will return this reply to the client, but if there are mismatches, it ignores the response and continues to wait.
- If the timer expires, it will send the last reply received that was not validated.
Describe the differences in the terms network virtualization and software defined networking (SDN).
- Network Virtualization refers to abstracting the network away from the physical equipment, which can be accomplished without SDN
- SDN refers separating the control plane from the data plane by using a centralized logic controller. SDN does not necessarily imply Network Virtualization is employed.
How can we use network virtualization to evaluate and test SDNs?
- Network virtualization software like Mininet allows SDNs to be tested in a virtual environment by using logical processes to emulate physical network devices, including OpenFlow capable
switches. - By emulating the physical equipment, control plane logic for an SDN can be tested without the need for physical equipment and complicated data collection methods.
