Session 1: IP Supporting Protocols & Tunneling

Question 1

What is the Address Resolution Protocol (ARP) responsible for?

Answer 1

• ARP maintains a table of IP to link layer address bindings on each
  node
• Host machines can answer with their link layer adress (when neccesary layer 2 MAC is used)
• If the request respons matches, addresses will be resolved by the protocol

Question 2

Is ARP a safe protocol?

Answer 2

No the protocol does not allow for the MAC address to serve as an autenthicator. Therfore the connection can be easily spoofed.

Question 3

How does ICMP work?

Answer 3

• I ICMP is the simplest protocol layered on top of IP.
• Messages consist of a one-byte type, a one-byte code, a simple
  checksum, and an optional payload
• Warning! ICMP signal must not be generated as answers to any requests. This is to prevent infinite loops and network flooding.

Question 4

Name some important ICMP sub-protocols

Answer 4

Type 0/8 Echo (“ping”) reply/response
Type 3 Unreachable host or network (codes identify cause of
unreachability
Type 5 Redirection (code specifies if redirection is for host or
network)
Type 4 Source quench (destination asks for traffic to slow down —
buffer overwhelmed) can be used as a simple dos attack
Type 11 Timeout error (either on pass-through or defragmentation)
Type 13/14 Timestamp request/response
Type 33/34 IPv6 where-are-you/I-am-here
Type 35/36 Mobile registration request/reply
Type 37/38 Domain name request/reply

Question 5

How does the Internet Group Management Protocol

(IGMP) work?

Answer 5

• Each network has one querier, and all routers begin as queriers
• Queriers elect a router among themselves (lowest numerical IP
  address)
• Hosts then issue membership queries and reports (for multicast
  group addresses) via special IP address 224.0.0.1. The router frequently sends out IGMP queries to ask the nodes if they need a particular multicast stream. If a given node needs such a stream, it will respond to the query with a IGMP report detailing the stream it wishes to listen to.

Question 6

What are the 3 possible address translation protocols?

Answer 6

We distinguish between NAT (network address translation), PAT (port
address translation, and their combination NAPT
I A NAT/PAT/NAPT gateway must keep track of outbound packets and
will assign (dynamically or statically) addresses and ports (or
combinations) from its pool

Question 7

How does “Hole punching” work?

Answer 7

• Hole punching techniques uses a temporary third party to avoid detection. It is typically used for C2 (Command and Control) for malicious botnets, or other malicious software running on infected hosts programmed to “call home” once in a while.
• The temporary server must function as a middle man for communication between the end points.
• By linking the two “outbound” connections via the server, one can avoid detection by network monitoring tools such as firewalls since the destination IP is random and usually without a bad reputation.

Question 8

Name common tunneling protocols

Answer 8

Common protocols include:
GRE (Generic Routing Encapsulation),
PPTP(point-to-point tunneling protocol), and its replacement L2TP (Layer 2
Tunneling Protocol)
- Other tunneling options include TLS and SSH encapsulation, but they are used mainly for security