Test 3 Flashcards

1
Q

Why is traditional network configuration hard? (4)

A

1) Defining correctness is hard.
2) Interactions between protocols are unpredictable.
3) Operators make mistakes.
4) Configuration is distributed across many devices.

2
Q

What does SDN provide to operators? (3)

A

1) Network-wide views of topology and traffic.
2) Ability to satisfy network-level objectives such as load balance and security
3) Direct control of the data plane

3
Q

How does SDN change the role of routers?

A

Routers no longer need to compute routes. The routing can be logically centralized.

4
Q

What are the two functions of a network and what do they do?

A

1) The Data Plane forwards packets to the destination.

2) The Control Plane computes the routing table. It is the logic that controls forwarding behavior.

5
Q

How do the two functions of a network differ on traditional networks versus SDNs?

A

Traditionally, control and data planes are distributed across all of the routers. On SDNs, the control plane is
run on a logically central controller that controls all of the network.

6
Q

What are the three main advantages of SDNs?

A

1) Easier to coordinate behavior
2) Behavior is easier to evolve / faster innovation
3) Behavior is easier to reason about and debug. You can apply typical CS techniques.

7
Q

How does the infrastructure of the Control Plane and Data Plane differ on SDNs?

A

The control plane is written in a high level language that sends “control commands,” while the data plane is programmable hardware.

8
Q

What four opportunities do SDN and plane separation provide?

A

1) Data centers - facilitates VM migration to adapt to fluctuating network demands.
2) Routing - more control over decision logic.
3) Enterprise networks - can write security applications that manage network access control.
4) Research - can virtualize networks so research networks and experimental protocols can coexist with production networking applications

9
Q

What problem does SDN solve in data centers and how?

A

One cluster has many servers, each running many VMs. These VMs need to be migrated across servers because of load. SDN lets the switch state be programmed from a central database to support this.

10
Q

What are three challenges of SDN?

A

1) Scalability - control element may be responsible for hundreds to thousands of switches
2) Consistency - we want to replicate the controller, but we want to ensure the same view on all.
3) Security/Robustness - we want to make sure that the network functions correctly if a controller fails or is compromised.

11
Q

What is the main advantage and disadvantage of Pox vs NOX?

A

Pox is written in Python, so control programs are easier to write and understand than NOX's C++. However, Python is slower.

12
Q

What are the advantages/disadvantages of Ryu?

A

It supports later versions of OpenFlow, but it is written in Python and is therefore slower.

13
Q

What are the advantages/disadvantages of Floodlight?

A

Written in Java, fast, good documentation, REST API, but hard to learn.

14
Q

What is the difference between a hub vs a switch?

A

A hub maintains no state about where packets should be forwarded and therefore forwards to every output port. A switch learns a forwarding table.

15
Q

How does caching work in SDN?

A

1) A packet reaches the controller if there is no matching flow table entry at the switch.
2) When the controller decides on an action, it installs an entry on the switch.
3) The decision is cached on the switch, so later packets of the same flow are handled there without involving the controller.
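The hub/switch distinction and the miss-then-install caching loop, as an added example (not code from the course or from any real controller such as POX). The controller logic is a plain learning switch; the MAC addresses and traffic are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int


class Hub:
    """A hub keeps no forwarding state: every frame is repeated on all other ports."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, frame):
        return sorted(p for p in self.ports if p != frame.in_port)


class Controller:
    """Learning-switch control program: maps MACs to ports and installs flow entries."""

    def __init__(self):
        self.mac_to_port = {}
        self.packet_ins = 0  # number of table misses sent up to the controller

    def packet_in(self, switch, frame):
        self.packet_ins += 1
        self.mac_to_port[frame.src_mac] = frame.in_port  # learn where the sender lives
        out = self.mac_to_port.get(frame.dst_mac)
        if out is None:  # unknown destination: flood, nothing to cache yet
            return sorted(p for p in switch.ports if p != frame.in_port)
        switch.flow_table[frame.dst_mac] = out  # cache the decision on the switch
        return [out]


class Switch:
    """Data plane: consult the flow table first, ask the controller only on a miss."""

    def __init__(self, ports, controller):
        self.ports = list(ports)
        self.controller = controller
        self.flow_table = {}  # dst_mac -> output port, installed by the controller
        self.table_hits = 0

    def forward(self, frame):
        out = self.flow_table.get(frame.dst_mac)
        if out is not None:
            self.table_hits += 1
            return [out]
        return self.controller.packet_in(self, frame)


def demo():
    """Constructed traffic: host A on port 1 and host B on port 2 exchange frames."""
    ctl = Controller()
    sw = Switch([1, 2, 3], ctl)
    hub = Hub([1, 2, 3])
    a_to_b = Frame("00:00:00:00:00:0a", "00:00:00:00:00:0b", in_port=1)
    b_to_a = Frame("00:00:00:00:00:0b", "00:00:00:00:00:0a", in_port=2)
    trace = [
        hub.forward(a_to_b),  # hub: [2, 3] every time, no learning
        sw.forward(a_to_b),   # miss, B unknown -> controller floods [2, 3], learns A@1
        sw.forward(b_to_a),   # miss, A known -> controller installs B->A entry, [1]
        sw.forward(b_to_a),   # hit in the switch's flow table, controller not involved
        sw.forward(a_to_b),   # miss (A->B entry not installed yet) -> install, [2]
    ]
    return trace, ctl.packet_ins, sw.table_hits


if __name__ == "__main__":
    print(demo())
```

Only three of the four switch-forwarded frames reach the controller; the fourth is served from the cached entry, which is the whole point of installing rules rather than answering every packet_in.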

16
Q

What are the two consistency problems that arise with SDN?

A

1) Packet-level: updates may disrupt packets along an end-to-end path when switches receive updates at different times.
2) Flow-level: packets from the same flow may be disrupted

17
Q

Why can’t OpenFlow deal with the problem of “Show all web server traffic except source 1.2.3.4” and what is the solution?

A

OpenFlow only uses simple match-action rules which do not allow you to express exceptions. The solution is to use “predicates.” These can be translated via a runtime system into low-level OpenFlow rules.
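How a runtime can compile a predicate containing negation into prioritized match/action rules, as an added example (not the Frenetic runtime's code). The predicate syntax, the field names (`tp_dst`, `nw_src`) and the "monitor"/"drop" action names are assumptions for the demonstration; the compilation is the standard first-match classifier construction (cross product for `and`/`or`, action flip for `not`).

```python
# Predicates: ("match", field, value), ("not", p), ("and", p, q), ("or", p, q).


def compile_pred(pred):
    """Return a first-match classifier: a list of (match_dict, bool). Every packet hits some rule."""
    kind = pred[0]
    if kind == "match":
        return [({pred[1]: pred[2]}, True), ({}, False)]
    if kind == "not":
        # Same matches, opposite verdicts: negation costs no extra rules.
        return [(m, not a) for m, a in compile_pred(pred[1])]
    left, right = compile_pred(pred[1]), compile_pred(pred[2])
    op = (lambda a, b: a and b) if kind == "and" else (lambda a, b: a or b)
    out = []
    for m1, a1 in left:
        for m2, a2 in right:
            # Keep only pairs whose match fields do not contradict each other.
            if all(m1[k] == m2[k] for k in m1.keys() & m2.keys()):
                out.append(({**m1, **m2}, op(a1, a2)))
    return out


def to_openflow(classifier, action="monitor"):
    """Turn first-match order into descending priorities; 'drop' means 'do not send to the monitor'."""
    n = len(classifier)
    return [{"priority": n - i, "match": m, "action": action if a else "drop"}
            for i, (m, a) in enumerate(classifier)]


def classify(rules, pkt):
    """Highest-priority rule whose every match field equals the packet's field wins."""
    for rule in sorted(rules, key=lambda r: -r["priority"]):
        if all(pkt.get(f) == v for f, v in rule["match"].items()):
            return rule["action"]
    return "drop"


# "All web server traffic except source 1.2.3.4"
WEB_EXCEPT = ("and", ("match", "tp_dst", 80), ("not", ("match", "nw_src", "1.2.3.4")))
RULES = to_openflow(compile_pred(WEB_EXCEPT))

if __name__ == "__main__":
    for r in RULES:
        print(r)
```

The exception becomes the highest-priority rule (`tp_dst=80, nw_src=1.2.3.4 -> drop`) shadowing the general `tp_dst=80 -> monitor` rule, which is the only way a match-action table can say "except". The last two rules are redundant with the table-miss default; a real runtime would prune such shadowed rules.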

18
Q

What is the problem dealing with the number of rules, and what is the solution?

A

There are too many possible rules, as every rule could apply to every IP address, port, etc. The solution is to dynamically unfold the rules as the traffic arrives.

19
Q

What is the problem of “extra unexpected events,” and what is the solution?

A

The first packet of a flow gets sent to the controller, and the controller installs a rule on the switches to deal with the flow. But if this doesn't happen quickly enough, many more packets of the flow will be sent to the controller in the meantime.

The solution is to specify a Limit(1) rule to suppress all but the first packet to the controller.

20
Q

What is the two-phase commit and how does it work?

A

It’s a solution to writing network configuration consistently. It ensures that packets are either subjected to the old configuration on all switches or the new configuration on all switches.

Packets are tagged with a configuration version when they enter the network. Switches keep both the old and the new configuration and apply whichever one a packet's tag selects; ingress switches start tagging with the new version only once every switch has the new configuration installed, and the old configuration is removed once no packets tagged with it are still in flight.
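A simulation of why the version tag matters, as an added example (not code from the course or from the consistent-updates work it summarizes). The topology, the two configurations and the untrusted source address are constructed: in the old configuration the second switch S2 is the firewall, in the new one the firewall moves to the ingress switch S1. Applying the new configuration to S2 before S1, without tags, lets an untrusted packet slip past both firewalls.

```python
UNTRUSTED = {"10.9.9.9"}  # constructed: a source the firewall must drop


class Packet:
    def __init__(self, src, version=None):
        self.src = src
        self.version = version  # configuration version stamped at ingress, None if untagged


# Version 1: S1 forwards everything, S2 is the firewall.
def s1_v1(pkt):
    return "S2"


def s2_v1(pkt):
    return "drop" if pkt.src in UNTRUSTED else "host"


# Version 2: the firewall moves to the ingress switch S1, S2 forwards everything.
def s1_v2(pkt):
    return "drop" if pkt.src in UNTRUSTED else "S2"


def s2_v2(pkt):
    return "host"


class VersionedSwitch:
    """Keeps every installed configuration and applies the one a packet's tag selects."""

    def __init__(self, name, configs, ingress_version=None):
        self.name = name
        self.configs = dict(configs)  # version -> forwarding function
        self.ingress_version = ingress_version  # tag stamped on packets entering here

    def process(self, pkt):
        if pkt.version is None and self.ingress_version is not None:
            pkt.version = self.ingress_version
        return self.configs[pkt.version](pkt)


def run(pkt, switches, start="S1"):
    """Follow the packet from switch to switch until it is dropped or reaches the host."""
    hop = start
    while hop in switches:
        hop = switches[hop].process(pkt)
    return hop


def naive_update_midway(src):
    """S2 already runs the new rules, S1 still the old ones; no version tags anywhere."""
    switches = {"S1": VersionedSwitch("S1", {0: s1_v1}, ingress_version=0),
                "S2": VersionedSwitch("S2", {0: s2_v2})}
    return run(Packet(src), switches)


def two_phase_update_midway(src):
    """Phase 1: version 2 installed on every switch, but ingress still stamps version 1."""
    switches = {"S1": VersionedSwitch("S1", {1: s1_v1, 2: s1_v2}, ingress_version=1),
                "S2": VersionedSwitch("S2", {1: s2_v1, 2: s2_v2})}
    return run(Packet(src), switches)


def two_phase_update_after_flip(src):
    """Phase 2: ingress stamps version 2; version 1 can be removed once its packets drain."""
    switches = {"S1": VersionedSwitch("S1", {1: s1_v1, 2: s1_v2}, ingress_version=2),
                "S2": VersionedSwitch("S2", {1: s2_v1, 2: s2_v2})}
    return run(Packet(src), switches)


if __name__ == "__main__":
    for fn in (naive_update_midway, two_phase_update_midway, two_phase_update_after_flip):
        print(fn.__name__, "untrusted ->", fn("10.9.9.9"), "| trusted ->", fn("192.0.2.7"))
```

The naive update has a window in which the untrusted packet is forwarded by S1 under the old rules and by S2 under the new rules, so neither switch applies the firewall. With tags, the same packet is processed under version 1 end to end and S2 drops it, even though S2 already holds the version 2 rules.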

21
Q

What is network virtualization?

A

It is an abstraction of a physical network where multiple “logical networks” can exist on a shared physical substrate.
It is analogous to multiple virtual machines running on shared hardware.

22
Q

Why is network virtualization used?

A

It allows easier network evolution by letting multiple architectures exist in parallel.
It has also grown in practice due to multi-tenant data centers.

23
Q

What is the difference between SDN and network virtualization?

A

Network virtualization can use SDN as a tool. Network virtualization separates the logical network from the underlying physical network, while SDN separates the data plane of the network from the control plane.

24
Q

How are nodes created in network virtualization?

A

A hypervisor slices the underlying hardware to provide the illusion of multiple guest nodes.

25
Q

How do edges between nodes work in network virtualization?

A

Because virtual nodes may be separated by one or more IP hops, Ethernet frames are encapsulated in IP packets (tunneled) and decapsulated at the destination. A physical host can run multiple virtual hosts, so it needs a virtual switch to link them together.

26
Q

What are the three problems in programming SDNs (OpenFlow)?

A

1) Low level of abstraction
2) Controller only sees events that switches do not know how to handle
3) Race conditions if switch-level rules not installed properly

27
Q

What is the “northbound” API?

A

It is an API that allows for higher level abstraction when defining network behavior. This would allow for applications to be written on top of OpenFlow, but there is no current standard.

28
Q

What is Frenetic?

A

A programming language that sits on top of the northbound API that uses a SQL-like query language.

29
Q

What is a potential problem in writing multiple high-level network policies, and what is a solution?

A

Different modules can be written (firewall, load balancer, etc.), but they all affect the same traffic. It must be specified which policies can be applied in parallel and in what order rules must be applied sequentially.

30
Q

What is traffic engineering?

A

Process of reconfiguring the network in response to changing traffic loads.

31
Q

How can intradomain traffic engineering be done?

A

Tuning link weights based on capacity, delay, or some network-wide optimization goal.

32
Q

What are the three steps in traffic engineering?

A

Measure, model, and control. Traffic is measured (topology and traffic). This is fed to a what-if model that predicts what will happen under various changes. The appropriate changes are applied to control the link weights.

33
Q

What are the three goals of interdomain traffic engineering?

A

1) Predictability
2) Limit influence of neighbors
3) Reduce overhead of routing changes

34
Q

How can interdomain TE affect predictability and how can it be prevented?

A

By changing the configuration of an outgoing link, you can change the routing decisions of other ASes, thus changing the entire traffic matrix. Prevent this by only making changes that are not globally visible.

35
Q

What is multipath routing?

A

It is when an operator specifies multiple paths in advance. For example, an operator could adjust link weights to make two paths have equal length and adjust the traffic fractions to optimize congestion.

36
Q

What are the three main characteristics of data center networks?

A

1) Multi-tenancy
2) Elastic resources
3) Flexible service management - workload movement, migration enabled by virtualization

37
Q

What are the benefits and challenges of modern data center topologies?

A

Data center core layers are now layer 2 instead of layer 3.

Benefits:

1) Easier migration due to no need for new IP address
2) Easier load balance

Challenges:

1) Harder to scale since all servers are on flat topology and forwarding tables get large
2) Single points of failure
3) Oversubscription of links at top of hierarchy

38
Q

How do pods help with the data center scaling problem?

A

Instead of maintaining forwarding table entries for every MAC address, servers get assigned pseudo-MAC address that corresponds to their pod.

39
Q

What are the goals of valiant load balancing and how does it achieve them?

A

Goals:

1) Spread traffic
2) Ensure traffic load is balanced independent of the destination

It uses an indirection level of switches. Nodes pick one at random, and the switches then forward the traffic to the ultimate destination.

40
Q

What are the goals of jellyfish?

A

1) High throughput

2) Incremental expandability

41
Q

How is a jellyfish random graph constructed?

A

Every top-of-rack (ToR) switch i has k_i total ports, of which it uses r_i to connect to other ToR switches at random and the remaining k_i - r_i to connect to servers.

42
Q

What are the five reasons that the internet is insecure?

A

1) Designed for simplicity
2) “On by default”
3) Hosts are insecure
4) Attacks can look like normal traffic
5) Federated design obstructs cooperation

43
Q

What are the four components of security?

A

1) Availability: ability to use a resource
2) Confidentiality: concealing information
3) Authenticity: assures origin of information
4) Integrity: prevent unauthorized changes

44
Q

How could an attack on confidentiality occur?

A

An attacker could place their network card in promiscuous mode and use a packet sniffer to intercept packets not meant for them.

45
Q

How could an attack on authenticity occur?

A

An attacker could intercept messages sent from A to B, suppress the original, alter it, and send the altered message to B while impersonating A. This is a "man in the middle" attack, and it also attacks integrity.

46
Q

What are the three types of control plane authentication?

A

1) Session: protects point-to-point communication between routers
2) Path: protects AS path
3) Origin: protects origin AS in AS path, and ensures the origin AS that advertises prefix owns the prefix

47
Q

What type of control plane authentication attack is route hijacking?

A

It’s an attack on origin authentication because the AS advertising the prefix doesn’t own the prefix.

48
Q

What is AS path poisoning?

A

A man-in-the-middle advertises an AS path that includes ASes whose traffic it does not want routed back through itself. Because BGP loop detection makes an AS discard any route whose AS path already contains its own AS number, those ASes reject the route.

49
Q

How is session authentication done?

A

The TCP session is authenticated with TCP's MD5 signature option (RFC 2385) and a shared secret key. Alternatively, the peers set the TTL of their packets to 255 and drop received packets with TTL values less than 254, so packets injected from further away than the neighboring router cannot reach the session (the "TTL security hack", GTSM).
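Both session checks in working form, as an added example (not code from the course or from any router implementation). The RFC 2385 digest covers the TCP pseudo-header, the fixed TCP header with the checksum zeroed (options excluded), the segment data and the key, in that order; the addresses, ports, key and BGP KEEPALIVE payload below are constructed. Note that the MD5 option has since been superseded by TCP-AO (RFC 5925).

```python
import hashlib
import hmac
import struct


def tcp_header(sport, dport, seq, ack, flags, window, options=b""):
    """Build a TCP header with a zero checksum; options are padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0) + options


def tcp_md5_digest(key, saddr, daddr, header, payload):
    """RFC 2385: MD5(pseudo-header | fixed header with checksum=0 | data | key)."""
    seg_len = len(header) + len(payload)  # TCP length incl. options, as in the pseudo-header
    pseudo = struct.pack("!4s4sBBH", saddr, daddr, 0, 6, seg_len)
    fixed = header[:16] + b"\x00\x00" + header[18:20]  # bytes 16-17 are the checksum
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def md5_option(digest):
    """TCP option kind 19, length 18, carrying the 16-byte digest."""
    return bytes([19, 18]) + digest


def verify_md5(key, saddr, daddr, header, payload, received_digest):
    """Constant-time comparison so a forger learns nothing from timing."""
    return hmac.compare_digest(tcp_md5_digest(key, saddr, daddr, header, payload), received_digest)


def gtsm_accept(ttl, max_hops=1):
    """Accept only if the sender used TTL 255 and the packet crossed at most max_hops routers."""
    return ttl >= 256 - max_hops


def demo():
    key = b"constructed-bgp-session-key"
    saddr, daddr = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    payload = b"\xff" * 16 + b"\x00\x13\x04"  # constructed BGP KEEPALIVE: marker, length 19, type 4
    # Reserve the option slot with a zeroed digest, sign, then fill the real digest in.
    hdr = tcp_header(179, 40000, seq=1000, ack=2000, flags=0x18, window=65535,
                     options=md5_option(bytes(16)))
    digest = tcp_md5_digest(key, saddr, daddr, hdr, payload)
    signed_hdr = hdr[:20] + md5_option(digest) + hdr[20 + 18:]
    ok = verify_md5(key, saddr, daddr, signed_hdr, payload, digest)
    tampered = verify_md5(key, saddr, daddr, signed_hdr, payload + b"\x00", digest)
    wrong_key = verify_md5(b"other-key", saddr, daddr, signed_hdr, payload, digest)
    return ok, tampered, wrong_key


if __name__ == "__main__":
    print(demo(), gtsm_accept(255), gtsm_accept(254), gtsm_accept(254, max_hops=2))
```

With `max_hops=1` the check matches RFC 5082 for directly connected peers (only TTL 255 is accepted); the course's "drop below 254" rule corresponds to `max_hops=2`.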

50
Q

How is path authentication done?

A

ASes advertise routes together with a "path attestation": the route signed with the advertising AS's private key. Each attestation names the AS the route is being sent to and wraps the attestations received from previous ASes along the path.

This prevents path hijacks, shortenings, and modifications, but it does not prevent path suppression (an AS simply not advertising a route it received).

51
Q

What are the four reasons that DNS is so vulnerable?

A

1) Resolvers trust responses
2) Responses contain info unrelated to query
3) No authentication is required
4) DNS is done over UDP (connectionless)

52
Q

What is DNS cache poisoning?

A

The attacker anticipates (or triggers) a DNS query from a recursive resolver to an authoritative server. Before the authoritative server can reply, the attacker floods the resolver with forged replies carrying guessed transaction IDs, in the hope that one of them is accepted and cached.

53
Q

What is the Kaminsky attack?

A

The attacker triggers queries for many random, non-existent names in the target domain (so the resolver never has a cached answer and must ask upstream every time), and races each query with forged replies whose authority section lists the attacker's server as the name server (NS) for the whole domain. A single win poisons the delegation for the entire domain rather than one name.

54
Q

What are the three ways to defend against DNS cache poisoning?

A

1) Transaction ID randomization
2) Source port randomization
3) "0x20" encoding - randomizing the capitalization of the queried domain name, which the attacker cannot predict, adds additional entropy
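The three defenses as resolver-side checks, plus the arithmetic for how much they buy against the blind flooding used in cache poisoning and the Kaminsky attack, as an added example (not code from the course or from any resolver). The resolver secret, transaction ID, port and query name are constructed; deriving the case pattern from an HMAC is one possible design, chosen so the resolver can recompute the expected name without storing it.

```python
import hashlib
import hmac
import math


def encode_0x20(qname, key):
    """Randomize each letter's case from HMAC(key, qname) bits; deterministic for the resolver."""
    digest = hmac.new(key, qname.lower().encode(), hashlib.sha256).digest()
    out, i = [], 0
    for ch in qname.lower():
        if ch.isalpha():
            bit = (digest[(i // 8) % len(digest)] >> (i % 8)) & 1
            out.append(ch.upper() if bit else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def case_bits(qname):
    """Each letter contributes one bit of entropy the attacker has to guess."""
    return sum(c.isalpha() for c in qname)


def accept_response(pending, resp):
    """Resolver check: transaction ID, destination port and the exact-case question name must match."""
    return (resp["txid"] == pending["txid"]
            and resp["dport"] == pending["sport"]
            and resp["qname"] == pending["qname"])


def spoof_success_probability(forged_replies, txid_bits=16, port_bits=0, case_bits=0):
    """Chance that at least one blind forgery matches, given the entropy the resolver checks."""
    space = 2 ** (txid_bits + port_bits + case_bits)
    return -math.expm1(forged_replies * math.log1p(-1 / space))


def demo():
    key = b"constructed-resolver-secret"
    q = encode_0x20("www.example.com", key)
    pending = {"txid": 0x1A2B, "sport": 51342, "qname": q}
    genuine = {"txid": 0x1A2B, "dport": 51342, "qname": q}
    # An attacker who guessed ID and port but not the case pattern still loses.
    forged = {"txid": 0x1A2B, "dport": 51342, "qname": q.swapcase()}
    return {
        "genuine_accepted": accept_response(pending, genuine),
        "forgery_accepted": accept_response(pending, forged),
        "p_txid_only": spoof_success_probability(65536),
        "p_all_three": spoof_success_probability(65536, port_bits=16, case_bits=case_bits(q)),
    }


if __name__ == "__main__":
    print(demo())
```

With only a 16-bit transaction ID, 65536 forged replies give the attacker about a 63% chance per race; adding a random source port and 13 case bits for `www.example.com` drops the same effort to roughly one in 500 million, which is why the Kaminsky attack's unlimited retries stopped being practical once resolvers randomized ports.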

55
Q

What is the DNS amplification attack?

A

An attacker sends a small DNS query with the source address spoofed to the victim's address. The DNS server sends its much larger response to the victim. With many such queries, or many attackers coordinating, this becomes a DoS attack on the victim.

56
Q

What is the DNSSEC protocol?

A

It is an authentication and integrity extension for DNS (it does not encrypt anything). Each zone signs its records with its private key. When the resolver issues a query, the signed response includes the delegation to the next server in the hierarchy together with a DS record, a hash of the child zone's public key. Starting from a trust anchor for the root, the resolver uses each DS record to verify the next zone's public key (DNSKEY) and thus the signatures on that zone's responses.

57
Q

What is the difference between a virus and a worm?

A

A virus is an infection of an existing program that results in modified behavior. It typically requires user action in order to spread.
A worm is code that propagates/replicates across the network, and it does so automatically.

58
Q

What are the four types of virus?

A

1) Parasitic: infects executable files
2) Memory resident: stays resident in memory and infects programs as they run
3) Boot-sector: spreads when system is booted
4) Polymorphic: encrypts parts of virus program using randomly generated key

59
Q

What is the lifecycle of a worm?

A

1) Discover/”scan” for vulnerable hosts
2) Infect vulnerable machines via remote exploit
3) Remain undetectable

60
Q

How can worms increase their initial compromise rate?

A

1) Hit list of known vulnerable systems

2) Permutation list to ensure different copies of worms try different IP addresses.

61
Q

What are three ways to defend against DOS attacks?

A

1) Ingress filtering
2) uRPF checks
3) SYN cookies (TCP)
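Ingress filtering (BCP 38) and both uRPF modes over a small forwarding table, as an added example (not code from the course or from any router vendor). The edge router, its two customers and the default route toward the upstream are constructed; the check logic is what the standard techniques specify.

```python
import ipaddress


class Router:
    """Forwarding table with longest-prefix match; each route names the interface it points out of."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix, strict=False), iface) for prefix, iface in routes]

    def lookup(self, addr):
        """Return (network, interface) of the most specific route covering addr, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best

    def urpf_strict(self, src, in_iface):
        """Strict uRPF: the best route back to src must point out of the arrival interface."""
        route = self.lookup(src)
        return route is not None and route[1] == in_iface

    def urpf_loose(self, src):
        """Loose uRPF: some non-default route to src must exist (catches bogon sources only)."""
        route = self.lookup(src)
        return route is not None and route[0].prefixlen > 0


def bcp38_allows(src, in_iface, customer_prefixes):
    """Ingress filtering at the customer edge: only the customer's own prefixes may appear as sources."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes.get(in_iface, []))


# Constructed edge router: two customers plus a default route toward the upstream provider.
EDGE = Router([("192.0.2.0/24", "cust1"), ("198.51.100.0/24", "cust2"), ("0.0.0.0/0", "upstream")])
CUSTOMERS = {"cust1": ["192.0.2.0/24"], "cust2": ["198.51.100.0/24"]}


def check_packet(src, in_iface):
    """Verdict of each defense for a packet with source src arriving on in_iface."""
    return {"strict": EDGE.urpf_strict(src, in_iface),
            "loose": EDGE.urpf_loose(src),
            "bcp38": bcp38_allows(src, in_iface, CUSTOMERS)}


if __name__ == "__main__":
    for src, iface in [("192.0.2.10", "cust1"), ("198.51.100.5", "cust1"),
                       ("203.0.113.7", "cust1"), ("192.0.2.10", "upstream")]:
        print(src, iface, check_packet(src, iface))
```

Strict uRPF and BCP 38 both reject a customer spoofing another customer's or an unrelated address; loose uRPF only rejects sources with no route at all, which is why it is the mode used on asymmetric transit links where strict mode would drop legitimate traffic.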

62
Q

How do TCP syn cookies work?

A

Instead of allocating connection state for every SYN, the server encodes the connection information (a coarse timestamp, the client's MSS, and a keyed hash of the addresses and ports) in the initial sequence number of its SYN-ACK. When the client's ACK arrives, the server checks that the acknowledgement number minus one is a valid cookie and only then creates the connection. An attacker flooding SYNs with spoofed sources therefore cannot exhaust the server's connection buffer.
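A SYN cookie generator and validator in the classic layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), as an added example (not the Linux implementation or code from the course). The secret, addresses, ports and MSS table are constructed; real stacks use their own MSS table and a different hash, and the time window here is the two most recent 64-second slots.

```python
import hashlib
import struct

MSS_TABLE = [536, 1220, 1440, 1460]  # constructed: 4 representable MSS values (index fits in 3 bits)


def _cookie_hash(secret, saddr, daddr, sport, dport, t):
    """24-bit keyed hash over the 4-tuple and the time slot; the key never leaves the server."""
    h = hashlib.sha256(secret + struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)).digest()
    return int.from_bytes(h[:4], "big") & 0xFFFFFF


def make_cookie(secret, saddr, daddr, sport, dport, mss, now):
    """Initial sequence number for the SYN-ACK; no per-connection state is kept."""
    t = (now // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 24) | _cookie_hash(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret, saddr, daddr, sport, dport, ack_num, now):
    """Validate the ACK of the handshake; return the negotiated MSS, or None if bogus/expired."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t = cookie >> 27
    current = (now // 64) & 0x1F
    if (current - t) & 0x1F > 1:  # older than the previous slot (or from the future)
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(secret, saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def demo():
    secret = b"constructed-server-secret"
    client, server = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])
    now = 1_000_000
    isn = make_cookie(secret, client, server, 40000, 443, 1460, now)
    return {
        "valid": check_cookie(secret, client, server, 40000, 443, isn + 1, now),
        "other_port": check_cookie(secret, client, server, 40001, 443, isn + 1, now),
        "expired": check_cookie(secret, client, server, 40000, 443, isn + 1, now + 192),
        "tampered": check_cookie(secret, client, server, 40000, 443, (isn ^ 1) + 1, now),
    }


if __name__ == "__main__":
    print(demo())
```

The cost of statelessness is visible in the layout: only the MSS survives the round trip, and any TCP option the client sent in its SYN (window scaling, SACK) is lost unless it can be squeezed into the cookie or recovered from timestamps, which is why stacks enable cookies only once the SYN backlog is under pressure.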

63
Q

How does “Backscatter” work?

A

Backscatter infers DoS activity by monitoring a portion of the address space for the replies that victims send to spoofed source addresses. If it is assumed that the attacker spoofs source IPs uniformly at random, the observed backscatter can be compared against what you would expect statistically in an attack and scaled up.

The total attack rate is (total IP address space / monitored IP address space) * observed attack rate.