CISC5725 Network Administration
Midterm, March 2012
Total points: 80
1. [10 pts] True or False; please provide a short explanation for your answer.
a. Each host in the Internet has an IP address.
True. The Internet uses the IP protocol, which routes packets mainly by the destination's IP address. For a host to be able to receive packets, it therefore needs an IP address. A more accurate way to put it is that each network interface card has an IP address, as some hosts (those also serving as routers or gateways) have multiple interface cards, each with its own IP address.
b. The Internet network layer, IP, provides best-effort service.
True. There is no guarantee that a packet will be delivered to its destination within a specified amount of time, or delivered at all. As the IP protocol does not reserve any resources (such as link bandwidth, buffer space at routers, or an end-to-end path), a packet may encounter a congested link, be dropped at a router due to buffer overflow, or be misrouted by a wrongly configured routing table.
2. [10 pts] Suppose two hosts, A and B, are 14500 meters apart and are connected by a direct link of R = 1.5 Mbps. Suppose the propagation speed over the link is 2.5 x 10^8 meters/second. Consider sending a file of 800,000 bits from Host A to Host B.
a. How long does it take to send the file, assuming it is sent continuously?
Sol: The time from when node A starts to send the file to when node B finishes receiving the file is the transmission delay plus the propagation delay:

$$T_{trans} + T_{prop} = \frac{800000}{1.5 \times 10^6} + \frac{14500}{2.5 \times 10^8} = 0.5333333 + 0.000058 = 0.5333913\ \text{s}$$
b. Suppose now the file is broken up into 20 packets, each containing 40,000 bits. Suppose that each packet is acknowledged by the receiver and the transmission time of an acknowledgement packet is negligible. Finally, assume that the sender cannot send a packet until the preceding one is acknowledged. How long does it take to send the file?
Sol: Suppose the transmission of the file finishes when the last packet arrives at the destination. Writing $T_t$ for the transmission delay of one packet and $T_p$ for the propagation delay, each packet except the last one actually takes $T_t + 2T_p$, as the next packet cannot be transmitted until B receives the previous packet and the acknowledgement propagates back to A. The last packet takes $T_t + T_p$. So the total is:

$$19(T_t + 2T_p) + T_t + T_p = 20T_t + 39T_p = 20 \times \frac{40000}{1.5 \times 10^6} + 39 \times \frac{14500}{2.5 \times 10^8} = 0.533333 + 39 \times 0.000058 = 0.53559\ \text{s}$$
c. Compare (a) and (b).
Sol: The difference between the two times to transmit the file is small, 0.001682 second. This is mainly because the dominant component of the delay is the transmission delay, which is the same in both cases.
3. [15 pts] Conceptual questions about the Internet protocol stack.
a. What are the five layers in the Internet protocol stack? What are the principal responsibilities of each of these layers?
Sol: omitted.
b. What's an IP datagram?
Sol: When a transport-layer segment is passed to the IP layer for transmission, IP adds a header to the segment that stores information such as the source and destination IP addresses, a TTL field, a protocol number, etc. The header together with the segment is the IP datagram.
c. Which layers in the Internet protocol stack does a router process? How about a link-layer switch? How about a host?
Sol: Typically, a router processes the physical layer, the link layer, and the network layer (i.e., the IP protocol). Its main functions are IP routing and forwarding. A link-layer switch only processes the physical layer and the link layer, and its main function is "switching" packets among nodes within the same network. Hosts on the Internet process all five layers, from the physical layer all the way to the application layer, in order to support network applications (such as Web, ftp, ...).
4. [10 pts] Consider a subnet with prefix (or network address) 128.119.40.128/26. Give an example of one IP address (in the form xxx.xxx.xxx.xxx) that can be assigned to this network. Suppose an ISP owns the block of addresses of the form 128.119.40.64/25, and it wants to create four subnets from this block, with each block having the same number of IP addresses. What are the network addresses for the four subnets?
Sol: The subnet contains 2^6 = 64 addresses, in the following range:
128.119.40.128 - 128.119.40.191.
Note that the first address (host part all 0's) and the last (host part all 1's) are not assigned to hosts. One example of an IP address in this network is 128.119.40.130.
There is a typo (from the original source) here. The address block should be 128.119.40.54/26. (It is impossible to have an IP address block of 128.119.40.64/25, as the host part of this block of addresses is not all zeros.) To create four subnets with the same number of IP addresses in each, we need to use two bits from the host part as the subnet field, giving four subnets with the following prefixes:
128.119.40.64/28
128.119.40.80/28
128.119.40.96/28
128.119.40.112/28
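The address arithmetic of question 4 done with Python's standard ipaddress module, as an added example that is not part of the exam key. It takes 128.119.40.64/26 as the ISP block, the prefix from which the four /28 subnets listed above are carved, and generalizes the split to any power-of-two number of subnets.

```python
# Added example (not from the exam key): subnet arithmetic of question 4
# with the standard-library ipaddress module.
import ipaddress


def address_range(prefix):
    """(first usable, last usable, total addresses) for a CIDR block. The
    network address (host bits all 0) and the broadcast address (host bits
    all 1) are left out, as the key does."""
    net = ipaddress.ip_network(prefix, strict=True)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), net.num_addresses


def in_block(address, prefix):
    """True when `address` can be assigned to a host inside the block."""
    net = ipaddress.ip_network(prefix, strict=True)
    addr = ipaddress.ip_address(address)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def is_valid_block(prefix):
    """A prefix denotes a block only if its host bits are all zero; that is
    why 128.119.40.64/25 cannot be a block while 128.119.40.64/26 can."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def split_equal(prefix, n_subnets):
    """Carve a block into n equal subnets by borrowing log2(n) host bits as
    the subnet field: four subnets of a /26 are /28s."""
    borrowed = n_subnets.bit_length() - 1
    if 1 << borrowed != n_subnets:
        raise ValueError("n_subnets must be a power of two")
    net = ipaddress.ip_network(prefix, strict=True)
    return [str(sub) for sub in net.subnets(prefixlen_diff=borrowed)]


if __name__ == "__main__":
    print(address_range("128.119.40.128/26"))
    print(is_valid_block("128.119.40.64/25"), is_valid_block("128.119.40.64/26"))
    print(split_equal("128.119.40.64/26", 4))
```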
5. [15 pts] We learnt that the protocol number field of the IP header and the port numbers in the TCP or UDP header are used to demultiplex packets arriving at a host to the different processes running on it.
a. Suppose a process in Host C has a UDP socket with port number 6789. Suppose Host A and Host B each send a UDP segment to Host C with destination port number 6789. Will both of these segments be directed to the same socket at Host C? If so, how will the process at Host C know that these two segments originated from two different hosts?
Sol: Both segments will be delivered to the same socket at Host C, as a UDP socket is identified by its IP address and port number. Host C can find out the origin of each segment from the source IP address in the IP header.
b. In a home network that connects to the Internet through a NAT-enabled router, multiple hosts within the network share the same external IP address. Describe, using the following example settings, how packets arriving at the NAT router are demultiplexed and forwarded to hosts in the network. In particular, provide the six corresponding entries in the NAT translation table.
- Assume the external IP address assigned by the ISP to the NAT router is 24.34.112.235.
- Assume the network address of the home network is 192.168.1/24, and there are three hosts in the network.
- Suppose each host has two ongoing TCP connections, all to port 80 at host 128.119.40.86.
Sol: The NAT-enabled router keeps a NAT translation table. For every packet destined to the outside network, it replaces the source IP address and source port number with the WAN-side IP address (the IP address of the router) and a port number. Similarly, for a packet coming into the network, it replaces the destination IP address and port number with the LAN-side IP address and port number found in the table.
Suppose the two TCP connections at each host are assigned port numbers such as 3345 and 3346 on 192.168.1.1. The NAT router finds the first unused port numbers (4000, 4001) and assigns them to these two TCP connections, as the first two lines in the table show.
WAN side               LAN side
24.34.112.235, 4000    192.168.1.1, 3345
24.34.112.235, 4001    192.168.1.1, 3346
24.34.112.235, 4002    192.168.1.2, 3445
24.34.112.235, 4003    192.168.1.2, 3446
24.34.112.235, 4004    192.168.1.3, 3545
24.34.112.235, 4005    192.168.1.3, 3546
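The translation described in 5b as runnable code, an added example that is not part of the exam key: the six connections populate the table in the order shown above, inbound packets are demultiplexed by WAN-side port, and an inbound packet with no table entry is dropped, which is the filtering side effect of NAT. LAN-side ports are the ones the key assumes; 4000 is taken as the first unused WAN-side port.

```python
# Added example (not from the exam key): a minimal NAT translation table
# built from question 5b's settings. LAN-side ports are the ones assumed in
# the key's table; 4000 is taken as the first unused WAN-side port.
WAN_IP = "24.34.112.235"
SERVER = ("128.119.40.86", 80)
LAN_CONNS = {"192.168.1.1": (3345, 3346),
             "192.168.1.2": (3445, 3446),
             "192.168.1.3": (3545, 3546)}


class Nat:
    def __init__(self, wan_ip, first_port=4000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.to_wan = {}   # (lan_ip, lan_port) -> wan_port
        self.to_lan = {}   # wan_port -> (lan_ip, lan_port)

    def outbound(self, src, dst):
        """Rewrite the source of a LAN->WAN packet; allocate a WAN port on
        the first packet of a connection and reuse it afterwards."""
        if src not in self.to_wan:
            port = self.next_port
            self.next_port += 1
            self.to_wan[src] = port
            self.to_lan[port] = src
        return (self.wan_ip, self.to_wan[src]), dst

    def inbound(self, src, dst):
        """Demultiplex a WAN->LAN packet by its destination port. A packet
        with no table entry (unsolicited inbound traffic) is dropped."""
        if dst[0] != self.wan_ip or dst[1] not in self.to_lan:
            return None
        return src, self.to_lan[dst[1]]

    def table(self):
        """Rows of (WAN side, LAN side) in allocation order."""
        return [((self.wan_ip, p), lan) for p, lan in sorted(self.to_lan.items())]


def build_table():
    """Open the six connections of the question and return the loaded NAT."""
    nat = Nat(WAN_IP)
    for lan_ip, ports in LAN_CONNS.items():
        for port in ports:
            nat.outbound((lan_ip, port), SERVER)
    return nat


if __name__ == "__main__":
    for wan, lan in build_table().table():
        print(f"{wan[0]}, {wan[1]}   ->   {lan[0]}, {lan[1]}")
```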
6. [10 pts] Use dig to explore the hierarchy of DNS servers. Recall that a DNS server higher in the hierarchy delegates a DNS query to a DNS server lower in the hierarchy by sending back to the DNS client the name of the lower-level DNS server. Read the man page for dig, or read a tutorial or article online about dig, and then answer the following questions:
a. Starting with a root DNS server (with host name [a-m].root-servers.net, i.e., a.root-servers.net, b.root-servers.net, ..., m.root-servers.net), initiate a sequence of queries for the IP address of www.cis.fordham.edu using dig. Show the list of the names of DNS servers in the delegation chain answering your query.
Sol: The list of DNS servers in the delegation chain that answers the query is:
a.root-servers.net => c.edu-servers.net => it-dns01.fordham.edu (150.108.27.20).
The dig commands used and output excerpts are as follows:
1) dig @a.root-servers.net www.cis.fordham.edu
which returns the following servers for the .edu domain:
;; AUTHORITY SECTION:
edu.                    172800  IN      NS      a.edu-servers.net.
edu.                    172800  IN      NS      c.edu-servers.net.
edu.                    172800  IN      NS      d.edu-servers.net.
edu.                    172800  IN      NS      f.edu-servers.net.
edu.                    172800  IN      NS      g.edu-servers.net.
edu.                    172800  IN      NS      l.edu-servers.net.

;; ADDITIONAL SECTION:
a.edu-servers.net.      172800  IN      A       192.5.6.30
c.edu-servers.net.      172800  IN      A       192.26.92.30
d.edu-servers.net.      172800  IN      A       192.31.80.30
f.edu-servers.net.      172800  IN      A       192.35.51.30
g.edu-servers.net.      172800  IN      AAAA    2001:503:cc2c::2:36
g.edu-servers.net.      172800  IN      A       192.42.93.30
l.edu-servers.net.      172800  IN      A       192.41.162.30
2) dig @c.edu-servers.net www.cis.fordham.edu
;; AUTHORITY SECTION:
fordham.edu.            172800  IN      NS      it-dns01.fordham.edu.
fordham.edu.            172800  IN      NS      it-dns02.fordham.edu.

;; ADDITIONAL SECTION:
it-dns01.fordham.edu.   172800  IN      A       150.108.27.20
it-dns02.fordham.edu.   172800  IN      A       150.108.28.20
3) dig @150.108.27.20 www.cis.fordham.edu
;; QUESTION SECTION:
;www.cis.fordham.edu.                   IN      A

;; ANSWER SECTION:
www.cis.fordham.edu.    86400   IN      CNAME   trill.cis.fordham.edu.
trill.cis.fordham.edu.  86400   IN      A       150.108.68.29

;; AUTHORITY SECTION:
cis.fordham.edu.        86400   IN      NS      it-dns01.fordham.edu.
cis.fordham.edu.        86400   IN      NS      it-dns02.fordham.edu.

;; ADDITIONAL SECTION:
it-dns01.fordham.edu.   600     IN      A       150.108.27.20
it-dns02.fordham.edu.   600     IN      A       150.108.28.20
b) Repeat for www.google.com and amazon.com.
Similar to a), the list of DNS servers in the chain for www.google.com is: a.root-servers.net => a.gtld-servers.net => ns2.google.com. The final result is:
www.google.com.         604800  IN      CNAME   www.l.google.com.
www.l.google.com.       300     IN      A       173.194.73.103
www.l.google.com.       300     IN      A       173.194.73.104
www.l.google.com.       300     IN      A       173.194.73.99
www.l.google.com.       300     IN      A       173.194.73.106
www.l.google.com.       300     IN      A       173.194.73.147
www.l.google.com.       300     IN      A       173.194.73.105
The list of DNS servers for www.amazon.com is:
a.gtld-servers.net => pdns1.ultradns.net => ns-911.amazon.com.
The final result is:
;; ANSWER SECTION:
www.amazon.com.         60      IN      A       72.21.194.1
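The decision made by hand at each step of 6a and 6b, namely whether a reply is a delegation (NS names with glue addresses to query next) or the final answer, as an added example that is not part of the exam key. The two samples are re-typed from the dig excerpts above, keeping only the first two .edu servers; the parser handles any reply in dig's default record layout.

```python
# Added example (not from the exam key): parse the reply a DNS server gives
# dig and extract either the delegation or the final answer. Samples are
# re-typed from the excerpts in 6a, trimmed to two .edu servers.
import re

ROOT_REPLY = """\
;; AUTHORITY SECTION:
edu.                    172800  IN      NS      a.edu-servers.net.
edu.                    172800  IN      NS      c.edu-servers.net.

;; ADDITIONAL SECTION:
a.edu-servers.net.      172800  IN      A       192.5.6.30
c.edu-servers.net.      172800  IN      A       192.26.92.30
"""
FINAL_REPLY = """\
;; ANSWER SECTION:
www.cis.fordham.edu.    86400   IN      CNAME   trill.cis.fordham.edu.
trill.cis.fordham.edu.  86400   IN      A       150.108.68.29
"""
# owner  ttl  IN  type  rdata  (dig's default one-record-per-line layout)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_sections(text):
    """Map section name ('AUTHORITY', ...) -> list of (owner, ttl, type, rdata)."""
    sections, current = {}, None
    for line in text.splitlines():
        head = re.match(r";; (\w+) SECTION:", line)
        if head:
            current = head.group(1)
            sections[current] = []
            continue
        rr = RR.match(line.strip())
        if current and rr:
            sections[current].append(rr.groups())
    return sections


def referral(text):
    """NS names from AUTHORITY paired with their glue A/AAAA records from
    ADDITIONAL; empty when the reply is an answer rather than a delegation."""
    s = parse_sections(text)
    glue = {r[3]: [] for r in s.get("AUTHORITY", []) if r[2] == "NS"}
    for owner, _ttl, rtype, rdata in s.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA") and owner in glue:
            glue[owner].append(rdata)
    return glue


def final_addresses(text):
    """A/AAAA records in ANSWER; a CNAME in the same reply is already followed."""
    return [r[3] for r in parse_sections(text).get("ANSWER", [])
            if r[2] in ("A", "AAAA")]
```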
7. [10 pts] Read RFC 5321 for SMTP.
a. Would you be able to tell where an email is sent from (i.e., the IP address of the host where the email was originally sent)? The Thunderbird mail client reportedly adds the host that initiates the email to the mail header. Check whether that's the case for the mail client you use; if so, find out whether you can disable this.
Sol:
I sent an email from my fordham.edu email account to my storm email account. On storm, I used the command alpine to read the email and pressed h to see all headers of the email. The related header fields are copied as follows:
Return-Path: <xzhang@fordham.edu>
Received: from FIRE-SMTP02.fire.fordham.edu (fire-smtp02.ds.fordham.edu
[150.108.2.141])
by storm.cis.fordham.edu (8.14.5/8.14.5) with ESMTP id q31E5tcI011070
for <zhang@cis.fordham.edu>; Sun, 1 Apr 2012 10:05:55 -0400
It shows that the email was delivered by the SMTP server FIRE-SMTP02.fire.fordham.edu to storm.cis.fordham.edu. There is no information about which host the email was originally sent from.
Then I sent an email from my storm account to my gmail account. In gmail, I chose "Show original" from the drop-down menu to view all email headers. The following is an excerpt from the mail header:
Received: from storm.cis.fordham.edu (localhost.localdomain [127.0.0.1])
by storm.cis.fordham.edu (8.14.5/8.14.5) with ESMTP id q31EDu6b011312
for <xlzhangyx@gmail.com>; Sun, 1 Apr 2012 10:13:56 -0400
Received: from localhost (zhang@localhost)
by storm.cis.fordham.edu (8.14.5/8.14.5/Submit) with ESMTP id q31EDtOe011308
for <xlzhangyx@gmail.com>; Sun, 1 Apr 2012 10:13:56 -0400
The first line shows that the email was sent from the local host (notice that 127.0.0.1
is the loopback interface), i.e., the mail reader (alpine) running on storm submitted
the email to the SMTP server running on the same machine for it to forward the email.
b. Read this article about email headers. From your email account, pick a spam email that you received recently, examine the headers of the email, and make a calculated guess about the malicious host that generated this spam email.
Sol: From the headers of the following email, we can tell that the email was sent by someone from www9.redblueamber.com (see the second line below). The SMTP server running on storm had already performed a reverse DNS lookup on the IP address of the sending SMTP server to find its domain name.
Return-Path: <refurbishedcomputers@www9.redblueamber.com>
Received: from www9.redblueamber.com (www9.redblueamber.com [63.141.48.253])
by storm.cis.fordham.edu (8.14.5/8.14.5) with ESMTP id q2THE9uA021542
for <zhang@cis.fordham.edu>; Thu, 29 Mar 2012 13:14:10 -0400
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=3117; s=selector;
t=1333030087; c=relaxed/simple;
h=From:To:Subject;
d=www9.redblueamber.com;
z=From:=20refurbishedcomputers=20<refurbishedcomputers@www9.redblueamber
.com>
|To:=20<zhang@cis.fordham.edu>
|Subject:=20Refurbished=20computers.=20High=20quality.=20Low=20price.;
bh=AgUz4IGSkzC4CXhi3iB11TOqMpA=;
b=EcJmTuEqHSgddHjwBgtprt/Fvrm2tsVFeEXwumDOn3HsOZWHa3XfHKHuB2zdE
YZq
To: <zhang@cis.fordham.edu>
Date: Thu, 29 Mar 2012 10:08:07 -0800
Message-ID: <f04a4197e3d5dcf1caee8c7d17a87d55@www9.redblueamber.com>
X-www9.redblueamber.com-MsgID:
<f04a4197e3d5dcf1caee8c7d17a87d55@www9.redblueamber.com>
MIME-Version: 1.0
From: refurbishedcomputers <refurbishedcomputers@www9.redblueamber.com>
Subject: Refurbished computers. High quality. Low price.
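The reading done by eye in 7a and 7b, pulling the sending host out of sendmail-style Received: headers, as an added example that is not part of the exam key. SPAM and LOCAL are re-typed from the headers quoted above; FORGED is a constructed sample (RFC 5737 test address) showing the check an analyst makes first: whether the name the sender announced matches the reverse-DNS name the receiving server recorded.

```python
# Added example (not from the exam key). SPAM and LOCAL are re-typed from the
# headers quoted in 7a/7b; FORGED is constructed (RFC 5737 address) to show a
# sender whose announced name does not match its reverse DNS.
import re

SPAM = """\
Return-Path: <refurbishedcomputers@www9.redblueamber.com>
Received: from www9.redblueamber.com (www9.redblueamber.com [63.141.48.253])
\tby storm.cis.fordham.edu (8.14.5/8.14.5) with ESMTP id q2THE9uA021542
"""
LOCAL = """\
Received: from storm.cis.fordham.edu (localhost.localdomain [127.0.0.1])
\tby storm.cis.fordham.edu (8.14.5/8.14.5) with ESMTP id q31EDu6b011312
Received: from localhost (zhang@localhost)
\tby storm.cis.fordham.edu (8.14.5/8.14.5/Submit) with ESMTP id q31EDtOe011308
"""
FORGED = """\
Received: from mail.example.com (unknown [198.51.100.7])
\tby storm.cis.fordham.edu (8.14.5/8.14.5) with ESMTP id constructed0001
"""
# from <HELO name> (<user@>?<reverse DNS> [<IP>]) by <receiving server>
HOP = re.compile(r"^Received: from (\S+)"
                 r"(?: \((?:(\S+@)?([^\s\[\]()]+))?\s*(?:\[([^\]]+)\])?\))?"
                 r" by (\S+)")


def unfold(headers):
    """Join RFC 5322 continuation lines (leading whitespace) onto their field."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def hops(headers):
    """Each Received: field as (helo_name, reverse_dns, ip, received_by)."""
    found = [HOP.match(h) for h in unfold(headers)]
    return [(m.group(1), m.group(3), m.group(4), m.group(5)) for m in found if m]


def origin(headers):
    """Earliest hop: the last Received: field, since each relay prepends its own."""
    return hops(headers)[-1]


def helo_mismatch(hop):
    """True when the name the sender announced differs from the reverse-DNS
    name the receiving server recorded: a routine check on suspect mail."""
    helo, rdns, _ip, _by = hop
    return rdns is not None and helo.lower() != rdns.lower()
```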
c. Perform a reverse DNS lookup using nslookup or dig to find out the domain name associated with the malicious host.
Sol:
I used the command whois to find out who owns the above domain name:
whois redblueamber.com
[Querying whois.verisign-grs.com]
[Redirected to whois.enom.com]
[Querying whois.enom.com]
[whois.enom.com]
=-=-=-=
Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Domain name: redblueamber.com
Registrant Contact:
WhoisGuard
WhoisGuard Protected ()
Fax:
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
Administrative Contact:
WhoisGuard
WhoisGuard Protected
(7fb75b415a73401ba928032836a96c58.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
Technical Contact:
WhoisGuard
WhoisGuard Protected
(7fb75b415a73401ba928032836a96c58.protect@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
Status: Locked
Name Servers:
NS1.redblueamber.com
NS2.redblueamber.com
Creation date: 31 May 2011 18:00:00
Expiration date: 31 May 2012 13:00:00