Network Security - Introduction and Fundamentals
Notarization
A service where some form of third party offers assurance of a certain data property.
What do session keys in CCMP accomplish?
They implicitly authenticate the STA and the AS, which guards against eavesdropping, man-in-the-middle, forgery, replay and dictionary attacks.
Encapsulation protocols
Protocols that, simply explained, take information from a higher layer and add a header to it, treating the higher layer information as data. Encapsulated (tunneled) packets are not touched by intermediate routers.
What is the difference between NAPT, NAT and PAT?
They are all address translations. NAT translates one network address to another, PAT translates from one port to another, and NAPT is the combination of both.
How are IP multicast addresses managed on 802.x networks?
They are mapped to a MAC multicast address.
How do most enterprises structure the switches and bridges used in their network?
They are structured in a tree-like or mesh-like topology.
SDN
Software-defined networks seek to virtualize the network architecture by separating the control and data planes, ideally centralizing control and minimizing the intelligence in the fast data plane.
What is the difference between solicited ARP entries and unsolicited ARP entries?
Solicited entries are normally cached for longer and are addresses received in the response to a resolution request. Unsolicited entries are scavenged addresses, i.e. addresses acquired opportunistically by observing the MAC/IP of the sender of resolution requests.
Is there any additional privacy one can add to GSM handsets?
Some additional privacy protection is offered by the optional use of a temporary subscriber identity, which avoids broadcasting the permanent identifier (IMSI).
Source Quench
Source Quench is an ICMP-based mechanism used by network devices to inform the sender that packets cannot be forwarded due to buffer overload; basically, it slows down a sender's traffic. It is a rarely used mechanism and can easily be spoofed. Source quench messages need not always be honoured, especially since many networks aggressively filter out ICMP messages.
Give examples of topologies used to minimize packet duplication in IGMP
Spanning tree, (truncated) reverse path broadcasting and core-based trees
Is it more difficult to spoof IP packets or a TCP session?
Spoofing TCP sessions is more difficult than spoofing IP packets, especially if good (unpredictable) sequence numbers are used and the attacker cannot see the entire communication (i.e. the attacker does not sit between the sender and the receiver).
What is the difference between multicast, unicast and broadcast addresses?
A unicast address identifies a single host uniquely. A broadcast address sends the message to everyone in the network, while a multicast address sends messages to those in the network that are subscribed; multicast membership needs to be managed by other protocols.
Event Detection
Services that identify events, and patterns in events, with some security significance, for instance to detect malicious traffic. Used for instance in intrusion detection.
What is layer 7 in the OSI Reference Model called? What happens at this layer?
The application layer handles communication at the level of application tasks. The job of the application layer is to offer protocols for exchanging messages between a client and a server. Typical protocols are HTTP, DNS and SMTP.
What is LLC and MAC?
The data link layer is often divided into two sub-layers; LLC (logical link control) and MAC (media access control). LLC multiplexes (multiple analog/digital signals are combined into one over a shared medium ) protocols running at the top of the data link layer, and optionally provides flow control, acknowledgment, and error notification. MAC determines who is allowed to access the media at any one time (e.g. CSMA/CD). Or it refers to a frame structure delivered based on MAC addresses. MAC also performs frame synchronization, which determines the start and end of each frame of data in the transmission bitstream.
Name one of the reasons why IPv6 came to life
The exhaustion of the IPv4 address space and concerns about routing table efficiency led to a redesign and expansion of the IP protocol (IPv6).
What is the maximum size of an IP packet?
The maximum size of an IP packet is 65535 bytes, which includes the IP header. However, lower-layer transports such as Ethernet may have a lower bound, which means that IP must be able to fragment and reassemble packets so that the information can be forwarded in a form the lower layers are able to handle. IP packets therefore have fragmentation fields within the header which allow one to keep track of the different fragments of one IP packet.
What is usually the objective of spoofing TCP connections?
The objective is usually to hijack an existing connection, known as session hijacking, e.g. to insert commands after authentication.
In what ways does ARP try to be efficient?
* Hosts "scavenge" the MAC address of the sender of a request * A host recognising its own address will send a unicast reply back to the original sender to resolve the address; this is then cached by the recipient
Name key differences between IPv6 and IPv4
* Larger address space in IPv6 (IPv6: 128 bit, IPv4: 32 bit) * IPv6 facilitates aggregation, hence efficient backbone routing * More efficient header structure in IPv6: no option field, as it is replaced by the extension header mechanism; no header checksum, as it is sufficiently covered on other layers; no fragmentation at intermediate nodes (routers) * IPv6 has integrated stateless address autoconfiguration, which removes the need for additional protocols * IPv6 has mandatory support for IPSec, which is realised as an extension header * Mobility support in IPv6 (maintains session continuity when changing point of attachment) * The extension header mechanism allows specification of extension headers to be processed at intermediate or only at terminal hops * Instead of the widely ignored ToS field, IPv6 uses an 8-bit traffic class field in conjunction with a flow label field; this can be used to differentiate or prioritise traffic * Flow labels can serve a similar role; together with source and destination address, they can identify related packets so routers may treat such flows differently (e.g. quality of service)
Name some spoofing countermeasures
* Network operators and service providers have the means to determine and filter out traffic that obviously cannot come from a given source, based on network topology * ISPs should perform ingress filtering on edge routers, i.e. check that the source IP of all packets originating from hosts "south" of the edge router matches the prefix range served by the router (relying on BCP 38). BCP 38 is not mandatory, and does not stop e.g. a botnet from sourcing packets from hosts that legitimately hold desirable IPs.
Name some security issues with WEP
* WEP only authenticated clients, not access points. This means that a rogue access point would be impossible to detect * WEP used a shared key. This is unfortunate, as the use of a shared key implies that everyone who knows the key can decrypt and observe the frames belonging to other users in clear text * WEP relied on the RC4 stream cipher. The cipher is started with an IV and the shared key, and the IV is sent in plain text. If two items are encrypted under the same RC4 key stream byte, plaintext can be recovered.
What are some examples of standardisation attempts that have been made to provide QoS services directly in the IP context? Are these adequate?
* Parameterized communication with the network infrastructure. Examples of protocols include RSVP, RSVP-TE and NSIS. * Prioritisation of traffic, which requires universal cooperation and is part of the IP packet header. Most approaches have been found to be inadequate for general deployment, resulting in more coarse-grained QoS provisioning where SLAs can be enforced by network infrastructure.
What are the 8 threat categories identified by the ENISA threat taxonomy? Explain what each category entails briefly
* Physical attack: attacks that use physical manipulation of, or access to, media and/or devices * Unintentional damage: e.g. leakage of information or confidentiality breaches that occur as a result of human error * Disaster: fires, floods, lightning strikes that damage devices and may result in loss of data etc. * Malfunction: hardware failures, power faults, RF interference * Outages: key staff absence, network infrastructure faults * Interception: data being communicated or at rest is intercepted (an attacker retrieves a copy of the data being transmitted) * Abuse: an attacker abuses the information system, e.g. by introducing malware to the system or through social engineering * Legal: e.g. failure to comply with legal or regulatory requirements
5G Security Enhancements
* 5G relies routinely on TLS, which also allows certificates for endpoints incl. IoT devices * Enables user plane traffic integrity protection * The 5G SUPI is protected with asymmetric cryptographic primitives * Home control allows the network to verify device locations to avoid spoofing/false signalling attacks leading to interception * Allows "unified authentication" across 3GPP (i.e. 5G) and non-3GPP (e.g. 802.11) devices, supporting 5G AKA as well as EAP-AKA * Protection against downgrade attacks: 5G endpoints can force the use of supported technology, so that network downgrades (to 4G etc.) can be forbidden selectively
What did the 802.11i standard aim to accomplish?
1) Prevent unprotected packets from being sent or received 2) Provide message origin authentication 3) Offer packet sequencing (detecting replay attacks) 4) Avoid re-keying requirements by using 48-bit packet sequence number 5) Protect source and destination addresses 6) Use sound encryption for confidentiality and integrity (AES-CCM or OCB are required)
Explain the EAP message exchange flow between the STA, the AP and the AS.
1) STA sends EAPOL-Start to AP 2) AP sends EAP-Request/Identity to STA 3) STA responds with EAP-Response/Identity to AP 4) AP sends (RADIUS) Access-Request to AS (RADIUS server/AAA) 5) AS sends Access-Challenge to AP 6) AP forwards the Access-Challenge as EAP-Request/Auth to STA 7) STA responds with an EAP-Response/Auth as a means of authenticating itself 8) AP forwards the STA's auth response as an Access-Request to the AS 9) AS responds with either an Access-Accept or an Access-Reject to the AP 10) Depending on accept/reject from the AS, the AP sends EAP-Success or EAP-Failure to the STA
What is the TCP three-way handshake?
1. A sends SYN to B 2. B sends SYN-ACK to A 3. A sends ACK to B
Name the four timers that the TCP protocol uses.
1. Connection establishment - timer used to wait for an ACK after sending a SYN or a SYN-ACK packet. When the timer runs out, the connection attempt is dropped 2. FIN_WAIT_2 - tied to FIN. Used to wait for a FIN packet after the transition from FIN_WAIT_1 to FIN_WAIT_2, and expires if no FIN is received 3. TIME_WAIT - used to determine when a connection can be purged after close 4. Keepalive - used to schedule periodic "heartbeat" messages
How does the spanning tree protocol work?
1. Each bridge calculates the path to the root bridge 2. A cost is assigned to each port on each bridge, and to a transmission onto the network connected to that port 3. If multiple ports are possible and face the root node, choose the one with the lowest cost
In what two relatively easy ways can one perform a DoS attack against WiFi / 802.11?
1. Jamming. Sending signals on a frequency over the spectrum that interfere with the legitimate signals is relatively easy and cheap. 2. Monopolising the network / abusing the RTS/CTS protocol. When fake RTS frames are sent, the access point will send a multitude of CTS frames, blocking the other nodes from sending. The attacker does not respect the contention protocol (which demands that all nodes wait until the medium is suspected to be free before sending an RTS frame, and after a failed attempt, wait a certain time period before attempting again). This makes the other nodes wait for longer and longer periods, and the network is blocked.
Name two shared-medium Ethernet variants that are long obsolete. What are the main issues with these?
10Base2 and 10BaseT over twisted pair (repurposed POTS cabling). 10Base2 network modifications led to temporary interruptions of the shared bus. 10BaseT relied on a dumb hub with nodes in a star topology and possible uplinks; if the hub fails, all connected devices lose network access. One advantage of this variant is that it was possible to use switching hubs, thus making it harder to sniff network traffic.
How many bits do IPv4 addresses consist of? And how are such addresses divided?
32-bit addresses, normally shown as 4 octets. Addresses can be grouped into classes or by masks, but historically they were divided into a network prefix and a host number, where the network prefix is the same for all hosts within the same IP network and the host number differs.
3G and its security
3G (UMTS) networks were optimized for mobile data and are extensible. The UMTS security architecture is also far more mature and removes a number of weaknesses in the GSM design. It provides mutual authentication, data integrity and network-to-network security. Encryption mechanisms use somewhat stronger ciphers and longer keys. * Mutual authentication: mobile equipment authenticates base stations, to protect against IMSI catchers * Data integrity: integrity checks, particularly for some signalling messages, also protecting against false base stations * Network-to-network security: optional security between serving networks, incl. IPSec
What is a BSS?
A BSS is a Basic Service Set. This is the foundation of a wireless local network in infrastructure mode. A BSS consists of an AP and all the nodes connected to that AP. All BSSs are part of an ESS, even if there is only one BSS. All APs within an ESS must be connected via a common infrastructure, which is commonly Ethernet.
What is the problem with Soft AP?
A Soft AP is a technology where a client can operate as an AP simultaneously, making it easier for an attacker to set up rogue access points.
Throughput
A measure of how many units of information a system can process in a given amount of time
Which IEEE 802.11 mode of operation is commonly used?
A more common IEEE 802.11 communication structure than ad-hoc mode is infrastructure mode. This is a structured setup where Access Points (APs) provide access to a (fixed) backbone or other structured network. The combination of an AP and hosts is referred to as a BSS (Basic Service Set). One can further combine multiple BSS into an ESS (Extended Service Set) which allows roaming of nodes among the APs. This does however require one to use a handoff protocol (Inter-Access Point Protocol).
Hubs
A node that broadcasts data to every computer or Ethernet-based device connected to it. A deprecated, less sophisticated predecessor of the switch.
What does QoS concern in the context of analogue telephony?
A number of parameters such as frequency response, signal-to-noise level, interruptions or crosstalk. All of these play a part in the performance of the service.
What is the difference between a rogue AP, bridged APs and MAC cloning?
A rogue AP is simply an AP in the network that should not be there, either added by someone who did not know what they were doing, or by an attacker. A bridged AP is an AP that clients connect to, which then forwards the requests to another, legitimate AP. This can be used by an attacker to create a malicious AP.
How was collision handling implemented on the original Ethernet?
A station would have access to all other stations listening on the (yellow) coaxial line. A station would transmit on an apparently free line, and then listen for collisions. If there was a collision, the station would wait a random interval and retransmit.
What is a common problem in wireless networks in terms of the channel access problem?
A transmitter A may not be able to detect that its signal at the recipient B is suffering from interference by another transmitter C (a hidden terminal) that is in range of B but not of A.
Name a collision detection difficulty
A transmitter does not know if the signal of interest has sufficient quality at the receiver. This means that it would potentially be hard for the transmitter to determine whether a collision has occurred at the receiver.
What is ARP?
ARP (Address Resolution Protocol) is a protocol which allows one to tie link layer addresses to IP addresses. ARP maintains a table of IP to link layer address bindings on each node (each machine). If an IP is not in the table, the machine must broadcast a request for resolution. The target machine (or another machine which has knowledge of this IP) can then respond with the matching link layer address.
What requirements must be met in order for clients to be able to roam between the BSSs?
All APs must be in the same broadcast domain. If they are not, clients will lose connectivity as they are no longer in the same IP network. Further, all APs in the same ESS must have the same ESSID. There are also some configuration parameters that must be equal, e.g. security settings.
What do all modern Ethernet deployments have in common regardless of the medium?
All modern Ethernet deployments are switched. This means that all Ethernet deployments rely on topologies with intelligent switches. These switches learn associations of ports with the MAC addresses of the endpoints, and store these associations in a forwarding table. This implies that during the learning phase, a switch must act as a hub and flood frames for unknown MAC associations.
What is used to identify an ESS?
An ESSID (the name of the network). Can also be called SSID.
What does an ISP owning a CIDR block have to advertise to the routing system in order for it to know where to send a packet?
An ISP owning a CIDR block only needs to advertise its own higher-level prefix to the routing system. This allows for aggregation of routing table entries. Routers then use the longest prefix match to determine the correct next hop for a packet.
Birthday paradox in TCP session hijacking
An attacker may not need to compromise a particular connection, but may just need to compromise one of many connections active for a given victim system. This invokes the birthday paradox: the probability of two numbers having the same value is p = k(k-1)·t / 2 for a spoofing set of size k, where t is the probability that a number in the spoofing set has a given value.
What is an evil twin?
An evil twin is a fraudulent access point set up by an attacker in order to get users to connect to it instead of a legitimate access point and give up sensitive
1G
Analogue radio systems from the 1960s onwards. They did not always offer location transparency, i.e. the use of names to identify network resources rather than their actual location. Later 1G systems did offer location transparency and also used digital signalling for control channels, e.g. NMT. Communication used frequency division multiple access with voice communication over FM, which is trivial to intercept with another radio.
Trusted Functionality
Components or functions automatically assumed (based on policy) to be trustworthy
What are some key issues relating to telecommunication?
Dealing with synchronisation, transmission errors, collisions and flow control
What layers does the OSI Reference Model consist of? How do the layers communicate with each other?
Application layer, Presentation layer, Session layer, Transport layer, Network layer, Data Link layer, Physical layer. Each layer has well-defined roles and only communicates directly with the layers immediately above and below it.
At what layer is security applied?
Any and every layer. Security is defined separately from the OSI layers and can be applied at multiple layers. Instead, generic security terms are defined (e.g. authentication, non-repudiation) that are implemented differently at the different layers.
Data Integrity
Assures that information and programs are changed only in a specific and authorized manner.
Peer Entity Authentication
Authentication with the purpose of "providing confidence" in the integrity of the identity of a connected entity.
Data origin Authentication
Authentication with the purpose of maintaining the integrity of the source identity of some data, after either a connectionless transfer or after a connection has terminated.
Cellular networks
Base stations communicate with handsets (or any other device) in the assigned spectrum. Different base stations will use the same spectrum; the service area for a base station is called a cell. Generally speaking, devices will be served by the base station with the best signal quality, with handoff when the terminal moves.
What is the consequence of IP being an unreliable, connectionless best effort service?
Because IP is unreliable and connectionless, layers above the network layer have to deal with packet loss, duplication and packets arriving out of sequence. This is because IP has no measures for giving packets sequence numbers, sending/receiving receipts etc.
Broadcast storm
A bridge forwards a broadcast frame in a tree-like network that contains a loop; the frame circulates and is therefore amplified, because it is a broadcast.
Designated bridge
The bridge with the lowest cost to transmit to the root bridge. There can be only one designated bridge.
In the spanning tree protocol, how is the root bridge identified?
The bridge with the lowest bridge ID.
4G LTE and 5G
Builds on the UMTS network and security architecture, but relies on IP networks. There is no single 4G standard, hence a number of approaches incl. HSPA+ and LTE are grouped together, with LTE hewing closer to UMTS. The access network facing mobile equipment is largely unchanged, but separates control and user plane more cleanly, offering both higher performance and some security benefits. A key difference to UMTS is that the core network in LTE is IP-based, also requiring different approaches for control and user plane security. Control plane signalling is integrity- and confidentiality-protected, but this is optional for user data; IPSec can be used for end-to-end security provisioning.
In infrastructure mode, APs will periodically send out beacon signals. What does this accomplish?
By periodically sending out beacon signals, one allows nodes to identify APs or even switch to an AP with better response in a given ESS via a reassociation request. The beacon and (re-)association requests are examples of MAC management frames.
How are CIDR blocks delegated?
CIDR blocks are delegated hierarchically from the IANA towards RIRs. Delegation can then occur down to ISPs and individual customers.
How are CIDR blocks identified?
CIDR blocks are identified by 4-octet notation with a slash indicating the prefix length, e.g. 10.0.0.32/27
CSMA/CD
Carrier sense multiple access with collision detection. A protocol to regulate access to a shared medium so that only one node uses it at a time.
What three main network topologies exist?
Centralized, decentralized and distributed
Bridge
Connects Layer 2 networks with each other, by extracting MAC addresses from a frame and forwarding it according to a destination table it holds.
Audit trail
Data collected in order to perform some security audit.
What is CCMP designed for and what two services does it provide?
Designed for newer IEEE 802.11 devices that are equipped with the hardware to support this scheme. It provides two services: * Message integrity: CCMP uses the cipher block chaining message authentication code (CBC-MAC) to compute a MIC over the plaintext header, the length of the plaintext header and the payload. * Data confidentiality: CCMP uses the CTR block cipher mode of operation with AES for encryption. It encrypts the payload with CTR, and the MIC is encrypted with counter = 0. The same 128-bit AES key is used for both integrity and confidentiality.
What was TKIP designed for and what two services does it provide?
Designed to require only software changes to devices that implement the older WLAN security approach, namely WEP. TKIP provides two services: * Message integrity: TKIP adds a message integrity code (MIC) to the 802.11 MAC frame after the data field. The MIC is generated by the Michael algorithm, which computes a 64-bit value. The algorithm takes the source and destination MAC addresses, the data field and key material as input. * Data confidentiality: provided by encrypting the MPDU plus the MIC value using RC4.
When were national networks allowing effective relaying invented? And what were they based on?
Devised in the 19th century. They were first based on optical (semaphore) signalling, and later on the electrical telegraph (radio).
What three rules for ICMP generation exist to prevent flooding of packets?
Do not create an ICMP packet in response to: 1. another ICMP packet; 2. a multicast or broadcast packet, on either the link layer or the network layer; in addition, 3. anything whose cause did not stem from a unique host, such as a broadcast address.
What is a mrouter in the context of IGMP?
Each network has one querier, and all routers begin as queriers. Queriers elect an mrouter among themselves (the one with the lowest numerical IP address). An mrouter (multicast router) sorts through the two types of packets, multicast and unicast. The mrouter then decides the distribution of the data to its intended destinations on the multicast network.
0G
Early (late 1940s) radio systems offering only half-duplex communication (data can be transmitted in both directions, but not at the same time), similar to "manual" radios used by e.g. the military.
What is the 802.1x back-end provided by? What is required for mutual authentication?
Either RADIUS, which is somewhat problematic as it relies on a shared key between the AS and the APs, or EAP-TLS, which is effectively a TLS handshake over EAP and requires the AS certificate to be verifiable on the STA. For mutual authentication, a STA certificate is also required.
What kind of traffic did the early traffic in ARPA mostly consist of?
Email (75%)
Fairness measure
Fairness measures or metrics are used in network engineering to determine whether users or applications are receiving a fair share of system resources.
How is routing done on a network (in simple steps)?
First, determine whether the IP is directly reachable. If not, check whether a static route is defined for this specific address or prefix. If not, send the packet to the default router.
For 802.3, what is the link layer address?
For 802.3 and others, the layer 2 address is a MAC address (48 bit, notionally unique). Each host can have multiple hardware interfaces, thus multiple MAC addresses. MAC addresses are not an authenticator and can be spoofed easily.
Cellular networks rely on radio frequency networks across a number of different frequency bands. What decides/affects which band they operate on? What are some typical bands?
Frequency bands depend on regulations and licensing in each country. Typically in the 850, 900, 1800 and 1900 MHz bands.
What is frequency response in the context of analogue telephony?
Frequency response is a measure of whether and how well a particular audio component reproduces all audible frequencies, and whether it makes any changes to the signal on the way through.
Give examples of encapsulation protocols
GRE (generic routing encapsulation), PPTP (point-to-point tunneling protocol), L2TP (Layer 2 tunneling protocol), TLS, SSH
GSM interception
GSM ME (mobile equipment) will seek out the base station with the highest signal strength. This can be abused by deploying fake base stations, relying on the fact that a GSM node does not verify the identity of the mobile network BTS it is connecting to. The fake base station (IMSI catcher) can relay regular communication, but is free to e.g. force a downgrade or disablement of ciphers.
GSM
GSM provides weak-ish confidentiality protection for the path between handset and BSS, as the focus of the architecture was on authentication (revenue protection). Handsets, or mobile stations, are identified by the IMEI, and subscribers are identified via a SIM. The SIM (Subscriber Identity Module) card holds the data which gives the user an identity toward the network, including a number called the IMSI (International Mobile Subscriber Identity). Because the IMSI is held on the SIM card, a mobile user can simply change handsets by moving the SIM from one to another.
How can malware get around a NAT barrier?
Hole punching.
Explain the fragmentation buffer attack
Hosts keep a limited buffer for fragments, because having many pending reassemblies is unusual. This means that hosts may run out of buffer space. One can e.g. provoke this by deliberately leaving out fragments.
Routing control
How routes are selected based on some security criterion, for instance changing routes if a breach in the network is suspected.
What is IEEE 802.11?
IEEE 802.11, or simply WiFi, is a series of specifications for media access control (MAC) and physical layer (PHY) local area networks (LAN).
What is IGMP and how does it work?
IGMP is a protocol layered on IP used by routers to learn about multicast group membership. Computers and other devices connected to a network use IGMP when they want to join a multicast group. A router that supports IGMP listens to IGMP transmissions from devices in order to figure out which devices belong to which multicast groups. IGMP uses IP addresses that are set aside for multicasting. Multicast IP addresses are in the range between 224.0.0.0 and 239.255.255.255. Each multicast group shares one of these IP addresses. When a router receives a series of packets directed at the shared IP address, it will duplicate those packets, sending copies to all members of the multicast group. IGMP multicast groups can change at any time. A device can send an IGMP "join group" or "leave group" message at any point. IGMP works directly on top of the Internet Protocol (IP). Each IGMP packet has both an IGMP header and an IP header.
Which versions of the IP protocol family are currently deployed?
IPv4 and IPv6
How can address translation mitigate the problem of the growing scarcity of IP addresses?
ISPs can use NAT to group IP addresses together, so they do not need one global IP address per router.
What is a BSS and NSS in the context of cellular networks?
If one wants additional features in a 2G network, one needs a more complex network architecture that distinguishes multiple layers from the handset to the base station subsystem (BSS - base stations and controllers) and the network and switching subsystem (NSS). The NSS contains the mobile switching centre (MSC), which routes incoming and outgoing calls to the PSTN, and also provides the HLR to identify subscribers and control network admission.
When is IP fragmentation needed? What are the disadvantages of it?
If the maximum transmission unit (MTU) of an underlying PHY/MAC layer is less than the packet size, IP must fragment packets. The IP header always contains an identifier field; if a datagram is fragmented, all but the last fragment will have the MF (more fragments) flag set. The disadvantages: * Fragmentation affects performance and reliability considerably. A lost fragment requires retransmission of the entire datagram, because no explicit recovery mechanism exists for lost fragments. * Packets can traverse different PHY/MAC layers with different MTUs, meaning that re-fragmentation might be needed, causing even more issues in terms of performance and reliability.
How is the communication structure in the IEEE 802.11 ad-hoc mode?
In ad-hoc mode, all nodes are treated equally.
How do nodes in IEEE 802.11 wireless infrastructure network operating in ad-hoc mode communicate?
In ad-hoc mode, nodes are initially only able to communicate with immediate neighbours. Otherwise, separate routing protocols are required.
Do applications need to be aware of running over IPv6 instead of IPv4?
In many cases, applications do not need to be aware that they are running over IPv6. This is because translation stacks permit both legacy applications and communication between IPv4 and IPv6 hosts. A common mechanism allowing e.g. an IPv6 host to communicate with an IPv4 server is a form of Network Address Translation (NAT64). Similar translations are also required for Domain Name Service (DNS) in the form of DNS64.
When is 802.11 not favorable to use?
In networks where energy consumption is a concern.
Security Audit
Independent external review of records and activity to assess the security of something.
Explain the overlapping fragments attack
It is a form of Denial of Service (DoS) attack where the attacker overloads a network by exploiting datagram fragmentation mechanisms. There does not exist any explicit mechanism for forcing ordering or disjoint fragments. This means that fragments can arrive in any order or repeat, hence overwriting of earlier fragments can occur. E.g. the attacker sends out fraudulent packets larger than the MTU can handle; these packets are forgeries and in some cases cannot be reassembled by the receiving network, leading to network overload and a denial of service condition.
What does the ICMP header consist of?
It consists of a type field and a code field, as well as a checksum and an optional payload.
What do Options in the IP header do?
They are additional fields one can add: 26 are recognized by IANA in addition to experimental fields.
What is the exponential backoff algorithm and why is it necessary?
It is an algorithm that chooses a new random countdown period in relation to CSMA/CA. It is needed because the hidden terminal problem persists so collisions will occur.
How is an ICMP packet structured?
It is layered on top of an IP packet; i.e. it consists of an IP packet with its IP header, plus an ICMP header.
Why is it trivial to network sniff on a shared medium that is not using a switch (switching hubs)?
It is trivial to network sniff on a shared medium not using switches because any station on a shared medium would be able to observe all traffic on the segment. This means that one could simply connect to any station using a physical cable and observe the traffic.
How does address translation work?
It keeps track of outbound addresses and the ports/addresses it has assigned from its pool to the inner nodes.
What are the requirements of a good wifi jammer?
It needs to be able to send interference on several frequencies at a time. Due to the usage of direct sequence spread spectrum, interfering on only one frequency will not destroy the signal. In order to send interference on several frequency ranges, the jammer needs to have multiple antennas.
What is the problem with organizing a switched network in a tree/mesh-like structure?
It opens up for the possibility of messages ending up in loops.
What is layer 1 in the OSI Reference model? What communication happens at this layer?
Layer 1 of the OSI Reference model is the physical layer. This layer handles physical interfaces and electrical/optical specifications. This means that the physical layer is responsible for the communication of the unstructured raw data streams over a physical medium.
What is layer 2 in the OSI Reference model? What happens at this layer?
Layer 2 of the OSI Reference Model is the data link layer. Here, signals (or bits) from the physical layer are grouped into so-called Frames or Packets.
What happens at the network layer (layer 3)?
Layer 3 deals with addressing and transmitting (routing) data end-to-end, also including traffic management and error handling. In other words, the network layer uses network addresses, typically IP addresses, to route packets to a destination node. The most important protocols at this layer are IP and ICMP.
What layer is the transport layer? What happens here?
Layer 4, the transport layer, specifies several classes of end-to-end transport. Among these are connectionless (UDP) and connection-oriented (TCP). TCP guarantees delivery of packets, while UDP does not.
What layer is the presentation layer at? What does this layer provide?
Layer 6, the presentation layer, provides encoding and decoding of data types for the application layer. It may also be used for encryption.
In computer networks, there are some things which the network must guarantee to ensure that it obtains its quality of service. What are these things and what tools can be used to achieve this?
Low-level performance parameters that must be guaranteed by a network include bit rate, delay, jitter, and error rates (packet loss and bit error rates). One can use tools such as reservation of capacity and prioritisation of data flows to achieve this.
In the context of the OSI Reference model, where is QoS sensitive IP traffic prioritized?
Lower layers, such as the data link layer.
How is flow control in TCP managed?
Managed by the window field in the TCP segment. It lets the sender know how much free buffer space is left.
Security Labelling
Marking of resources such as PDUs, designating security attributes
MAC
Media Access Control is a sublayer of the data link layer that controls the technology-specific tasks (tasks that differ if the medium is Wi-Fi, Ethernet or optical) at the data link layer. In contrast, the other sublayer (the LLC sublayer) handles tasks that are technology independent.
Shared medium
Medium or channel of communication that serves multiple users at once (for instance Wi-Fi or Ethernet).
Direct sequence spread spectrum
Method to transmit radio signals that are somewhat robust to interference. It operates by spreading the signal over a larger spectrum so interference in one channel has less impact on the signal.
What problems must routing protocols that allow nodes to communicate with others than their immediate neighbours deal with?
Mobility of nodes and intermediate nodes along the routes becoming unavailable
Traffic Padding
Modification of the payload traffic between two nodes to hinder the possibility of extracting information about the communication and/or the content of the messages; this is a separate concept to encryption and does not take into account any encryption on the information
What does most QoS mechanisms assume about the network infrastructure? In what domains is this not necessarily the case?
Most QoS mechanisms assume that the network infrastructure itself is sufficiently overprovisioned so that it can prioritise or offer the requisite capacity; it is not expected to be overwhelmed itself. This is not necessarily the case in wireless networks and their applications, e.g. IoT devices, as they are often resource-constrained and frequently need to communicate over wireless networks with defined QoS requirements.
2G
The most popular 2G cellular network is GSM. Another, less popular, is CDMA, used in North America and Japan. Both are fully digital networks that allow roaming. They were not originally designed to carry data; data support was added later with limited capacity.
What protocol(s) currently exist on the network layer in the internet architecture?
Multiple data link layers support IP, and a number of higher-layer protocols are in use, but IP is the only network layer protocol in the Internet architecture. IP is the highest-layer protocol implemented in routers/hosts.
What is NSIS?
Next Steps in Signaling (NSIS) was an Internet Engineering Task Force working group focusing on the design of a next generation signaling protocol framework and protocol specifications. One of the three primary protocols proposed by NSIS is the QoS signaling protocol QoS NSLP. The QoS NSLP seeks to replace the Resource Reservation Protocol (RSVP) for signaling resource reservations to Internet routers.
Can one transmit and listen at the same time in a wireless network? Why/why not?
No, one cannot transmit and listen at the same time in a wireless network. This is because the signal from the transmitting node's radio transmitter will deafen all other signals when heard from the same node's radio receiver. This then means that one cannot utilize CSMA/CD in a wireless network to handle collisions, because one cannot detect them.
Is the program (application) itself considered a part of the application layer in the OSI Reference Model?
No. This is because the app is something manufacturers develop individually to compete with one another. Therefore, there are no requirements as to how an app should look.
When do nodes reassociate and when do they disassociate?
Nodes request reassociation when moving from one BSS to another BSS in the same ESS. One has to reassociate because each AP has its own BSSID, while the ESSID is shared. Nodes request disassociation when moving between ESSs.
Is it hard to guess the sequence number of a TCP session? Why?
Not really, although it should be, as hosts are free to choose ISNs from a 32-bit range. The reason why it is not that hard is that randomness does not come easily to computers. Computers therefore use pseudorandom number generators (PRNGs). In domains such as TCP, numbers must be generated rather quickly, and because of this one often uses fast but rather poor PRNGs, such as linear congruential PRNGs, that allow prediction of future values based on previous values.
What security does the IEEE 802.1x standard offer?
Offers port authentication, but no user authentication nor encryption mechanisms. Usually the RADIUS protocol is used for authentication, authorization and accounting (AAA) operating an encrypted tunnel between APs and AS (authentication server).
How can standards like 802.11ax somewhat protect themselves if their signals are jammed?
One can fall back on other, older encodings that are less complex but more robust. However, none of these encodings are completely safe from jamming.
What must be done to make simultaneous communication possible when multiple nodes share channels? Are "transmit and pray" and CSMA/CD effective measures?
One has to use a MAC protocol to maximise throughput and maintain fairness. Transmit and pray will only work in networks that are not very busy; if the network is handling a lot of traffic, a large number of collisions will occur using this approach. CSMA/CD (listen before you talk) will not be efficient because the propagation delay between transmitters is non-zero, meaning there is a delay between one node sending information and the recipient receiving it. Because of the way CSMA/CD works, others that wish to transmit have to wait until the current transmission is done, so a collision wastes an entire transmission time. Furthermore, the CSMA/CD collision probability depends on the propagation delay: if this delay is long, the probability of collisions increases.
How can one hijack a session?
One must guess the correct sequence number. The endpoint will reject sequence numbers that fall outside the legitimate transmission window. This is why good (unpredictable) sequence numbers, rather than predictable ones, make session hijacking a bit harder. Further, the legitimate client must be suppressed, because otherwise sequence number confusion might occur, and this will result in the termination of the connection due to mixed-up ACKs.
How is IP multicast managed in the wider internet?
One uses additional protocols like IGMP and PIM.
What was the issue with the original Ethernet that is mitigated with switched Ethernet?
The original Ethernet operated using one long cable you could connect to using a vampire tap. There are two issues with this: 1. Network sniffing is trivial, because you can just connect to the network through a tap and then have access to all traffic on the network. 2. Collision handling was poor.
How were original IP network prefixes divided? Why is this not the case anymore, and what has replaced it?
Original IP divided network prefixes into classes (e.g. a Class A network had an 8-byte prefix, a Class C a 24-byte prefix). This was wasteful and inflexible. Therefore, classless interdomain routing (CIDR) replaced it. CIDR uses a variable prefix mask, allowing more flexibility and less waste of IP addresses. CIDR was further needed because the size of the routing tables was beginning to outgrow router capacities.
Why would one want to implement explicit QoS mechanisms in an over-provisioned network?
Over-provisioned networks can be subjected to DoS attacks. Denial of Service attacks are attacks which aim to shut down a network or a computer, rendering it inaccessible to its users. QoS mechanisms can then provide a network, even an over-provisioned network, the necessary capacity it needs to maintain the network's QoS.
What are the two phases of PEAP?
PEAP (Protected Extensible Authentication Protocol) is a fairly common and secure setup which operates in two phases: 1) The client authenticates the AS using the AS's TLS server certificate and establishes an encrypted tunnel between the AS and the client. 2) Another protocol, such as Microsoft's MSCHAPv2 (a password-based challenge/response protocol), is used within the tunnel.
What is the ARPANET considered to be one of the first global implementations of?
A packet switched network.
Non-Repudiation
Protection against denial of an entity having participated in a part or all parts of a communication.
Authentication exchange
Protocols for establishing and verifying the identity of an entity.
Connectionless confidentiality
Providing confidentiality of all user data in a data block
Connection confidentiality
Providing confidentiality of all user data on a connection
Selective field confidentiality
Providing confidentiality of parts of a data block
Traffic flow confidentiality
Providing confidentiality of the information that can be gained from observing only the flow of traffic
What is QoS?
QoS (quality of service) is a measurement of the overall performance of a service, particularly the performance seen by the end-user of the service. Such services could e.g. be telephony, computer networks or cloud services.
How can one defend against TCP Shrew attacks?
Random dropping of packets, and SYN cookies encoded in the sequence number.
Repeaters
Receive and retransmit the same signal in order to refresh it. Allows for sending/amplifying a signal over longer distances.
Recovery
Security mechanism to restore a trusted operation.
What is the difference between security mechanisms and security services?
Security services are generic concepts (authentication, non-repudiation). Security mechanisms are tools used to achieve these concepts in various situations (encryption, signatures, access control).
How is congestion control in TCP managed?
The sender measures how many ACK packets have been received/not received.
Shrew attack
A TCP DoS attack. It exploits the RTO by sending a burst of packets to a server exactly at the time when a client sends an ACK packet, resulting in packets being dropped by the router and not transmitted to the waiting sender. This creates a fake high-congestion environment, and the TCP connection becomes very slow due to being managed by the RTO.
How can TCP's congestion control strategies worsen QoS issues?
TCP congestion control uses something called a congestion window. A congestion window is one of the factors which determines the number of bytes that can be sent out at any time. This is done in order to avoid the link between a sender and a receiver becoming too overloaded with traffic. If the window is small, this can cause severe latency, thus compromising the QoS.
What is TCP and how does it work roughly?
TCP is a protocol used at the transport layer. It organizes data so that it can be transmitted between a server and a client while preserving the integrity of the data being communicated. Before it transmits data, TCP establishes a connection between a source and its destination using a 3-way handshake. It then breaks data into smaller segments which are transmitted with a sequence number and receipt number to ensure the integrity and successful delivery of the packets.
What are the advantages/disadvantages with TKIP?
TKIP is computationally cheaper than CCMP. It does, however, require countermeasures such as re-keying on active attacks and rate-limiting of re-keying, due to a somewhat problematic construction.
IP and TCP DoS attacks can be conducted from both compromised hosts as well as spoofed addresses. In the case of spoofed addresses, what problems could this cause for the hosts and networks of the spoofed address?
Target and network service provider may block spoofed networks or hosts which in reality are innocent. Such spoofed networks/hosts will also suffer in the case of a TCP SYN flood attack because they have to deal with all the resulting SYN/ACK segments.
Cut through switching
Technology that allows a switch to avoid buffering by forwarding frames while they are still being transmitted to the switch.
What does the DF flag mean in the IP header?
That one is not allowed to fragment the IP packet.
How does TKIP work?
The 256-bit temporal key (TK) is divided as follows. Two 64-bit keys are used with the Michael message digest algorithm to produce a MIC. One key is used to protect STA-to-AP messages, and the other to protect AP-to-STA messages. The remaining 128 bits are truncated to generate the RC4 key used to encrypt the transmitted data.
Describe the IEEE 802.1x access control approach
The IEEE 802.1x standard was designed to provide access control functions for LANs. The authentication protocol that is used, the Extensible Authentication Protocol (EAP), is defined in the standard. IEEE 802.1x uses the terms supplicant, authenticator and authentication server (AS). In the context of IEEE 802.11 WLAN, supplicant and authenticator correspond to the wireless station and the AP. The AS is typically a separate device on the wired side of the network, but can also reside directly on the authenticator. Until the AS authenticates a supplicant, the authenticator only passes control and authentication messages between the AS and the supplicant. However, once the supplicant has been authenticated and keys are provided, the authenticator can forward data from the supplicant to the network. The supplicant (STA) and the AS are authenticated to each other using an EAP exchange. Typically, the message flow between the STA and the AP employs the EAP over LAN (EAPOL) protocol, and the message flow between the AP and AS uses RADIUS. APs must advertise security capabilities to STAs, and APs forward STA authentication to the central AS. Once authenticated to the AS, one gets a master key which is then used to generate session keys serving as authorization tokens.
In 802.11i, what is a PMK and what is the use of it?
The PMK is a Pairwise Master Key which is used by the AP and the STA to derive PTKs (Pairwise Transient Keys).
What is the difference between RSVP and RSVP-TE?
The Resource Reservation Protocol (RSVP) is a transport layer protocol designed to reserve resources across a network using the integrated services model. RSVP can be used by hosts and routers to request or deliver specific levels of quality of service (QoS) for application data streams. RSVP defines how applications place reservations and how they can relinquish the reserved resources once no longer required. RSVP operations will generally result in resources being reserved in each node along a path. Resource Reservation Protocol - Traffic Engineering is an extension of the Resource Reservation Protocol (RSVP) for traffic engineering. It supports the reservation of resources across an IP network. RSVP-TE generally allows the establishment of MPLS label switched paths (LSPs), taking into consideration network constraint parameters such as available bandwidth and explicit hops.
Explain how the STA and AP 4-way handshake works in CCMP. Why use this handshake?
The STA and AP use a 4-way handshake to confirm the existence of the PMK, verify the selection of the cipher suite and derive a fresh PTK for the following data session. The handshake proves liveness (mutually) for the peers, and demonstrates that there is no man in the middle between the PTK holders, provided there was no man in the middle holding the PMK. The four steps in the handshake are:
1) AP -> STA: the message includes the MAC address of the AP and a nonce (Anonce).
2) STA -> AP: the STA generates its own nonce (Snonce) and uses both nonces and both MAC addresses plus the PMK to generate a PTK. The STA sends a message containing its MAC address and Snonce to the AP, enabling the AP to generate the same PTK. This message includes a MIC.
3) AP -> STA: the AP generates the PTK and sends a message to the STA containing the same information as in the first message, but this time also including a MIC.
4) STA -> AP: acknowledgement message, protected by a MIC.
What is the primary function of the TTL field in an IP header? Does it have any other use cases?
The TTL field in the IP header is primarily used to prevent routing loops. A secondary use is as a "hack" for discovering routes by sending packets with increasing TTL, namely traceroute. TTL is also important for handling multicast traffic: with TTL=1, multicasts are restricted to non-routable local networks; otherwise routers must forward them.
What is the channel access problem?
The channel access problem concerns the problem of simultaneous communication. E.g. as in the original ethernet, 802.11 as a radio network has multiple nodes that share channels. This makes simultaneous communication impossible.
Although 802.11 is better than WEP, what are some weaknesses still present when using the standard?
The client trying to access the network is still vulnerable. Misconfigured access points, rogue access points, or an evil twin can still compromise the client.
Why must the header checksum in the IP header be recomputed for each hop the packet does?
The header checksum is computed over selected fields in the header of the IP packet. These header fields can change value (for instance Source Address during NAT). The TTL (Time to Live) for instance will change on every hop, and as such the checksum will change.
What do routing nodes need to know when using CIDR?
The routing nodes need to know the IP address and network identifier (netmask). The host number is derived from the inverse of the netmask.
How does CCMP prevent replay attacks?
The scheme uses a 48-bit packet number to construct a nonce.
What is layer 5 in the OSI Reference Model, and what does this layer do?
The session layer manages logical connections between systems to establish, terminate and restart or checkpoint sessions for later resumption.
What two schemes/sub-protocols are defined in IEEE 802.11i for protecting data transmitted in 802.11 MPDUs (MPDU exchange)?
The Temporal Key Integrity Protocol (TKIP) and the Counter Mode-CBC MAC Protocol (CCMP).
What is the purpose of TCP mechanisms like RTO and RTT, and what are the differences between the two?
They are used for congestion control. RTT (Round Trip Time) is the time between a packet being sent and its receipt being acknowledged. It is measured continuously and used to determine how often packets are sent. RTO (Retransmission Timeout) is used in high-congestion environments by TCP connections to seriously slow down transmission, usually stopping completely for an entire second before cautiously starting to send again very slowly.
In a fixed network, a transmitter must keep listening. Why?
This is because if the transmitted signal is not equal to the sensed signal, a collision has occurred. If this is the case, one has to retransmit the signal.
How does the IEEE 802.11 standard solve the channel access problem related to wireless networks?
This issue is solved with an explicit protocol, CSMA/CA, that relies on RTS (request to send) and CTS (clear to send) messages. The way this works is:
1) The transmitting node chooses a random number.
2) The node begins its countdown from the random number when it deems the medium to be available. The countdown is frozen if the medium is busy.
3) When/if the counter reaches zero, the node transmits an RTS, which causes the neighbouring nodes to freeze their countdown. The RTS contains a request for a specific time window including CTS and acknowledgements, T_comm.
4) All other nodes remain silent during the NAV (Network Allocation Vector) time (= T_comm).
5) The receiver replies with a CTS (also containing the expected transmission duration). Neighbouring nodes are then again silent for the NAV time.
6) The transmitter sends.
7) The receiver sends an acknowledgement.
8) Once the ACK is observed, other nodes restart their countdown and the protocol resumes.
If the RTS or data transmission collides, the transmitter chooses a new countdown period (using an exponential backoff algorithm).
What is the purpose of ICMP?
To exchange information between nodes in a network
What is the point of the Spanning Tree protocol (IEEE 802.1D)
To handle and avoid messages ending up in a loop in switched networks
How do you jam a wifi signal?
To jam a signal, one has to transmit noise on the same frequency as the signal and drown out the actual information. Intentional Wi-Fi jamming often happens by sending noise over a large spectrum of frequencies, deafening a whole network.
What aspects of a network service are considered when attempting to measure QoS quantitatively?
To quantitatively measure the quality of service, several aspects are considered. Some common examples are error rates (packet loss, bit error rates), bit rate, throughput, transmission delay, availability and jitter.
What are GRE, PPTP and L2TP examples of?
Tunneling protocols.
How does hole punching work?
Two nodes, each behind different NAT gateways, temporarily connect to a third, external server and exchange their internal and external IP addresses. In this way they can attempt to establish a direct connection with each other.
What is the purpose of the type and code fields in ICMP?
Type is used to specify the purpose of the message (for instance, type 0 to 8 is a form of ping, type 11 is a TTL timeout error), and code is used to specify additional information about the error.
As of 2016, what percentage of traffic is IPv6?
Under 2%
What are the Spanning Tree protocol (IEEE 802.1D) requirements for switches and bridges, and why?
A unique identifier for each device, and a separate broadcast address for switches. This allows for a unique port identifier for each device, using the combination of a MAC address, the bridge ID and the port number.
What will a router do when it sees a multicast address packet for the first time?
When a router sees a multicast address packet for the first time, it will flood it to all interfaces except the inbound one.
Give an example of a scenario where it can be useful to utilize tunneling?
When deploying VPNs to connect remote workers or offices sharing the same address range and logical networks.
In switched ethernets, can one sniff any traffic? If so, what traffic?
When using switched Ethernet, one cannot sniff all traffic using any port. This is because, when using switches, the traffic is spread out over different ports. This means that traffic sniffing in switched Ethernets is limited to broadcast/multicast packets, which are available to all and are not meant for one specific address.
Deauthentication attack
Wi-Fi attack (802.11 specifically) used to disconnect a client from the network. Used for instance to force a client to connect to an evil twin, or to force the client to connect again in order to sniff the four-way handshake.
What are some examples of IoT protocols?
Z-Wave, SIGFOX, LoRaWAN, WAVIoT NB-Fi and LTE-M.