Final exam study guide partial answers

> 1. Consider the hierarchical queuing discipline using weighted fair queuing;
> each node is marked with its bandwidth fraction.
>
>               root
>              /    \
>             /      \
>            /        \
>         60%          40%
>        /   \        /   \
>       /     \      /     \
>    33%      67%  50%     50%      Note: these are fractions of the PARENT!
>     |        |    |       |
>     A        B    C       D
>
> What fraction would each of A, B, C, and D get if all senders were active?

Multiply the fractions along the path down from the root:

A: .6 * .33 = 20%
B: .6 * .67 = 40%
C: .4 * .50 = 20%
D: .4 * .50 = 20%

> What fraction would each of A, B, and C get if they were the only ones active?

With D idle, C is the only active child of the 40% node and so inherits all of it:

A: 20%
B: 40%
C: 40%

> 2. In the diagram above, suppose only A and C are active, and hence A gets 60%
> and C gets 40%. All packets are the same size; packets might be sent in the sequence
> a1 a2 a3 c1 c2 a4 a5 a6 c3 c4 (or perhaps a1 a2 c1 a3 c2 a4 a5 c3 a6 c4).
> Now suppose B starts in; what might the sending pattern be? (Assume the packets
> are numbered from 1, or 0).

All we're trying to do is come up with a transmission sequencing that gives A 20%, B 40%, and C 40%. The easiest is to replace two of every three a[i]'s with b[i]'s:

old: a1 a2 a3 c1 c2 a4 a5 a6 c3 c4 ....
new: a1 b1 b2 c1 c2 a2 b3 b4 c3 c4 ....

In every ten packets A now gets 2, B gets 4 and C gets 4.

> 3. Compare SNMP, OpenNMS-style pollers (java programs), and high-level shell scripts for discovering network information.

While there is some overlap, SNMP tends to provide hardware data. Pollers provide information on applications at the level of whether the application is accepting connections and apparently initiating them correctly. Scripts can provide information on whether applications are creating the correct end results.

> 4. For the following SDN (OpenFlow) switches, give rules for unknown-destination
> traffic (either flood-all-traffic or no-flooding) for each switch so that traffic
> does not circulate endlessly.
>
> (a).
>      A---------B
>      |         |
>      |         |
>      D---------C

flood-all traffic: A, B, C
no-flooding: D

This amounts to taking D out of the network, for flooding-traffic purposes, so the network becomes loop-free.
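One way to check an assignment like this mechanically, added here as an example (it is not part of the original guide): flooded traffic is forwarded only by flood-all switches, so the assignment is loop-free exactly when the links among the flood-all switches contain no cycle. A second check, that every no-flooding switch still has at least one flood-all neighbour, makes sure the switch taken "out of the network" is not cut off from unknown-destination traffic altogether. The link lists for topologies (a) and (b) and all function names below are my own.

```python
"""Check a flood-all / no-flooding assignment for an OpenFlow topology.

Added example, not part of the original study guide.  Flooded traffic is
forwarded only by flood-all switches, so it circulates endlessly exactly
when the switches marked flood-all contain a cycle.  A second check makes
sure no switch is cut off: every no-flooding switch still needs a
flood-all neighbour to receive unknown-destination traffic from.
"""

from collections import defaultdict

# Topologies (a) and (b) from the question, as undirected link lists.
TOPOLOGY_A = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "A")]
TOPOLOGY_B = [("A", "B"), ("B", "C"), ("D", "E"), ("E", "F"),
              ("A", "D"), ("B", "E"), ("C", "F")]


def flood_graph_has_cycle(links, flood_all):
    """True if the flood-all switches, with the links among them, contain a cycle.

    Union-find over the links whose endpoints both flood: joining two
    switches that are already connected closes a loop.
    """
    parent = {s: s for s in flood_all}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]
            s = parent[s]
        return s

    for u, v in links:
        if u in flood_all and v in flood_all:
            ru, rv = find(u), find(v)
            if ru == rv:
                return True
            parent[ru] = rv
    return False


def isolated_switches(links, flood_all):
    """No-flooding switches with no flood-all neighbour: they never receive
    unknown-destination traffic, so hosts behind them are unreachable."""
    neighbours = defaultdict(set)
    for u, v in links:
        neighbours[u].add(v)
        neighbours[v].add(u)
    return sorted(s for s in neighbours
                  if s not in flood_all and not (neighbours[s] & flood_all))


def check_assignment(links, flood_all):
    """Return (loop_free, isolated) for a proposed set of flood-all switches."""
    flood_all = set(flood_all)
    return (not flood_graph_has_cycle(links, flood_all),
            isolated_switches(links, flood_all))


def no_flooding_candidates(links):
    """Every single switch whose removal from flooding makes the topology loop-free."""
    switches = {s for link in links for s in link}
    return sorted(s for s in switches
                  if check_assignment(links, switches - {s}) == (True, []))


if __name__ == "__main__":
    print("(a) D no-flooding:", check_assignment(TOPOLOGY_A, {"A", "B", "C"}))
    print("(a) candidates:", no_flooding_candidates(TOPOLOGY_A))
    print("(b) E no-flooding:", check_assignment(TOPOLOGY_B, {"A", "B", "C", "D", "F"}))
    print("(b) candidates:", no_flooding_candidates(TOPOLOGY_B))
```

no_flooding_candidates lists every single switch that works on its own: for the square in (a) that is all four, while for the 2x3 grid in (b) only the middle-column switches B and E qualify, because taking out a corner switch leaves the other square intact and still looping.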
Any of A, B or C could also have been the deleted node.

> (b).
>      A---------B---------C
>      |         |         |
>      |         |         |
>      D---------E---------F

One possible solution:

flood-all-traffic: A, D, B, C, F
no-flooding: E

With E removed, the flooding switches are joined only by the links D-A, A-B, B-C and C-F, a path with no cycle.

> 5. How are SNMPv3 keys different from passwords? How are keys exchanged,
> after they are set up initially?

For the AuthNoPriv (authentication but not encryption) service, the authenticator in each packet is an HMAC over the packet computed with the local key (that is, a separate session key is not selected, and the key itself never appears on the wire). The local key is a hash of some combination of the password and the engineID, so that discovery of a local key only compromises a single agent.

Keys are exchanged using "key change" objects; an SNMP SET command is used to "set" the value of a "key change" field in the usmUserTable (USM = User-based Security Model), which causes a key update to occur. The keys are not directly accessible in the usmUserTable. The key-change object involves 16-byte strings RAND (truly random) and DELTA, calculated as

    DELTA = md5(old_key || RAND) XOR new_key

where old_key and new_key are the local keys (kul_old and kul) and || is concatenation. The manager SETs the value RAND || DELTA; the agent, which already holds old_key, recovers new_key = md5(old_key || RAND) XOR DELTA. An eavesdropper who does not know old_key cannot compute the mask and so learns nothing about new_key from DELTA.

> 6. How does SNMPv2 GetBulk differ from SNMPv1 GetNext?

It is like an "iterated" GetNext, that is, not just the one next value is retrieved, but N next values in sequence. Both GetBulk and GetNext can ask for the next values corresponding to M different OIDs in parallel.

> 7. Outline the row-creation mechanism built into SNMPv2, including the RowStatus
> field, and give an example of what row creation might be used for.

A table that supports row creation has a RowStatus column. To create a row the manager issues a SET that supplies the new row's INDEX values and sets RowStatus to createAndGo (all the other columns are supplied in that same SET and the row goes straight to active) or createAndWait (the agent creates the row in state notReady or notInService, the manager fills in the remaining columns with further SETs, and finally sets RowStatus to active). Setting RowStatus to destroy deletes the row.

RMON is a good example of a use of row-creation: a manager creates a row in a control table to ask the probe to start collecting a new set of statistics. So is SNMPv3 USM, where adding a user means creating a row in the usmUserTable.

> 8. In SNMPv1, the manager had to store the "community" password for each agent
> (though many agents used the same password). How is this password-keeping
> requirement different in SNMPv3?

Both arrangements require in principle that one password be kept for each possible agent. SNMPv3 also requires keeping a username.
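The key handling from question 5 is what makes the per-agent arrangement above workable: the same password localizes to a different key on every engineID, and a password change travels as a key-change object rather than as the new key itself. The following is an added example, not from the study guide, implementing the RFC 3414 MD5 variant of password-to-key, localization, the HMAC-MD5-96 authenticator and the KeyChange object. The password "maplesyrup" and engineID 00..02 are RFC 3414's published test vector; the new password and the RAND value used in the demonstration are made up.

```python
"""SNMPv3 USM key handling (RFC 3414), MD5 variant.

Added example, not from the study guide: password-to-key, localization to
one engineID, the HMAC-MD5-96 authenticator, and the KeyChange object.
The sample password and engineID are the RFC 3414 appendix test vector;
RAND and the new password below are made up for the demonstration.
"""

import hashlib
import hmac
import os

ONE_MEGABYTE = 1048576

# RFC 3414 A.3.1 vector: password "maplesyrup", engineID 00..00 02.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password):
    """Ku: MD5 of the password repeated to fill 1 MiB (RFC 3414 A.2.1).
    The repetition is there only to make brute-force guessing slower."""
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.md5(password * reps + password[:rem]).digest()


def localize(ku, engine_id):
    """Kul = MD5(Ku || engineID || Ku): one key per agent, so a key captured
    from one agent does not work against another with the same password."""
    return hashlib.md5(ku + engine_id + ku).digest()


def authenticator(kul, message):
    """HMAC-MD5-96: what goes in msgAuthenticationParameters.  Only the
    12-byte tag travels; the key itself never does."""
    return hmac.new(kul, message, hashlib.md5).digest()[:12]


def key_change_manager(kul_old, kul_new, rand=None):
    """Manager side: the value to SET into usmUserAuthKeyChange is RAND || DELTA."""
    rand = os.urandom(16) if rand is None else rand
    mask = hashlib.md5(kul_old + rand).digest()
    delta = bytes(a ^ b for a, b in zip(mask, kul_new))
    return rand + delta


def key_change_agent(kul_old, key_change):
    """Agent side: recompute the mask with the old key it already holds."""
    rand, delta = key_change[:16], key_change[16:]
    mask = hashlib.md5(kul_old + rand).digest()
    return bytes(a ^ b for a, b in zip(mask, delta))


def rotate_password(old_password, new_password, engine_id, rand=None):
    """Whole exchange: returns (kul_old, wire_value, kul_recovered_by_agent)."""
    kul_old = localize(password_to_key(old_password), engine_id)
    kul_new = localize(password_to_key(new_password), engine_id)
    wire = key_change_manager(kul_old, kul_new, rand)
    return kul_old, wire, key_change_agent(kul_old, wire)


if __name__ == "__main__":
    ku = password_to_key(PASSWORD)
    kul = localize(ku, ENGINE_ID)
    print("Ku ", ku.hex())   # 9faf3283884e92834ebc9847d8edd963 per RFC 3414
    print("Kul", kul.hex())  # 526f5eed9fcce26f8964c2930787d82b per RFC 3414
    print("tag", authenticator(kul, b"<SNMPv3 message bytes>").hex())
    old, wire, recovered = rotate_password(PASSWORD, b"newpassword1", ENGINE_ID)
    print("agent recovered new Kul:", recovered.hex())
```

Note what is and is not protected here: DELTA hides the new key only from someone who lacks the old localized key, so the key-change SET must itself be authenticated with the old key, and an attacker who has already recovered one agent's Kul can follow that agent's key changes (but still not those of any other agent).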
SNMPv1 tends to use the same password for many machines, and to rely on firewalling for security. SNMPv3 is designed to be secure enough to use without firewalling, so in practice that likely means lots more different passwords (ultimately a different password for each node).

> 9.(a) Outline how initial accounts are created in SNMPv3 agents

They must be created *outside of SNMP*, for example in the agent's configuration file.

> (b) Outline how that initial account can be cloned by *using* SNMPv3.

There is a standard two-step clone process: first clone the original account to a new user, and second change the password. Cloning a row means using SNMP SET to create a new row and SET its usmUserCloneFrom field (this requires providing the INDEX values of the new row, which are the engineID and the new username). A SET of usmUserCloneFrom then copies the rest of the cloned-from row into the new row, except for the new INDEX values; the copied columns include the authentication and privacy protocols and the keys. Because the clone starts out with the original user's keys, the second step (changing the password through the key-change objects of question 5) is what actually gives the new user keys of its own.

> 10. How does fair queuing differ from using one layer of HTB?

One layer of HTB, besides adding token-bucket shaping, uses "quantum round-robin" fair queuing (deficit round robin), which is a more "coarse-grained" form of fair queuing: each class may send up to a quantum's worth of bytes per round, rather than being scheduled packet-by-packet on virtual finish times.

> 11. Suppose you are using priority queuing to route VOIP traffic ahead of other TCP
> traffic. What do you have to do to ensure that the other TCP traffic does not "starve"?

You need to be sure that the sum of all the priority traffic is "considerably" less than the total link capacity, eg 10%-30%, so that non-priority traffic will get a significant share. One way to do this is to limit the number of VOIP voice channels at the site's border router.

> 12. Consider each of the following iptables commands on box S.
> Which will block responses to pings? Which will block pings even being received?
> (a) iptables --table filter -A INPUT -p icmp -j DROP
> (b) iptables --table filter -A OUTPUT -p icmp -j DROP
> (c) iptables --table filter -A FORWARD -p icmp -j DROP

(a) will block icmp traffic (pings included) from being received by S. Note that it also drops the echo replies to S's own outgoing pings, since those arrive through INPUT too.

(b) will block responses from making it out.

(c) will have no effect on pings to S itself, since the FORWARD chain only sees packets that S routes between other hosts. However, if the host is B, and it also acts as a router for traffic reaching C:

    A----B----C

then (c) will block pings to C (and C's replies on their way back to A).
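A small model of which filter-table chain a packet traverses on S, added here as an example and not part of the guide; the addresses, the Packet type and the rule dictionaries are made up for it. It reproduces the three answers above and also shows the collateral effect of (a): dropping all ICMP on INPUT also drops the echo replies to S's own pings, which a rule matching only echo-request (iptables' --icmp-type echo-request) avoids.

```python
"""Which netfilter chain sees a packet, and what a DROP there does.

Added example, not part of the study guide: a tiny model of the filter
table's INPUT / OUTPUT / FORWARD traversal, enough to test the three
rules from question 12 against ping traffic.  Addresses and the rule
format are made up for the example.
"""

from dataclasses import dataclass

S_ADDRESSES = {"10.0.0.2"}                 # box S (plays B when it routes A<->C)
A_ADDR, C_ADDR = "10.0.0.1", "10.0.1.3"    # the other two hosts


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    icmp_type: str = ""   # "echo-request" or "echo-reply" for ICMP


def chain_for(pkt, local_addrs, forwarding):
    """Local delivery -> INPUT, locally generated -> OUTPUT, transit -> FORWARD
    (or not routed at all when ip_forward is off)."""
    if pkt.dst in local_addrs:
        return "INPUT"
    if pkt.src in local_addrs:
        return "OUTPUT"
    return "FORWARD" if forwarding else None


def matches(rule, pkt):
    """A rule matches when every selector it specifies agrees with the packet."""
    return (rule.get("p", pkt.proto) == pkt.proto and
            rule.get("icmp_type", pkt.icmp_type) == pkt.icmp_type)


def verdict(rules, pkt, local_addrs, forwarding=False, policy="ACCEPT"):
    """First matching rule in the chain the packet traverses decides; else the chain policy."""
    chain = chain_for(pkt, local_addrs, forwarding)
    if chain is None:
        return "NOT_ROUTED"
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policy


# The three commands from the question, plus a narrower alternative to (a).
RULE_A = {"chain": "INPUT", "p": "icmp", "target": "DROP"}
RULE_B = {"chain": "OUTPUT", "p": "icmp", "target": "DROP"}
RULE_C = {"chain": "FORWARD", "p": "icmp", "target": "DROP"}
RULE_A_REQUEST_ONLY = {"chain": "INPUT", "p": "icmp",
                       "icmp_type": "echo-request", "target": "DROP"}

# Constructed sample traffic.
PING_IN = Packet(A_ADDR, "10.0.0.2", "icmp", "echo-request")   # A pings S
REPLY_OUT = Packet("10.0.0.2", A_ADDR, "icmp", "echo-reply")   # S answers A
REPLY_IN = Packet(A_ADDR, "10.0.0.2", "icmp", "echo-reply")    # answer to S's own ping
TRANSIT = Packet(A_ADDR, C_ADDR, "icmp", "echo-request")       # A pings C via S acting as B


def ping_s_survives(rules):
    """Does a ping from A to S get both received and answered?"""
    return (verdict(rules, PING_IN, S_ADDRESSES) == "ACCEPT" and
            verdict(rules, REPLY_OUT, S_ADDRESSES) == "ACCEPT")


if __name__ == "__main__":
    for name, rules in [("(a)", [RULE_A]), ("(b)", [RULE_B]), ("(c)", [RULE_C]),
                        ("(a) request-only", [RULE_A_REQUEST_ONLY])]:
        print(name, "ping to S ok:", ping_s_survives(rules),
              "| reply to S's own ping:", verdict(rules, REPLY_IN, S_ADDRESSES),
              "| A->C through S:", verdict(rules, TRANSIT, S_ADDRESSES, forwarding=True))
```

The model deliberately leaves out conntrack: on a real box a `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule placed before (a) is the usual way to keep S's own pings working while still refusing inbound echo requests.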