This is the midterm you did on 02/22/03. I have added ``model solutions'' for all but problem 1.
Note: I often give similar questions in the second midterm and in the final.

Midterm, CIS 656
February 22, 2003. 9:15 - 10:30.

Closed Book. Use only the paper provided by Dr Ott. Put your name on every sheet. Keep margin free! Be SHORT and CONCISE. Write legibly! There are three sheets. Do not overlook one!

Fact-Sheet. This is information you may need to answer exam questions.

Frame Types in Ethernet (Ether Types) (in hexadecimal):

    IPv4    0800
    IPv6    86DD
    ARP     0806
    RARP    8035

Version numbers:

    IPv4    4
    IPv6    6

Protocol Identifiers in IPv4:

    ICMP       1
    IGMP       2
    IPv4       4
    TCP        6
    EGP        8
    UDP       17
    IPv6      41
    RSVP      46
    OSPFIGP   89

IPv4 Options:

    You must know the EoO Option and the No-Op Option.
    The Record-Route Option has code 7, Length and Pointer as needed.
    The Strict Source Route Option has code 137, Length and Pointer as needed.
    (Be sure to understand strict source route as done in class!).
    The Loose Source Route Option has code 131, Length and Pointer as needed.
    The Time Stamp Option has code 68, Length and Pointer as needed, 4 Overflow bits, and 4 Flag bits.

Total for problem 1 is 26 points.

1. Draw the header of an IP packet without options. Give size and name of every field. Give the old (outdated) description of the ToS field (not DSCP, ECN). BRIEFLY explain meaning and use of all fields.

Study the following arp output (part was erased to save paper):

    argerich-244 ott>: arp -a
    Net to Media Table: IPv4
    Device IP Address             Mask            Flags Phys Addr
    ------ ---------------------- --------------- ----- -----------------
    eri0   dhcp-207-32            255.255.255.255       00:c0:4f:a0:ab:c7
    eri0   megalon                255.255.255.255       08:00:20:c4:86:8d
    eri0   dhcp-207-14            255.255.255.255       00:c0:4f:a0:ab:fe
    eri0   dhcp-207-16            255.255.255.255       00:c0:4f:a0:ab:ac
    eri0   argerich               255.255.255.255 SP    00:03:ba:02:83:fc
    eri0   BASE-ADDRESS.MCAST.NET 240.0.0.0       SM    01:00:5e:00:00:00

Study the following traceroute output:

    maan-505 ott>: traceroute argerich
    traceroute to argerich.njit.edu (128.235.204.109), 30 hops max, 40 byte packets
     1  cisnet-gw5 (128.235.32.5)  1.337 ms  0.424 ms  0.407 ms
     2  argerich (128.235.204.109)  0.447 ms  0.431 ms  0.404 ms

Problem 2 is worth 10 points.

2. What is the physical address of the computer with IP address 128.235.204.109? VERY briefly explain your answer.

Model answer to problem 2:
------
From the traceroute output we see that argerich has IP address 128.235.204.109. From the arp -a output we see that argerich has physical address 00:03:ba:02:83:fc. Therefore, the computer with IP address 128.235.204.109 has physical address 00:03:ba:02:83:fc.

Several students seemed to think you can get the answer from just the arp output, using the fact that the arp -a command was executed at argerich. Wrong! For example, add more data:

    maan-763 CIS656.S.03>: traceroute megalon
    traceroute to megalon.njit.edu (128.235.205.37), 30 hops max, 40 byte packets
     1  cisnet-gw5 (128.235.32.5)  1.275 ms  0.420 ms  0.402 ms
     2  megalon (128.235.205.37)  0.461 ms  0.412 ms  0.401 ms

Now find out what the physical address is of the computer with IP address 128.235.205.37.

Solution: megalon has IP address 128.235.205.37 and physical address 08:00:20:c4:86:8d.

In cases like this you do not get credit for the correct guess. Only for the correct reasoning.

This question is typical.
I like to ask questions where you have to combine information from different tools (nslookup, ping, traceroute, tcpdump, arp, ifconfig, netstat) to get the answer.
------

Problem 3 is worth 10 points.

3. Are maan.njit.edu and argerich.njit.edu on the same subnetwork? VERY briefly explain your answer.

Model answer to problem 3:
------
In traceroute from maan to argerich, there is a router in-between (cisnet-gw5). Therefore, maan and argerich are not on the same subnetwork.

Some students thought you could tell from the addresses. In the first place, you are not given the IP address of maan, so you cannot use that. In the second place, even if you knew that address (128.235.32.243) you still would not know, since you are not given the mask of the subnetworks that maan and argerich are attached to. With the information you had, it was conceivable NJIT does not subnet beyond one class B net (uses only bridges etc). In that case maan and argerich would be on the same subnet. You get credit for the right reasoning, not the right guess.

Aside: The subnets of maan and argerich have 20 ones and 12 zeros. For argerich you can check that. How? (maybe midterm II!). You are not allowed to log in to maan!

This question served to tell which students did the traceroute homework I assigned.
------

Problem 4 is worth 5 points.

4. What does ICMP stand for?

Model answer to problem 4:
------
Internet Control Message Protocol.

Aside: several people gave a story on what ICMP is and does, even gave the header! NEVER answer questions that are not asked! It takes time. If correct you get no credit. If wrong you lose points.
------

Problem 5 is worth 5 times 5 = 25 points.

5. A subnetwork has address 128.235.0.0/20.

5a. Describe the mask of this subnetwork.

Which of the following addresses can be the address of an interface on this network? In each case, answer yes or no and give a BRIEF! explanation.

5b. 128.235.16.3
5c. 128.234.0.4
5d. 128.235.8.8
5e. 128.235.15.255

Model answer to problem 5:
------
5a: There are several good answers:

    (i)   1111 1111 1111 1111 1111 0000 0000 0000
    (ii)  20 ones followed by 12 zeros.
    (iii) 255.255.240.0

All are OK. I prefer (i). I do not recommend (iii) unless you are so fast with binary arithmetic that computing it takes no time. (Of course, everybody knows that 1111 = 15 and that 1111 1111 = 255, etc).

The network address is

    1000 0000 1110 1011 0000 0000 0000 0000

5b. Is 128.235.16.3 =

    1000 0000 1110 1011 0001 0000 0000 0011

in that network? Answer: NO. The first difference is in bit 19 (if you start counting at 0), that is just too early. To be in the network the first difference must be in bit 20 or later.

5c. Same, with 128.234.0.4. Answer: NO, now the first difference is in one of the bits 8 - 15, certainly among the first 20. (Actually it is bit 15, no need to spend time on that).

5d. Same, with 128.235.8.8. Answer: YES, first difference is past bit 19 (actually in bit 20).

5e. Same, with 128.235.15.255 =

    1000 0000 1110 1011 0000 1111 1111 1111

Answer: NO, this is the direct broadcast address of the subnet under consideration. It can occur in a packet (destination address only), but cannot be the address of an interface.

This question served to tell which students did the similar homework problem I assigned.
------

Problem 6 is worth 4 times 6 = 24 points.

6. One of the (sub-)networks directly connected to router R is 170.170.16.0/20. That network has an MTU of 4464 bytes. There are no complications with host-specific routes.

(i) Describe what Router R does when it receives (on a different interface than that to 170.170.16.0/20) the packet:

    VERS = 4, HLEN = 5, ToS = 0, TL = 1500
    Ident = 21845, Flags = 0, FragOffset = 0
    TTL = 31, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

(Do not worry about checksums). If a packet, or packets, are sent out by Router R, describe the packet or packets.
As long as it is CLEAR, a "differential description" is OK (e.g., "the same, only now VERS = 6"). BRIEFLY motivate your answer.

(ii) Same question, now the input packet is

    VERS = 4, HLEN = 5, ToS = 0, TL = 5376
    Ident = 21845, Flags = 0, FragOffset = 0
    TTL = 31, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

(iii) Same question, now the input packet is

    VERS = 4, HLEN = 5, ToS = 0, TL = 5376
    Ident = 21845, Flags = 2, FragOffset = 0
    TTL = 31, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

(iv) Same question, now the input packet is

    VERS = 4, HLEN = 5, ToS = 0, TL = 5376
    Ident = 21845, Flags = 0, FragOffset = 0
    TTL = 1, PROT = 17, CheckS = 0
    SourceAddr = 170.170.129.17
    DestAddr = 170.170.17.17

Model answer to problem 6:
------
Clearly, 170.170.17.17 is a legal address on 170.170.16.0/20. Therefore, assuming the address exists and there are no problems, the router will do a direct delivery, possibly after an ARP request to get the physical address. (If the packet had come in on the interface from 170.170.16.0/20 the router would also have to send a redirect. Not asked: don't say it).

(i) No problems. The router decreases the TTL from 31 to 30, recomputes the checksum (further no changes), and tries to deliver the packet by direct delivery.

(ii) The TL of the packet is larger than the MTU of the network, so fragmentation is indicated. Check the DF bit: 0, OK, fragmentation allowed. So fragmentation occurs.

First fragment: header of 20 bytes, so at most 4464 - 20 = 4444 bytes of data. But must be multiple of 8: 4440 = 555*8 bytes of data.

    Fragment 1: TL = 4440 + 20 = 4460. M = 1 (More), (flags = 001 = 1). Fr.Offset = 0. TTL = 30. (Checksum recomputed). Further unchanged.

5376 - 20 - 4440 = 916 bytes of data left. Fits easily in single second fragment.

    Fragment 2: TL = 916 + 20 = 936. M = 0 (More), (flags = 000 = 0). Fr.Offset = 555. TTL = 30. (Checksum recomputed). Further unchanged.

(iii) The TL of the packet is larger than the MTU of the network, so fragmentation is necessary. But fragmentation is forbidden (flags = 2 = 010, DF = 1). So: Drop the packet, send ICMP error message.

(iv) The TTL is one. The first thing the router does is reduce the TTL to zero, then it drops the packet and sends an ICMP error message.

Note 1: If a router fragments a packet, it does NOT set the DF bit: there might be later subnetworks with an even smaller MTU, so further fragmentation might be necessary.

Note 2: The Identifier is used (among other things) to recognize different fragments of the same packet. Not asked here, so do not say it!
------

Wise Lessons:

Give information only if asked or if it is necessary to make a point as part of an argument or reasoning.

Keep your response short and concise.

Most of the time you get credit for showing ``why'', not for making a lucky guess.

Make sure your reasoning indeed is a reasoning, not a couple of sentences without internal logic.
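
Added example (not part of the original exam or its model answers): the "first differing bit" reasoning from the model answer to problem 5, written as Python. The function names are chosen here for illustration; the network-address case is an extra check that the exam did not ask about.

```python
import ipaddress

def mask_dotted(prefix: int) -> str:
    """Dotted-decimal mask for a prefix length (answer form (iii) in 5a)."""
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))

def first_diff_bit(a: str, b: str):
    """Index of the first differing bit, counting from 0 at the left; None if equal."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return None if x == 0 else 32 - x.bit_length()

def can_be_interface(addr: str, net: str, prefix: int):
    """Return (answer, reason) for: can addr be an interface address on net/prefix?"""
    d = first_diff_bit(addr, net)
    if d is None:
        # Not asked in the exam: host part all zeros is the network address itself.
        return False, "host part all zeros: the network address"
    if d < prefix:
        return False, f"first difference in bit {d}, inside the first {prefix} bits"
    host_bits = 32 - prefix
    all_ones = (1 << host_bits) - 1
    if int(ipaddress.IPv4Address(addr)) & all_ones == all_ones:
        return False, "host part all ones: directed broadcast address"
    return True, f"first difference in bit {d}, past bit {prefix - 1}"

if __name__ == "__main__":
    print("mask:", mask_dotted(20))
    for a in ("128.235.16.3", "128.234.0.4", "128.235.8.8", "128.235.15.255"):
        ok, why = can_be_interface(a, "128.235.0.0", 20)
        print(f"{a:15} {'YES' if ok else 'NO':3} {why}")
```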
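
Added example (not part of the original exam or its model answers): the router's decision in problem 6 as Python, covering all four input packets and generalized to any number of fragments. The `Pkt` type and `forward` function are names made up for this sketch; it assumes a header without options (HLEN = 5) and ignores checksums, as the exam does.

```python
from typing import NamedTuple

DF, MF = 2, 1  # values of the 3-bit Flags field: 010 = Don't Fragment, 001 = More

class Pkt(NamedTuple):
    tl: int            # Total Length, bytes
    flags: int         # Flags field
    frag_offset: int   # Fragment Offset, units of 8 bytes
    ttl: int
    hlen: int = 5      # header length, 32-bit words (no options assumed)
    ident: int = 21845

def forward(pkt: Pkt, mtu: int):
    """Return (action, packets sent out) for a router forwarding pkt onto a link."""
    ttl = pkt.ttl - 1                      # TTL is decremented first
    if ttl <= 0:
        return "drop, send ICMP time exceeded", []
    if pkt.tl <= mtu:
        return "forward", [pkt._replace(ttl=ttl)]
    if pkt.flags & DF:
        return "drop, send ICMP fragmentation needed and DF set", []
    hdr = pkt.hlen * 4
    chunk = (mtu - hdr) // 8 * 8           # data per fragment: multiple of 8 bytes
    data = pkt.tl - hdr
    frags, sent = [], 0
    while sent < data:
        n = min(chunk, data - sent)
        last = sent + n == data
        # The last fragment keeps the input's MF bit (set if the input was itself
        # a non-final fragment); all earlier fragments get MF = 1. DF is never set.
        flags = (pkt.flags & MF) if last else MF
        frags.append(pkt._replace(tl=n + hdr, flags=flags, ttl=ttl,
                                  frag_offset=pkt.frag_offset + sent // 8))
        sent += n
    return "fragment", frags

if __name__ == "__main__":
    cases = {"(i)": Pkt(1500, 0, 0, 31), "(ii)": Pkt(5376, 0, 0, 31),
             "(iii)": Pkt(5376, 2, 0, 31), "(iv)": Pkt(5376, 0, 0, 1)}
    for name, p in cases.items():
        action, out = forward(p, 4464)
        print(name, action)
        for f in out:
            print("    ", f)
```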