Appendix A. Answers to Chapter Review Questions

Chapter 1

1 • IP is connectionless.

• IP provides end-to-end and any-to-any connectivity.

• IP performs everything in-band whereas legacy protocols tend to have separate control channel and data channel mechanisms.

2 Building and operating IP network infrastructures for converged services that meet carrier-class requirements must consider multiple, diverse services that have distinct bandwidth, jitter, and latency requirements. In addition, the interactions between these services must be considered as they may affect one another, along with the scale and security requirements.

3 Transit IP packets: Any IP packet that has a destination IP address that is not one considered to be owned by the forwarding device (e.g. router) itself.

Receive IP packets: Any IP packet that has a destination IP address that is owned by the forwarding device (e.g. router) itself (for example, interface IP, loopback, and so on).

Exception IP packets: Any transit IP packet that requires specialized handling for forwarding (for example, contains options in the IP header) and thus must be punted and handled in the slow path.

Non-IP packets: Any non-IP packet such as a Layer 2 keep alive or CLNS/IS-IS packet.

4 Process switching: Utilizes only the router CPU to directly process and forward packets.

Fast switching: Forwards packets in the CPU interrupt process by taking advantage of cache entries created during process switching of the first packet of each new flow.

CEF switching: Forwards packets using a pre-computed and very well-optimized version of the routing table.

5 True. Data plane traffic uses only standard forwarding processes and should never have destination IP addresses that belong to the router itself.

6 True. Control plane packets are generated by network protocols, signaling and link state protocols, and other control protocols used to build network services.

7 The management plane supports all required provisioning, maintenance, and monitoring functions for the network.

8 Services plane traffic requires specialized network-based processing to be applied when forwarding packets.

9 Centralized CPU-based router: Relies on a single CPU to perform forwarding, control plane operations, network management, and services delivery.

Centralized ASIC-based router: Similar to a centralized CPU-based router but also includes a forwarding ASIC to offload forwarding duties from the CPU to improve overall device performance, mainly for data plane traffic.

Distributed CPU-based router: Supports discrete line cards, each capable of performing the CPU-based processing and forwarding functions normally done by a single, centralized CPU.

Distributed ASIC-based router: Supports discrete line cards, but each line card has its own forwarding ASIC to offload forwarding duties from any CPU and operates independently from all other line cards.

Chapter 2

1 Layer 1—physical layer: Defines the conversion between digital data and electrical signals transmitted over a physical cable (or other communications channel).

Layer 2—data link layer: Provides reliable transit of data across a physical link. The data link layer is concerned with physical addressing, network topology, line discipline, error notification, ordered delivery of frames, and flow control. The IEEE divided this layer into two sublayers: the MAC sublayer and the LLC sublayer (sometimes simply called link layer).

Layer 3—network layer: Provides connectivity and path selection between two end systems. The network layer is the layer at which routing occurs.

Layer 4—transport layer: Is responsible for reliable network communication between end nodes. The transport layer provides mechanisms for the establishment, maintenance, and termination of virtual circuits, transport fault detection and recovery, and information flow control.

Layer 5—session layer: Establishes, manages, and terminates sessions between applications and manages the data exchange between presentation layer entities.

Layer 6—presentation layer: Ensures that information sent by the application layer of one system will be readable by the application layer of another system. The presentation layer also is concerned with the data structures used by programs and therefore negotiates data transfer syntax for the application layer.

Layer 7—application layer: Provides services to application processes (such as e-mail, file transfer, and terminal emulation) that are outside the OSI reference model. The application layer identifies and establishes the availability of intended communication partners (and the resources required to connect with them), synchronizes cooperating applications, and establishes an agreement on the procedures for error recovery and the control of data integrity.

Note

For more information on the OSI reference model, refer to Internetworking Terms and Acronyms on Cisco.com: http://www.cisco.com/en/US/tech/tk1330/tsd_technology_support_technical_reference_chapter09186a00807598b4.html#wp998586.

2 CAM table overflow and MAC spoofing attacks. Such attacks must be locally sourced because they rely on MAC address spoofing within data link layer headers, which are link local only and not routed across an IP network.

3 Traceroute. Traceroute operates by sending a UDP packet to the target destination with a Time to Live (TTL) of 1. The first-hop router then sends back an ICMP Time Exceeded (Message Type 11) message indicating that the packet could not be forwarded. The packet is then re-sent with the TTL value of 2 (incremented by 1), with the packet expiring at the second hop this time. This process continues until the target destination is reached. The target destination returns an ICMP Port Unreachable message in response to the UDP packet (which attempts to connect to an unopened port). By recording the source address of each ICMP Time Exceeded message, plus looking for the final ICMP Port Unreachable message, traceroute provides a trace of the path the packet took to reach the destination.

For more information, refer to RFC 2151.
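The TTL-stepping exchange described in the answer above, as an added simulation that is not part of the book: a probe crosses a constructed list of routers, each router decrements the TTL, the router that drives it to 0 answers ICMP Time Exceeded (Type 11), and the destination answers ICMP Port Unreachable (Type 3, Code 3) for the closed UDP port. The topology, addresses (RFC 5737 documentation ranges) and the `silent` set (a router that drops expired probes without replying, which is what produces the `* * *` hop in real traceroute output) are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Collection, List, Optional

# ICMP values named in the answer above.
ICMP_DEST_UNREACHABLE = 3
ICMP_CODE_PORT_UNREACHABLE = 3
ICMP_TIME_EXCEEDED = 11
TRACEROUTE_BASE_PORT = 33434   # classic UNIX traceroute starting UDP port


@dataclass
class Probe:
    src: str
    dst: str
    ttl: int
    dst_port: int


@dataclass
class IcmpReply:
    sender: str
    icmp_type: int
    icmp_code: int


def forward_probe(probe: Probe, path: List[str], silent: Collection[str]) -> Optional[IcmpReply]:
    """Simulate one UDP probe crossing the routers in `path` toward probe.dst.

    Each router decrements TTL; the one that drives it to 0 discards the probe and
    sends ICMP Time Exceeded (Type 11). A router listed in `silent` (assumption for
    the example) drops it without replying, the '* * *' hop real traceroutes show.
    If the probe survives every hop, the destination answers ICMP Port Unreachable
    (Type 3, Code 3) because the UDP port is not open.
    """
    ttl = probe.ttl
    for router in path:
        ttl -= 1
        if ttl == 0:
            if router in silent:
                return None
            return IcmpReply(router, ICMP_TIME_EXCEEDED, 0)
    return IcmpReply(probe.dst, ICMP_DEST_UNREACHABLE, ICMP_CODE_PORT_UNREACHABLE)


def traceroute(src: str, dst: str, path: List[str],
               silent: Collection[str] = frozenset(), max_hops: int = 30) -> List[str]:
    """Send probes with TTL 1, 2, 3, ... and record which address answered each one."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = forward_probe(Probe(src, dst, ttl, TRACEROUTE_BASE_PORT + ttl - 1), path, silent)
        if reply is None:
            hops.append("*")            # no reply before the per-probe timeout
            continue
        hops.append(reply.sender)
        if reply.icmp_type == ICMP_DEST_UNREACHABLE and reply.icmp_code == ICMP_CODE_PORT_UNREACHABLE:
            break                       # destination reached; stop probing
    return hops


# Constructed topology using RFC 5737 documentation addresses.
PATH = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
SRC = "198.51.100.10"
DST = "203.0.113.5"

if __name__ == "__main__":
    for i, hop in enumerate(traceroute(SRC, DST, PATH), start=1):
        print(i, hop)
    print("with a silent hop:", traceroute(SRC, DST, PATH, silent={"192.0.2.2"}))
```

The final entry in the returned list is the destination itself, identified only by the change in ICMP message type; every earlier entry is learned from the source address of a Time Exceeded message, which is why a hop that rate-limits or suppresses ICMP shows up as `*` rather than breaking the trace.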

4 Ping sweep. Ping sweep is a network-scanning technique used to find live (reachable) IP hosts within a specified IP address block. Because ping sweep is automated to send many ICMP Echo Requests (Message Type 8) as opposed to a single ping packet, it simplifies the discovery of potential attack targets.

5 A malformed packet is one that violates the TCP/IP protocol specifications—for example, using invalid header field lengths or values. Software implementations without adequate protocol integrity checks may be susceptible to malformed packet attacks. A crafted packet adheres to the TCP/IP protocol specification but is specifically constructed in a manner to exploit a weakness within a software implementation or protocol state machine.
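The "adequate protocol integrity checks" the answer above refers to, as an added example that is not from the book: a small IPv4 header validator that refuses to trust the IHL, total-length and checksum fields before using them, checked against constructed packets (RFC 5737 documentation addresses) that violate the header specification in the ways the answer lists. The builder, the validator and the sample packets are all assumptions made for this example.

```python
import socket
import struct
from typing import List


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    """Build a minimal (IHL=5, no options) IPv4 header with a correct checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20 bytes)
        0,                    # DSCP/ECN
        20 + payload_len,     # total length
        0x1234,               # identification (arbitrary)
        0,                    # flags / fragment offset
        64,                   # TTL
        protocol,
        0,                    # checksum placeholder, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def validate_ipv4_header(packet: bytes) -> List[str]:
    """Return every integrity violation found; an empty list means the header is well-formed.

    These are the checks a stack needs before it uses IHL or total length to index
    into the buffer; skipping them is what makes malformed packets dangerous.
    """
    problems = []
    if len(packet) < 20:
        return ["packet shorter than the 20-byte minimum IPv4 header"]
    version = packet[0] >> 4
    ihl = packet[0] & 0x0F
    header_len = ihl * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    if version != 4:
        problems.append("version field is %d, expected 4" % version)
    if ihl < 5:
        problems.append("IHL %d is below the minimum of 5 (20 bytes)" % ihl)
    if header_len > len(packet):
        problems.append("IHL claims %d header bytes but only %d were received" % (header_len, len(packet)))
    if total_length < header_len:
        problems.append("total length %d is smaller than the header length %d" % (total_length, header_len))
    if total_length > len(packet):
        problems.append("total length %d exceeds the %d bytes received" % (total_length, len(packet)))
    # Only verify the checksum over a header whose length claims are sane.
    if ihl >= 5 and header_len <= len(packet) and ipv4_checksum(packet[:header_len]) != 0:
        problems.append("header checksum does not verify")
    return problems


# Constructed sample packets.
PAYLOAD = b"\x00" * 8
VALID_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.1", 17, len(PAYLOAD)) + PAYLOAD
# Malformed: IHL of 3 claims a 12-byte header, shorter than the fixed fields.
BAD_IHL_PACKET = bytes([0x43]) + VALID_PACKET[1:]
# Malformed: total length (10) smaller than the header itself.
BAD_LENGTH_PACKET = VALID_PACKET[:2] + struct.pack("!H", 10) + VALID_PACKET[4:]
# Malformed: truncated in the middle of the header.
TRUNCATED_PACKET = VALID_PACKET[:12]

if __name__ == "__main__":
    for name, pkt in [("valid", VALID_PACKET), ("bad IHL", BAD_IHL_PACKET),
                      ("bad length", BAD_LENGTH_PACKET), ("truncated", TRUNCATED_PACKET)]:
        print(name, "->", validate_ipv4_header(pkt) or "ok")
```

A crafted packet in the answer's sense would pass every check here, which is the point of the distinction: header validation stops malformed input, while crafted input has to be handled by the protocol state machine and the rest of the implementation.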

6 Direct attack: An attack launched directly at the target, whereby the IP destination address equals the target. Such an attack requires IP reachability to the target.

Transit attack: An attack that does not specify the target router as the IP destination address, but rather uses crafted packets to trigger a DoS condition on an intermediate IP router in the forwarding path toward a specific destination. IP reachability is not required to the intermediate IP router. Only a valid downstream network address is required.

Reflection attack: An attack that spoofs the IP address of the target. In this way, a flood of protocol request messages to innocent IP hosts (or broadcast addresses) become reflectors. These reflectors simply respond to the spoofed request messages, flooding the unsuspecting target.

7 Collateral damage.

8 A virtual routing and forwarding instance (VRF).

9 IPsec.

10 • Hide identity and hinder traceback.

• Launch reflection attacks.

• Bypass ACLs or authentication policies.

Chapter 3

1 The depth component refers to multiple defense layers defined and applied against a single attack vector. For example, when protecting SNMP, two layers supporting the same attack vector could be interface ACLs to block all but configured management station peers from connecting to UDP port 161, and then adding SNMP application-layer ACLs to also block all but the same traffic.

2 Breadth refers to multiple defense layers defined and applied against different attack vectors for the same service. For example, when protecting BGP, one layer could use interface ACLs to block all but configured peers from connecting to TCP port 179, which mitigates spoofing attacks, and a second layer of BGP neighbor authentication with MD5 hashing could be used to mitigate fraudulent route updates.

3 False.

4 True.

5 A, B, D, and E.

6 True.

7 The enterprise edge security policy is typically described as “deny everything unless explicitly permitted,” whereas the SP edge security policy is typically described as “permit everything unless explicitly denied.”

8 False. TTL expiry reflection attacks are one example where transit traffic can impact internal interfaces.

9 True.

Chapter 4

1 Transit and classification ACLs.

2 Customer RFC 1998 routing policy may be inadvertently changed.

3 FPM provides the ability to match (and filter) on arbitrary bits within the packet as opposed to using predefined fields. Further, FPM can also match (and filter) on packet header and payload information.

4 Queuing.

5 Router Alert option.

6 At the network edge.

7 BGP and MQC (QoS).

8 Unicast RPF on the edge router(s) and the static route on the trigger router specify the attacker (source address) not the target (destination address).

9 Stateful: Firewall, IDS/IPS, traffic scrubbing.

Stateless: ACL, FPM, uRPF.

10 No-negotiate mode.

Chapter 5

1 ICMP Echo (Type 8) and Timestamp (Type 13) messages. For the complete list of ICMP message types, refer to http://www.iana.org/assignments/icmp-parameters. IOS does not process ICMP Source Quench (Type 4) messages and therefore is not vulnerable to attacks that are based on crafting this type of message.

2 SPD extended headroom is reserved for Layer 2 keepalives, CLNS, OSPF, and MPLS LDP protocol packets only.

3 False. IP rACLs apply only to ingress packets having a CEF receive adjacency.

4 True. Ingress packets punted to the IOS process level—regardless of whether they are data, control, management, or services plane protocol packets—are subject to CoPP policies. On the Cisco 12000 series, only packets punted to the central PRP are subject to CoPP policies. This includes all IOS process level packets except ICMP Echo (Type 8), ICMP Time Exceeded (Type 11), and BFD protocol packets, which are handled on the distributed line card CPUs unless they include IP option headers.

5 Reconfigure the new MD5 keys on both sides of the BGP peering session before the holddown timer expires.

6 When GTSM is enabled (with a hop-count value of 1), the receive-side peer only accepts eBGP packets having an IP TTL value of 254 or greater. When GTSM is not enabled, the receive-side peer accepts eBGP packets having an IP TTL value of 1 or greater.
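The receive-side check described in the answer above, as an added example that is not the book's or IOS's code: the lowest accepted TTL is 255 minus the configured hop count (254 for a hop count of 1, as stated), or 1 when GTSM is off, and the constructed scenarios show why this works. A sender several routers away cannot emit a TTL above 255, so after each router decrements it the packet arrives below the threshold, while a directly connected peer arrives with 255 intact. The scenario list, the hop counts and the helper names are assumptions made for the example; the last scenario also shows the practical caveat that a peer still sending the legacy eBGP TTL of 1 fails the check, so GTSM has to be configured on both sides of the session.

```python
from typing import Dict, Optional

MAX_TTL = 255


def min_accepted_ttl(gtsm_hops: Optional[int]) -> int:
    """Lowest TTL the receive side accepts on an eBGP packet.

    With GTSM configured for `gtsm_hops` hops, the TTL may have been decremented at
    most gtsm_hops times from 255 (hops=1 -> 254, matching the answer above).
    With GTSM off (None) the legacy behaviour accepts any TTL >= 1.
    """
    if gtsm_hops is None:
        return 1
    return MAX_TTL - gtsm_hops


def accept_ebgp_packet(received_ttl: int, gtsm_hops: Optional[int]) -> bool:
    """The receive-side decision: accept only if the TTL clears the threshold."""
    return received_ttl >= min_accepted_ttl(gtsm_hops)


def ttl_on_arrival(initial_ttl: int, routers_crossed: int) -> int:
    """TTL after each forwarding router decrements it once (0 means it expired in transit)."""
    return max(initial_ttl - routers_crossed, 0)


def evaluate(sender_initial_ttl: int, routers_crossed: int, gtsm_hops: Optional[int]) -> bool:
    """End to end: the sender emits a TTL, the packet crosses N routers, the receiver checks it."""
    return accept_ebgp_packet(ttl_on_arrival(sender_initial_ttl, routers_crossed), gtsm_hops)


# Constructed scenarios: (description, TTL the sender emits, routers crossed, GTSM hop count).
# A directly connected peer crosses 0 routers. A host six hops away can emit at most 255,
# so its packets arrive with 249 or less whatever TTL it chooses.
SCENARIOS = [
    ("directly connected peer, GTSM on both sides (sends TTL 255)", 255, 0, 1),
    ("host six hops away, receiver has GTSM hop-count 1", 255, 6, 1),
    ("host six hops away, receiver has GTSM off (TTL >= 1)", 255, 6, None),
    ("directly connected peer still sending legacy TTL 1 to a GTSM receiver", 1, 0, 1),
]


def run_scenarios() -> Dict[str, bool]:
    """Map each scenario description to whether the receiver accepts the packet."""
    return {name: evaluate(ttl, hops, gtsm) for name, ttl, hops, gtsm in SCENARIOS}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print("accept" if accepted else "reject", "-", name)
```

The threshold does not authenticate the peer (that is what MD5 authentication in the next answer is for); it only guarantees that whoever sent the packet was within the configured number of hops, which removes remote senders from the set of hosts able to reach the BGP process at all.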

7 • MD5 authentication.

• GTSM.

• IP prefix lists.

• IP prefix limits.

• AS path limits.

• Graceful restart.

• Disabled connected check for loopback-to-loopback directly connected eBGP peers.

8 DHCP snooping and port security.

9 DHCP snooping.

10 • BPDU Guard.

• Root Guard.

Chapter 6

1 Availability: An out-of-band network provides an alternate path to each network element if in-band management connectivity is lost. Alternatively, you may design the OOB management network as the primary management path and use the in-band management path as backup. DCN designs vary widely.

Day-to-day network operations: These include service provisioning, monitoring, billing, alarms, software upgrades, configuration backups, and so on.

2 CEF is disabled by default on management Ethernet interfaces, making the IOS router appear as an IP host to the (out-of-band) IP network connected to the management Ethernet interface.

3 Cisco strongly recommends against enabling CEF routing functions on this port to prevent IP reachability between the in-band and out-of-band networks. Otherwise, if an in-band network failure occurs, in-band data plane traffic may be inadvertently rerouted across the OOB management network. In this scenario, the OOB network no longer exclusively carries management plane traffic as intended.

4 Disable CDP on external interfaces only by using the no cdp enable command within IOS interface configuration mode.

5 MOTD, login, and incoming banners all apply to reverse Telnet sessions. The EXEC banner does not.

6 The same security techniques apply to both SNMPv1 and SNMPv2c, including community strings and community string ACLs. Neither provides means for encryption. SNMPv3 provides strong security by supporting sender identification, message modification checks, and message content encryption.

7 SSH provides encrypted remote terminal access, whereas native Telnet transmits protocol packets in clear text.

8 • The configured in-band interface(s) is dedicated for out-of-band management and, as a result, discards any ingress control, services, or data plane traffic received.

• All other in-band interfaces discard any ingress management plane protocol traffic received. This includes FTP, HTTP, HTTPS, SSH, SCP, SNMP, Telnet, BEEP, and TFTP protocol packets.

9 Identification, classification, and source traceback of security events.

10 Through its hub-and-spoke topology configuration, which allows connectivity only between managed CE routers and the SP NOC.

Chapter 7

1 The services plane refers to user traffic that requires specialized packet handling by network elements above and beyond the standard forwarding processing typically applied to data plane traffic.

2 Recoloring of ingress IP packets should be applied at the edge of the network. Recoloring is the process of changing the DiffServ marking within the IP header of each packet as it ingresses the network edge. For Cisco IOS routers, this would be accomplished by using MQC and interface service policies.

3 CE, PE, and P routers. The CE router does not require MPLS functionality and operates as a native IP router except in the case of the CsC model.

4 Such policies do not consider the associated VRF; hence, given MPLS VPN support for overlapping IP addressing, unauthorized traffic may be incorrectly permitted through a source address-based IP rACL and CoPP policy.

5 An MPLS VPN ingress PE imposes 8 bytes for unicast traffic and 24 bytes for multicast traffic, assuming no other MPLS services such as TE/FRR tunnels are applied.

6 The command is no mpls ip propagate-ttl forwarded and is applied in IOS global configuration mode.

7 RFC 4363 Section 10, option (a) is considered most secure given that it provides for resource management per VPN, similar to a PE router, which helps to mitigate the risk of label spoofing and collateral damage.

8 IKE performs two separate functions. The first, IKE Phase 1, provides VPN endpoint authentication, and establishes a bidirectional SA (control channel) by which IKE protects itself (encryption and hashing algorithms). It is through this control channel that IKE Phase 2 manages subsequent connections on behalf of IPsec. IKE Phase 2 negotiates how IPsec connections should be protected, and builds a set of SAs, one for each direction of the IPsec connection. IKE Phase 2 then manages these IPsec connections (negotiates setup, teardown, key refresh, and so on). The IKE protocol uses UDP as transport, defaulting to port 500.

9 IPsec supports the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols. ESP handles encryption of IP data at Layer 3 to provide data confidentiality. ESP also provides some authentication and integrity capabilities. AH provides authentication and integrity services used to verify that a packet has not been altered or tampered with during transmission.

10 Fragmentation may be prevented either by modifying each host's MSS configuration to limit the size of any packets sent by clients, or by configuring IP Path MTU Discovery on each router to allow IPsec to dynamically modify permitted packet sizes. Fragmentation effects may be minimized by configuring the clearing of the DF bit within the original IP packet header and at the same time enabling the Cisco unique IPsec look-ahead fragmentation feature.
