
Q-5.

(a) What are the issues with using a security system that utilizes a common preshared key? (3 marks)
Everyone has the same key.
As the number of users grows, the security risk grows.
One machine compromised or stolen, or one user giving the key away, exposes the key for everyone.
A large amount of information is potentially exposed to exploitation.




(b) Describe a method whereby two parties can share a secret over an unsecured
channel without those parties having prior knowledge of each other. (6 marks)

The system that initiates the HIP exchange is called the Initiator, and the peer is the
Responder. The Initiator and Responder establish a shared secret for their communication
using the Diffie-Hellman (D-H) key exchange, a protocol that makes it possible for
two parties that have no prior knowledge of each other to establish such a shared
secret:
1. The Initiator sends a packet containing its HIT (Host Identity Tag) to the Responder.
2. The Responder answers by sending a puzzle (a cryptographic challenge), D-H parameters,
a signature of part of the message using the HI (Host Identity), and the HI itself.
3. The Initiator verifies the signature, computes the answer to the puzzle, and sends the
latter along with its D-H parameter, a signature over part of the message using its
HI, and its HI to the Responder.
4. The Responder verifies the answer to the puzzle and sends a signed message back to
the Initiator. The Initiator verifies the signature.
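A minimal model of the exchange above, added here as an illustration and not taken from any HIP implementation. It keeps the D-H and puzzle parts (the HI signatures of messages 2 to 4 are left out), uses a demonstration-size prime rather than a standard group, and constructs the HITs from placeholder strings.

```python
import hashlib
import secrets

# Demonstration-size Diffie-Hellman group: p is the Mersenne prime 2^127 - 1.
# Real deployments use a standard large group (e.g. the RFC 3526 MODP groups).
P = (1 << 127) - 1
G = 5

def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    """Shared secret (g^y)^x mod p; the same value is reached on both sides."""
    return pow(peer_pub, priv, P)

def puzzle_ok(I, hit_i, hit_r, J, K):
    """HIP-style check: the K low-order bits of SHA-256(I | HIT_I | HIT_R | J) are zero."""
    h = int.from_bytes(hashlib.sha256(I + hit_i + hit_r + J).digest(), "big")
    return h & ((1 << K) - 1) == 0

def solve_puzzle(I, hit_i, hit_r, K):
    """Initiator's work: try random 8-byte J values until the puzzle check passes."""
    while True:
        J = secrets.token_bytes(8)
        if puzzle_ok(I, hit_i, hit_r, J, K):
            return J

def base_exchange(K=12):
    """Run I1/R1/I2/R2 and return (secrets_match, initiator_key, responder_key)."""
    # HITs are normally derived from the public Host Identities; constructed here.
    hit_i = hashlib.sha256(b"constructed initiator HI").digest()[:16]
    hit_r = hashlib.sha256(b"constructed responder HI").digest()[:16]
    # I1: Initiator -> Responder carries HIT_I; the Responder keeps no state yet.
    # R1: Responder -> Initiator: puzzle (I, K) and the Responder's D-H public value.
    I = secrets.token_bytes(8)
    r_priv, r_pub = dh_keypair()
    # I2: Initiator solves the puzzle and sends J plus its own D-H public value.
    J = solve_puzzle(I, hit_i, hit_r, K)
    i_priv, i_pub = dh_keypair()
    # R2: Responder checks the cheap puzzle before the costly exponentiation, so a
    # peer flooding it with I1/I2 messages must spend work before the Responder does.
    if not puzzle_ok(I, hit_i, hit_r, J, K):
        raise ValueError("puzzle solution rejected")
    k_responder = dh_shared(r_priv, i_pub)
    k_initiator = dh_shared(i_priv, r_pub)
    return k_initiator == k_responder, k_initiator, k_responder
```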


(c) A GSM network is an example of a network that only provides for one-way
authentication (the network authenticates the mobile user/node).
(i) What are the dangers of such an authentication system? (2 marks)
(ii) Give another example of a system that also only utilizes a one-way authentication
system. (2 marks)


(d) What is the purpose of the IEEE 802.1x framework? (4 marks)

802.1X and EAP
The IEEE 802.1X standard defines a framework for access control to a local-area network
by encapsulating Extensible Authentication Protocol (EAP) messages. Wireless security
standards such as WPA (Wi-Fi Protected Access) and WPA2 use 802.1X and EAP.
Figure 3-3 illustrates an 802.1X authentication. 802.1X defines three entities:
The supplicant is a piece of code that runs on the user device.
The authenticator is the device that gives the device network access; in Wi-Fi, this is
the access point.
The authentication server (typically a RADIUS server) verifies the user credentials in
some sort of user database and informs the authenticator of the outcome.



(e) One of the benefits of SCTP is that its initiation procedure mitigates a
SYN flooding attack.

(i) Describe how a SYN flooding attack works. (4 marks)

A SYN flooding attack occurs when an attacker generates false TCP setup messages
to a destination node. In TCP's three-way handshake mechanism, the receiver of the
initial message, termed a SYN, is required to save state information and allocate resources,
such as memory, for a Transmission Control Block (TCB), prior to sending a response,
termed a SYN-ACK. Because the attacker has no capability to establish a session, it does
not respond to this SYN-ACK message, and eventually the receiver will remove the
associated TCB. However, if the attacker sends SYN messages at a rapid enough rate, the
TCP server can consume all available resources responding to these false TCP setup
messages. In such an overload scenario, the TCP server is unable to process legitimate TCP
requests.

(ii) How does the SCTP association initiation procedure protect against a SYN
attack? (4 marks)
While TCP relies on a three-way handshake for session setup, SCTP uses a four-message
sequence to build an association. By using a four-way handshake, SCTP avoids the common
denial of service (DoS) attack known as SYN flooding.
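A model of the cookie mechanism behind that four-way handshake, added here as an illustration and not taken from any SCTP stack: the INIT-ACK carries an HMAC-protected State Cookie instead of a server-side TCB, and the TCB is created only when a valid COOKIE-ECHO comes back. The message and field names are simplified; the flood helper and addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import struct

COOKIE_LEN = 20 + 32   # packed state + HMAC-SHA256 tag

class SctpListener:
    """Server side of the SCTP four-way handshake with a stateless State Cookie."""
    def __init__(self, cookie_life=60):
        self.secret = os.urandom(32)    # a real stack rotates this key periodically
        self.cookie_life = cookie_life  # seconds a cookie stays valid
        self.tcbs = {}                  # association state, created only on COOKIE-ECHO

    def on_init(self, peer, peer_tag, now):
        """INIT -> INIT-ACK. Nothing is stored: the would-be TCB travels in the cookie."""
        my_tag = struct.unpack(">I", os.urandom(4))[0]
        state = struct.pack(">4sIIQ", socket.inet_aton(peer), peer_tag, my_tag, now)
        mac = hmac.new(self.secret, state, hashlib.sha256).digest()
        return my_tag, state + mac

    def on_cookie_echo(self, peer, cookie, now):
        """COOKIE-ECHO -> COOKIE-ACK. Only a valid, fresh cookie creates a TCB."""
        if len(cookie) != COOKIE_LEN:
            return False
        state, mac = cookie[:20], cookie[20:]
        expected = hmac.new(self.secret, state, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False   # forged or tampered cookie
        addr, peer_tag, my_tag, issued = struct.unpack(">4sIIQ", state)
        if addr != socket.inet_aton(peer) or now - issued > self.cookie_life:
            return False   # replayed from another address, or expired
        self.tcbs[(peer, peer_tag)] = {"my_tag": my_tag, "peer_tag": peer_tag}
        return True

def init_flood(listener, count):
    """INITs that never complete step 3 leave no state; return the TCB count afterwards."""
    for i in range(count):
        listener.on_init(f"10.0.0.{i % 250 + 1}", i, 0)
    return len(listener.tcbs)
```

Contrast with the TCP description above: there the server allocates a TCB on the first message, here the server's memory use stays flat until the peer proves it can receive at its claimed address.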



Q-2. (a) Describe the challenges of providing seamless mobility as opposed to
nomadic mobility in data networks. (6 marks)
Mobile Internet access that does not require session persistence is also called nomadic or
roaming access. Rather than focusing on session persistence, nomadic access focuses on
seamless access to different networks. That is, the user doesn't have to go through
administrative or reconfiguration hassles to get connected when arriving at a new location,
but sessions will not necessarily stay up.

There is a certain degree of mobility in the Internet today. A subscriber to a major ISP such
as AOL or Earthlink can move from one city to another and essentially have connectivity and
the same set of services available everywhere. This is generally referred to as "nomadicity."
With nomadic mobility, users have to shut down an application or a session and restart it
when they connect at the new point of attachment. For many users of the current Internet
this type of mobility is sufficient, but wireless data networks bring the potential for an
enhanced mobility experience. Nomadic mobility is also referred to as "roaming."
Seamless mobility is achieved when the session continuity is maintained even as the mobile
device changes its point of attachment or interface type. So a mobile node could be moving
from a fixed Ethernet 802.3 connection or interface to an IEEE 802.11 wireless LAN (WLAN)
interface and further on into a wide-area cellular interface such as GPRS/W-CDMA/cdma2000.
An excellent example of everyday seamless connectivity is in cellular
networks that support voice on a device traveling at vehicular speeds of up to 75 mph.



(b) Describe four different approaches for maintaining session persistence in
mobile networks. (12 marks)

Accept that application sessions are bound to a transport session:
Easy approach.
Application sessions are dropped when the point of attachment changes.
OK for a lot of applications: email, some web browsing.
Mobile Internet access that does not require persistence is called nomadic or roaming access.

Introduce an application layer session persistence mechanism that is not bound to the
transport layer session:
Cookies.
Using a domain name instead of an IP address for the host at the application layer.
Need to update DNS when the host moves to a new network.

Redesign the TCP/IP protocol stack to achieve separation of locators and
endpoint identifiers:
A more fundamental approach is to redesign the TCP/IP protocol stack to achieve
separation of locators and identifiers; that is, to have different entities describing the
location of a node and the node itself, instead of having the IP address being
involved in both roles.




(c) A current network design paradigm can be summed up in the phrase "everything
over IP". Discuss the advantages and disadvantages of an all-IP approach. (5 marks)

The pivot point of TCP/IP-based communications is the Internet Protocol (IP), which is
used to transport packets from source to destination.
IP shields the underlying network technology from the applications that run on the
network. In other words, when a new data-link transport technology is developed,
ensuring that IP runs on top of it will allow all existing applications to be used.
Furthermore, when an application developer makes sure that his or her application
uses IP packets for communication between nodes, it will automatically work on all
IP networks.
This abstraction layer that IP provides between the transport layer and the
applications is perhaps the single most important reason why the Internet has
become so dominant.



(d) What application of mobile networks is the driving force behind the ever greater
need for higher data rates?



Q-4. (a) Describe how Mobile IP allows for TCP session persistence. (4 marks)

The goal of IP Mobility is to maintain the TCP connection between a mobile host and a static host
while reducing the effects of location changes while the mobile host is moving around, without having
to change the underlying TCP/IP protocol. To solve the problem, the RFC allows for a kind of proxy
agent to act as a middle-man between a mobile host and a correspondent host.
A mobile node has two addresses - a permanent home address and a care-of address (CoA), which
is associated with the network the mobile node is visiting. Two kinds of entities comprise a Mobile IP
implementation:
A home agent (HA) stores information about mobile nodes whose permanent home address is in
the home agent's network. The HA acts as a router on the MH's home network: it tunnels
datagrams for delivery to the MH when it is away from home and maintains a location directory (LD)
for the MH.
A foreign agent (FA) stores information about mobile nodes visiting its network. Foreign agents
also advertise care-of addresses, which are used by Mobile IP. If there is no foreign agent in the
host network, the mobile device has to take care of getting an address and advertising that
address by its own means. The FA acts as a router on the MH's visited network which provides
routing services to the MH while registered. The FA detunnels and delivers datagrams to the MH that
were tunnelled by the MH's HA.
The so-called care-of address is the termination point of a tunnel toward an MH, for datagrams
forwarded to the MH while it is away from home. There are two kinds:
Foreign agent care-of address: the address of the foreign agent that the MH registers with.
Co-located care-of address: an externally obtained local address that the MH acquires itself.
A mobile node (MN) is responsible for discovering whether it is connected to its home network or has
moved to a foreign network. HAs and FAs broadcast their presence on each network to which they
are attached, so the MN is not solely responsible for discovery; the agents play a part. RFC 2002 specifies
that the MN uses agent discovery to locate these entities. When connected to a foreign network, an MN has
to determine the foreign agent care-of address being offered by each foreign agent on the network.
A node wanting to communicate with the mobile node uses the permanent home address of the
mobile node as the destination address to send packets to. Because the home address logically
belongs to the network associated with the home agent, normal IP routing mechanisms forward these
packets to the home agent. Instead of forwarding these packets to a destination that is physically in
the same network as the home agent, the home agent redirects these packets towards the remote
address through an IP tunnel by encapsulating the datagram with a new IP header using the care-of
address of the mobile node.
When acting as transmitter, a mobile node sends packets directly to the other communicating node,
without sending the packets through the home agent, using its permanent home address as the
source address for the IP packets. This is known as triangular routing or "route optimization" (RO)
mode. If needed, the foreign agent could employ reverse tunneling by tunneling the mobile node's
packets to the home agent, which in turn forwards them to the communicating node. This is needed in
networks whose gateway routers check that the source IP address of the mobile host belongs to their
subnet or discard the packet otherwise. In Mobile IPv6 (MIPv6), "reverse tunneling" is the default
behaviour, with RO being an optional behaviour.
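An added illustration of the HA-to-FA tunnelling described above, written for this page and not taken from any Mobile IP implementation: IP-in-IP encapsulation (protocol number 4) of a packet from CN to the MN's home address, using the HA, care-of and home addresses of figure 4-e in part (b) as sample values. The CN address is a constructed placeholder from the documentation range, and the inner payload is a stand-in for a TCP segment.

```python
import socket
import struct

PROTO_IPIP = 4   # IP-in-IP encapsulation, the tunnel mode used by Mobile IPv4
PROTO_TCP = 6

def checksum(data):
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack(f">{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack(">H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); reject a header whose checksum fails."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total, proto = struct.unpack(">H", pkt[2:4])[0], pkt[9]
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), proto, pkt[ihl:total]

def home_agent_tunnel(inner_pkt, ha_addr, coa):
    """HA wraps the CN -> home-address packet in a new header addressed to the CoA."""
    return ipv4_header(ha_addr, coa, PROTO_IPIP, len(inner_pkt)) + inner_pkt

def foreign_agent_detunnel(outer_pkt, coa):
    """FA strips the outer header and hands the original packet to the MN."""
    _, dst, proto, inner = parse_ipv4(outer_pkt)
    if dst != coa or proto != PROTO_IPIP:
        raise ValueError("not a tunnel packet for this FA")
    return inner

def headers_in_transit(pkt):
    """List the (src, dst) pair of every IP header, outermost first."""
    out = []
    while True:
        src, dst, proto, payload = parse_ipv4(pkt)
        out.append((src, dst))
        if proto != PROTO_IPIP:
            return out
        pkt = payload

# Constructed sample: CN is a placeholder; the other addresses come from figure 4-e.
CN, HA, MN_HOME, COA = "203.0.113.10", "147.65.21.6", "147.65.21.31", "92.42.91.100"
inner = ipv4_header(CN, MN_HOME, PROTO_TCP, 4) + b"data"
outer = home_agent_tunnel(inner, HA, COA)
```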




(b) In figure 4-e, MN supports Mobile IPv4. When it roams to a foreign network
it is assigned the care-of-address 92.42.91.100 by FA. MNs home address is
147.65.21.31 and its Home Agent is HA with IP address of 147.65.21.6.
(i) In this scenario how many IP packet headers will be present in a packet
sourced from CN as the packet transits from HA to FA? (1 mark)
(ii) Based on your answer to part 4(b)i, give the source and destination addresses
for each packet header. (2 marks)
(iii) If reverse-tunnelling is not implemented, describe the manner in which
packets will be forwarded from MN to CN. (2 marks)
(iv) What issue can result from not using reverse-tunnelling? (3 marks)

If reverse tunnelling is not used, the source address of a packet sent by the MN will be the
MN's home address

(v) If reverse-tunnelling is used, give the source and destination address of all
IP packet headers in a packet sourced from MN destined for CN as the
packet transits from FA to HA. (2 marks)

(c) Why does Mobile IPv6 (MIPv6) not require a foreign agent? (2 marks)

Neighbour Discovery and Address Auto-configuration features enable mobile nodes to function in
any location without the services of any special router in that location.

(d) In relation to MIPv6, what is optimized routing and what IPv6 features does it
utilize? (6 marks)

In route optimization mode the MN uses its CoA as the source address.
Using the CoA alone would break the TCP session.
The Destination Options header allows the inclusion of the home address.
The layer above (TCP) sees the home address, not the CoA, so the session is not broken.
Both ends must support MIPv6.


(e) One way to connect to the IPv6 Internet, when your ISP only supports IPv4, is
to use an IPv6 tunnel broker. In this scenario why are IPv6 packets tunnelled in
UDP rather than directly in IPv4? (3 marks)

To traverse NAT, most of the solutions for IPv4 applications are based on UDP
encapsulation of the IP packet. The same technique is used for IPv6 tunnelling
over IPv4 when NATs are present in the path, since the node behind the NAT cannot be
reached by the other party. One solution is to move up in the networking stack by
encapsulating IPv6 packets in UDP transport in IPv4 packets. IP is connectionless,
as is UDP, which makes UDP a better candidate for transport encapsulation than TCP.


A TCP connection is characterized by the IP addresses of both hosts involved in the
communication as well as the port numbers at both the source and destination.
Because a TCP connection is identified by an IP address and port number pair, a
host can communicate with multiple other hosts using the same port, as long as the
combination of IP address and port number is unique.
TCP packets (called segments) are much more complex than UDP packets. They
contain not only source and destination ports but also a sequence number (to
indicate the relative position in the data stream), an acknowledgment number (to
indicate the number of the next packet the sender expects), and so on. Figure 2-11
shows the structure of a TCP packet.
