
Q&A—The IETF and RFCs, How does it work?

By J.D. Fulp, Senior Lecturer, Naval Postgraduate School


Discussion:

The worlds of networking and network security are in a continuous state of evolution. Getting up
to speed on the existing technology, then keeping up as it evolves, is a daunting task. If you haven’t
figured it out already, you soon will see that once the underlying principles are understood, the bulk
of your effort will be directed at understanding the details of a particular protocol in a particular
application.

You may at some point in your thesis work, and/or future careers, need
to get answers regarding the behavior of one or more protocols (or
systems). Though textbooks and various online resources (Google, Wikipedia) may provide the
answers you seek, every IT professional should be familiar with the RFC (Request For Comments)
system that is at the heart of the Internet’s protocol world. RFCs provide the IT practitioner with a
one-stop resource for investigating the root source of (non-proprietary) protocol information. This can
be a handy tool when the data from other sources conflict or otherwise do not paint a clear picture.

In this Q&A you will visit the IETF web site, and poke around a bit… answering a few questions I’ve
posed along the way. Doing so should get you familiarized with the RFC system and instill confidence
in the information that can be obtained from it.

No answers are provided; however I do point you directly to the section/location where the answer is
found. You may collaborate with others in the class to confirm your answers. If you remain uncertain
of any answers you may ask me, but I would only expect that you have a few answers of which you are
uncertain; so please limit your questions to me to no more than 5 or so. I do not (and will not) provide
a complete solution set as it would inevitably end up posted somewhere, and hence defeat the
purpose/intent of actively looking through the IETF resources to find the answers.

Many of the items asked about below will also come up in lecture topics/discussion.

IETF/RFC Web Resource Summary:

http://www.ietf.org/  Home page for the Internet Engineering Task Force. Pretty much the “top of
the tree” with respect to this subject matter… just remember “ietf.org”, everything else can be reached
off of it.

http://www.ietf.org/rfc.html Link off of above that allows you to directly access an RFC if you know
its number

http://www.rfc-editor.org/ Another link off of the ietf.org link above. This is THE definitive
repository for all RFCs. You can do searches using words you expect will be in the RFC’s title.

Begin Questions:

Let’s start at the “top”, by going to www.ietf.org and accessing some overview information. Lots of
the “stuff” (protocols, equipment, etc.) that you and I use… and will use in the future, originate in the
collective “think-tank” that is the IETF.
<Questions 1 and 2 have been removed>

Near the top left of the IETF home page, click on the About the IETF link and read the new page.

Q3. What does each of these stand for?

ISOC: __________________________________________

IESG: ___________________________________________

IAB: ____________________________________________

Q4. What “organization” did the ISOC charter as the central coordinator for the assignment of unique
parameter values for Internet protocols?

Ans: _____________________________________________

A must read for anyone who wants some insight into the whole Internet, IETF, RFC, and general
networking community is The Tao of the IETF. You should find a link to this resource in the last
paragraph of the About the IETF page you’re currently on. Go to this resource and—at a minimum—read
the sections referenced by each question below so that you can answer the questions.

Q5. (from Sect. 2) Is the IETF a formal corporation with a board of directors, --or-- a loosely self-
organized group of volunteers? Ans: _______

Q6. (from Sect. 2) The IETF ( is / is not ) a traditional standards organization, although (all / many)
specifications that are produced become standards.

Q7. (from Sect. 2) Who said the following, which embodies one of the “founding beliefs” of the IETF:
"We reject kings, presidents and voting. We believe in rough consensus and running code".
Ans: ____________

Q8. (from Sect. 2) ( T / F ) The IETF “runs the Internet.”

Q9. (from Sect. 2.2.4) What organization is the “core registrar” for the IETF’s activities, and also the
“keeper of the root” of the domain name system? Ans:_______

Q10. (from Sect. 2.2.4) Which organization “oversees” IANA’s domain name and IP address
assignment functions? Ans: ________

Q11. (from Sect. 2.2.5) RFCs don’t get “revised”, instead they get _____________?
(Hint: it starts with an ‘o’)

Read Sect. 3.12.4. This is a short paragraph regarding research and may be of interest in your thesis
work or follow-on work elsewhere. This section mentions the IRTF.

Go to http://irtf.org (this link also sits at the bottom of the ietf.org home page) and just read the short
mission statement at the top of the page, then go to the bottom of the page to the section addressing
research groups.
Q12. IRTF stands for __________________________ and there are currently _____ (#) research
groups chartered.

Q13. (from Sect. 5) What does BOF stand for? _____________________ . In general, BOF meetings
are held in order to form (or decide to form) a __________________________.

Q14. (from Sect. 6.1) There are ____ kinds of RFCs, but only ____ are standards within the IETF.

Q15. (from Sect. 6.1) BCP stands for ________________________________.

Q16. (from Sect. 6.1) “The _____ (3-letter abbreviation) RFC sub-series was created to identify RFCs
that do in fact specify Internet standards.”

Q17. (from Sect. 6.4.4) According to this section, BCP____ (#) would be an excellent reading
reference for anyone looking for a relatively short (~42 pages) overview/review to augment a course in
network security.

Q18. (from Sect. 8.1) Name 4 (other) large standards bodies with which the IETF has some liaisons:

1. (Hint: ___-T): _____________________________________________________

2. (Hint: __3__): _____________________________________________________


Note that this acronym is explained in Appendix A.4 of the Tao; see also w3.org.

3. (Hint: Uni______) : _________________________________________

4. (Hint: __S__/__E__): ___________________________________________

Note that the World Wide Web Consortium (W3C) is basically to Web-specific initiatives, what the
IETF (among others) is to the Internet.

Assume you are doing some forensic research on some “captured” IP packets. Specifically, a law
enforcement agency has asked you if there is any way to determine if any of the packets they have
captured are fragments of a single original packet. You remember that the IP protocol provides a
mechanism for fragmenting packets, but you do not remember how the destination host will know
which fragments belong to which original packet so that it can be re-constructed (i.e., de-fragmented).
If you can find the answer to this query, you will be able to answer the question posed by the law
enforcement agency. Assume you know that the RFC covering the IP protocol is RFC791.
Go to rfc-editor.org and click on the RFC Search link, then enter 791 into the search window, then
continue clicking as necessary until you are looking at RFC 791. Find the section that covers Function
Description (Sect. 2.3) and then scroll to that page (7). Note that the RFC page numbers are found at
the bottom of each page.
Q19. After reading a few paragraphs in this section, you learn (near middle of page 8) that it is the
_________ field of the IP header that provides the common link among packet fragments. (Hint: “… to
ensure fragments of different datagrams are not mixed”)
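The following is an added example, not code from RFC 791 or from this handout, of how the forensic check above is actually performed on bytes. RFC 791 (Sect. 2.3, p.8) reassembles using four fields together: the Identification field plus source, destination and protocol, since an Identification value alone is not unique across hosts. The packets, addresses and payloads built in demo() are constructed for illustration, not captured traffic.

```python
"""Correlate IPv4 fragments the way RFC 791 section 2.3 describes and reassemble them.
Added example (not from RFC 791 or the handout); the packets built in demo() are
constructed for illustration, not captured traffic."""
import struct
from collections import defaultdict


def checksum(data):
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ident, payload, offset=0, more=False, proto=17, ttl=64):
    """Build a 20-byte-header IPv4 packet. offset is in octets and must be a multiple of 8,
    because the 13-bit Fragment Offset field counts 8-octet units."""
    assert offset % 8 == 0, "fragments are cut on 8-octet boundaries"
    flags_frag = ((1 if more else 0) << 13) | (offset // 8)        # bit 13 = MF flag
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    """Pull out the fields needed to correlate fragments, plus the payload."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                                      # header length incl. options
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "id": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def group_fragments(packets):
    """Bucket packets by the four fields RFC 791 uses for reassembly: identification,
    source, destination and protocol. Identification alone is not unique across hosts,
    so the full 4-tuple is the forensic key."""
    groups = defaultdict(list)
    for pkt in packets:
        f = parse_ipv4(pkt)
        groups[(f["src"], f["dst"], f["proto"], f["id"])].append(f)
    return groups


def reassemble(frags):
    """Reassemble one group. Returns None while a hole remains or the final fragment
    (MF clear) has not been seen. Overlapping fragments are rejected outright: a
    well-behaved sender never produces them, and overlap is the basis of classic
    IDS-evasion tricks."""
    buf, expected = bytearray(), 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] != expected:
            return None
        buf += f["payload"]
        expected += len(f["payload"])
        if not f["mf"]:
            return bytes(buf)
    return None


def demo():
    """Two datagrams between the same hosts, one fragmented, interleaved on the wire."""
    data = bytes(range(24))
    a1 = build_ipv4("10.0.0.1", "10.0.0.2", 0x1234, data[:16], offset=0, more=True)
    a2 = build_ipv4("10.0.0.1", "10.0.0.2", 0x1234, data[16:], offset=16)
    b = build_ipv4("10.0.0.1", "10.0.0.2", 0x1235, b"hello")
    return {key: reassemble(frags) for key, frags in group_fragments([a1, b, a2]).items()}


if __name__ == "__main__":
    for key, datagram in demo().items():
        print(key, datagram)
```

In a real capture you would feed group_fragments() the IP layer of every packet and look for keys with more than one member; a key whose reassemble() stays None is a datagram with missing fragments, and a group that fails because of overlap deserves a closer look rather than a silent drop.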
Assume you’re beginning your thesis research and you do not know either the title or the number of an
RFC covering a particular protocol you are interested in; in fact you’re not even sure an RFC covers
the subject you’re interested in. In this case you might have some luck by browsing (or string
searching) the complete index of RFCs and looking for a title description that looks like a match.
Go back to rfc-editor.org and click on the RFC DATABASE. About half-way down the page you will
find a link to RFC index (latest first or earliest first order). Okay… now you know where to find the
complete list of RFCs (not all of which are standards; see Q14).
(Helpful hint: Use “Ctrl-F” when viewing a web page to get a quick “Find” window)
You are trying to get some details on the PPP protocol. From a somewhat dated text you learn that
RFC1331 discusses PPP. Using the RFC Index, scroll down to RFC1331 (or… use Ctrl-F to find it
along the left of the page).
Q20. Is this RFC the current RFC for PPP? ( YES / NO )

Q21. Which RFC replaced (obsoleted) RFC 1331 for PPP? RFC _____

Q22. Which is the most current (i.e., not obsoleted) RFC for PPP? RFC_____ (Hint: it is not RFC1548,
so look to see which RFC obsoleted RFC1548, then see if any RFC has obsoleted THAT RFC or not.)

Q23. In order to be thorough in your PPP research, you should also read RFC ______ which updates
the most recent PPP RFC. (For a self-check, the partial answer is RFC 2##3)
Q24. Take a look at RFC1180. What’s the title? ________________________
A very good review for someone who is “rusty” on the TCP/IP network protocol stack.
Q25. And finally, take a look at RFC2196. What’s the title? _________________________________
Future Security Managers (IAOs, IAMs, CSOs, etc.) may find this to be a nice overview.

Assume you are overseeing the setup of an isolated internet (note lower case ‘i’ vice upper case ‘I’ for
THE Internet) in support of an operation. You suggest the use of private IPs. Your network
administrator is relatively new and does not know what these addresses are, and quite frankly, you’ve
forgotten their actual addresses as well. Where do you get the answer? It is not likely that you
remembered the RFC number for this topic, so you need an RFC site that supports subject matter
search capability.

Go to http://www.rfc-editor.org/ and click on the RFC SEARCH link near the top of the page. In the
search window type a likely search string like “private ip” then click SEARCH. This should return a
few good candidates that you can further filter by reading the titles.

Q26. Which RFC do you reference to learn more about Address Allocation for Private Internets?
RFC ______

Go to page 4 of RFC 1918 (this is the answer to Q26) (recall that the pages are numbered at the
bottom).
Q27. What is the range of “class A” private IP addresses? _______________________
Q28. What is the mask in bit-count notation for the “class B” private IP space ? / ____

Q29. Do you see the relationship between the /12 mask, and the range 172.16.0.0--172.31.255.255?
If you do not... then convert both 16 and 31 (range of values in the 2nd octet) into an 8-bit binary
number, then look where the /12 network-host boundary occurs. Do you see the relationship now?
If not, hang on as you will learn/review more about subnetting in a later Q&A.
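As an added example, not from RFC 1918 or this handout, the bit arithmetic behind Q27–Q29 carried out in code: the mask is built from the prefix length, the block’s first and last addresses are obtained by clearing and then setting the host bits, and the same test a border router makes when it filters RFC 1918 space is applied to a few constructed addresses. The addresses in the __main__ section are constructed for illustration.

```python
"""Derive the address range implied by a CIDR prefix with plain bit arithmetic and
classify addresses against the three RFC 1918 blocks. Added example, not from
RFC 1918 or the handout."""

RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(ip):
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(bits):
    """/bits -> mask with the top `bits` bits set, e.g. /12 -> 255.240.0.0."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


def cidr_range(cidr):
    """(first, last) address of a block: clear the host bits, then set them all."""
    net, bits = cidr.split("/")
    mask = prefix_to_mask(int(bits))
    base = ip_to_int(net) & mask
    return int_to_ip(base), int_to_ip(base | (~mask & 0xFFFFFFFF))


def is_private(ip):
    """True if ip falls inside one of the RFC 1918 blocks (the test a border filter makes)."""
    n = ip_to_int(ip)
    for block in RFC1918_BLOCKS:
        net, bits = block.split("/")
        mask = prefix_to_mask(int(bits))
        if (n & mask) == (ip_to_int(net) & mask):
            return True
    return False


def second_octet_bits(cidr):
    """The Q29 picture: binary of the second octet at both ends of the block.
    For /12 the network/host boundary sits 4 bits into that octet."""
    first, last = cidr_range(cidr)
    return (format(int(first.split(".")[1]), "08b"), format(int(last.split(".")[1]), "08b"))


if __name__ == "__main__":
    for block in RFC1918_BLOCKS:
        print(block, cidr_range(block), second_octet_bits(block))
    for addr in ("172.31.4.2", "172.32.0.1", "10.1.2.3", "192.168.1.1", "8.8.8.8"):   # constructed
        print(addr, "private" if is_private(addr) else "public")
```

Note that 172.32.0.1 is public even though it “looks” like the 172.16/12 block: the 4 network bits in the second octet are 0001 for 16–31 but 0010 for 32, which is exactly the boundary the /12 draws.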
Go back to ietf.org , scroll to the bottom of the page and click on the link for the IANA.

Let’s say you are wondering if there is a multicast (class D) address registered to the Dow Jones. Click
on IP Addresses & AS Numbers (near middle of screen) then scroll down to and click on Internet
Protocol v4 Multicast Address Assignments. Type Ctrl-F then enter “Dow Jones” (without the
quotation marks).

Q30. What multicast address range is registered to the Dow Jones? _______________
(Note: When trying to denote a “range” of addresses, you may want to adopt the * wildcard
convention. Example: 1.2.3.0-1.2.3.255 is simplified to 1.2.3.*)

Now click the Back button on your browser once to return to http://www.iana.org/numbers/ . Read the
first four paragraphs on this page.

Q31. IPv4 addresses are expressed in dotted-decimal format; how are IPv6 addresses expressed?
Ans: ___________________

An interesting question: “Where does one obtain an IP address?” From paragraphs 3 & 4 you know
that the IANA is the ultimate “custodian” of the IP space, and that they allocate “pieces” of it.

Q32. Though the “end user” will likely obtain an IP (or range of them) from an ISP; from whom does
the ISP obtain IP addresses? Ans: _____, or _____, or _____ (all 3-letter acronyms)

Now click on the ARIN (American Registry for Internet Numbers) link found just to the right of the
little global map.

Let’s say a packet arrived on your network with a source IP address of 201.162.57.10, and you would
like to find out which registry “owns” this IP address? Find out by typing this address into the
SEARCH Whois search box found at the top right of the ARIN page.

Q33. According to the results, what “region” of the world has this IP address been allocated to?
_________________________________ . (Hint: LACNIC)

Note, we ran the Whois query from the ARIN (American Registry for Internet Numbers), but just
learned that this IP address comes from a “chunk” of IP space allocated to Latin America and the
Caribbean, and hence under the control of LACNIC.

Let’s now go to LACNIC (lacnic.net) and enter that same IP address (201.162.57.10) into the
LACNIC Whois search box. Now we see that this IP belongs to a range of IPs (201.162.0.0/18)
controlled by a cablevision company.

Q34. In what country is this cablevision company—and hence source IP address—from?


Ans: _______________ (Hint: Country code “MX”)

Let’s explore IANA a bit more. Go to the IANA’s Popular and Important Links page, then click on the
DNS Root Zone – Hints File link. We will discuss this later in the Section 1 course material, but for
now just note that you are basically looking at the “bootstrap” information that would need to be
“uploaded” into any non-root DNS server. That is… every non-root DNS server should know the IP
addresses of all of the root servers in order for the whole system to work seamlessly across all of
cyber-space.
Q35. From this link you see that there are ______ (#) roots, and they are “named” ___ (letter) through
___ (letter). Note: I asked for the number of “roots”, not the number of “root servers”. There are
many more than 13 root servers so that the information in each of the 13 roots can be replicated in
multiple locations for both speed and redundancy/security.

Go back to the IANA’s Popular and Important Links page, then click on the IPv4 Address Space link.
This gives you the big picture regarding the allocation of IP addresses worldwide! If you look at the
CIDR (Classless Inter-Domain Routing) annotation in the Prefix column, you will see /8 for all
allocations. Basically, this tells you that the IANA doles out class-A-sized chunks of the available IP
space to the various LIRs, NIRs, RIRs, agencies and organizations.

Go back to the IANA’s Popular and Important Links page, then click on the Port Numbers, and read
the first couple of sentences at the top of the page. For lecture review answer these questions:

Q36. Ports 0 through 1023 are the ____________ ports.

Q37. Ports 1024 through __________ are the “registered” ports.

Q38. The remaining ports are referred to as the __________ or __________


Note: The more common term for the ports above 49151 are “upper” or “ephemeral”. In class, I will
also use the term “client ports” for reasons that should be (or become) obvious.

Q39. What port is registered to TRIPWIRE (the file integrity check company)? ________ (Hint: Use
Ctrl-F to search for it.)

Q40. Is this a well-known, registered, or dynamic port? ________________.

Q41. <Question removed>

And just so you don’t think that computer geeks don’t have a sense of humor, check out RFC1438.
http://www.rfc-editor.org/rfc/rfc1438.txt

Q42. According to this RFC, what is an SOB? _____________________________

Finally: I’d like you to take a look at RFC2460 (IPv6). We won’t have time to cover IPv6 specifics in
class, but IPv6 is on the way, so it is appropriate to gain some familiarity with this new, up-and-
coming, layer 3 protocol. Go to http://www.rfc-editor.org/rfc/rfc2460.txt (Note: RFC 2460 has since
been obsoleted by RFC 8200, which is the current IPv6 specification; the page and section references
below are to RFC 2460, so use that text for the questions.)

Here are some of the IPv6 highlights in question & answer form.

Q43. On page 2 (remember that pages are numbered at the bottom) we learn that IPv6 adds anycast to
the unicast and multicast address types it keeps from IPv4 (IPv4’s broadcast is dropped in IPv6; its role
is taken over by multicast). Anycast is used to send a packet to ____________________________.

The motivation/advantage/purpose of anycast is not made very clear in the RFC. Go to
http://www.tcpipguide.com/free/t_IPv6MulticastandAnycastAddressing-5.htm and read the four short
paragraphs describing anycast.

Q44. You now know that the “purpose” of anycast is succinctly described as
a. “send to every member of this group.”
b. “send to every member subscribed to this IP.”
c. “send to any IP in this list of IPs.”
d. “send to the closest member of this group.”

If you don’t yet see an application for anycast… imagine that NPS runs 4 DNS servers spread
throughout the campus, all of which maintain the same information. An NPS client machine
needing name resolution services (DNS) won’t care which of the four servers “serves” its request; only
that one of them do so. Ideally, it would be the closest (topologically-speaking) of the four.

Q45. Now go back to RFC2460 (http://www.rfc-editor.org/rfc/rfc2460.txt). On p.4 we see that the
minimum IPv6 header size is _____ bytes. (Note: it does not say directly... you must look at the
illustration to figure it out. Here is a hint.)

+-+
| |   this represents a single bit in a header… now count the # of bytes per row, then count
+-+   the number of rows comprising the header to obtain the answer

Q46. From the information on p.4, we also see that an IPv6 can carry a maximum payload (i.e., its
“payload length”) of _________ bytes. (Hint: look at the size of the “payload length” field, and also
read what “units” it is counting: bit? byte? multiple bytes? Also, recall that an “octet” is synonymous
with a “byte”)

Q47. On p.5 we see that IPv6 changes the name of IPv4’s TTL field to _____________ .

Q48. Near the bottom of p.6 and on to p.7, we see that only one IPv6 option header is intended to be
read and acted upon by intermediate nodes (i.e., routers) along a packet’s journey from source to
destination host. What option is that? _____________________________

On p.7 we see all of IPv6’s six possible extension headers (optional items that can be added by the
sender); note the last two. These are the two primary “services” provided by IPSec which we will
cover in detail in Section 6 of the course material. From this you can see the “native” (i.e., built-in
from the start vice added-on later) support that IPv6 has for IPSec (IP Security). For those who don’t
know, IPSec is the dominant suite of protocols and standards used to create layer 3 VPNs.

Q49. What are the last two options listed on p.7? ____________________ and
_______________________________________ .

One of these is designed to ensure you know with whom you are “talking” (origin authentication and
integrity), and the other to ensure your “conversation” is kept confidential (confidentiality). Note that
the second one can also carry its own integrity protection, which is why most deployed IPSec VPNs run
it alone with authentication enabled rather than stacking both headers; either way, a robust IPSec-based
VPN has both integrity and confidentiality turned on.

Now jump to p.29 and read Section 8.4. Note how IPv6 is addressing the security issue raised by the
usage of the routing header (i.e., the IPv4 “source-routing” problem that will be discussed in class
later). (Note: the Type 0 routing header defined in RFC 2460 was later deprecated outright by
RFC 5095, because a packet listing the same two routers over and over could be bounced between them
to amplify traffic; current hosts and routers are expected to drop it.)

Q50. Under what conditions does the IPv6 standard say that it is OKAY to build a return packet that
employs the reverse of the routing header that was received?

If you think-through the Section 8.4 reading, I hope you can glean the intent of this protocol policy
decision. For example, if we were to “blindly” accept the reverse-path provided by the incoming
packet, withOUT being sure of the sender, we might be duped into allowing our packets to be routed
according to the wishes of an attacker. So, what’s the logical policy to deal with a received packet that
has a suggested route we follow in the reverse direction? Answer: a) Don’t reply with a routing header
at all (allow the routers to choose routing as is “normal”), b) Use a routing header that is “locally”
determined (if there is one), or c) Accept the return route only if the sender has been authenticated.
This last part (c) is the answer to Q50.

Now move back up to p.18, and read the first paragraph in Section 4.5.

Q51. Unlike IPv4, fragmentation in IPv6 is performed only by ___________________, not by
_____________ along a packet's delivery path. This is another prudent protocol policy decision that
should help protect against DoS-style attacks that are based upon enroute packet fragmentation.

Now jump to p.22 and read the paragraph that starts with “If insufficient fragments are received....”
and the two paragraphs that follow it.

Q52. How long should an IPv6 host wait for all fragments to arrive before giving up on reassembly
and dropping all fragments received so far? _____ seconds. Waiting for a longer period increases the
likelihood of the host being DOS’ed (“Denial Of Service” used as a verb) by a malicious fragmenter: a
form of attack based upon the principle of resource exhaustion.

Q53. Think about why the RFC directs that fragments that are of “irregular” length (i.e., not a multiple
of 8 octets) yet have the ‘M’ (i.e., more fragments) flag set; should be discarded. Can you think of a
valid reason? _____________________________________________________________

Bottom line here regarding Q53: protocols need to be designed to more effectively identify/detect
behaviors that are intentionally--or even accidentally--likely to cause problems. Since the Fragment
Offset field counts 8-octet units, a fragmented packet is supposed to be cut at 8-byte “boundaries”, and
any fragment—except the last—that does not fall on an 8-byte boundary is indicative of “foul-play” or
bad software.

When we get to Section 3 (Traffic Analysis) of the course notes, you will see how the RFC stipulation
for the receiving host to check for packets reassembling to more than 65,535 octets protects against a
known DoS attack (the “Fat Ping of Death”, more commonly called simply the Ping of Death).
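The following is an added example, not code from RFC 2460 or this handout, that ties Q45 through Q53 together on real bytes: it decodes the 40-byte fixed header, walks the Next Header chain through the six extension headers named on p.7 (stopping at ESP, whose body is encrypted), and applies the two Section 4.5 discard rules for fragments, the 8-octet rule for non-final fragments and the 65,535-octet reassembly limit. The three packets built in sample_packets() are constructed for illustration (addresses from the 2001:db8::/32 documentation prefix), not captured traffic.

```python
"""Parse an IPv6 fixed header, walk its extension-header chain, and apply the two
RFC 2460 section 4.5 discard rules for fragments. Added example; the packets built
in sample_packets() are constructed for illustration, not captured traffic."""
import struct

# Next Header values of the six extension headers listed on p.7 of RFC 2460.
HOPBYHOP, ROUTING, FRAGMENT, ESP, AH, DESTOPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {HOPBYHOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
             ESP: "Encapsulating Security Payload", AH: "Authentication",
             DESTOPTS: "Destination Options"}
NO_NEXT_HEADER = 59
UDP = 17
MAX_REASSEMBLED_PAYLOAD = 65535   # limit of the 16-bit Payload Length field
REASSEMBLY_TIMEOUT_SECONDS = 60   # RFC 2460 section 4.5


def parse_fixed_header(pkt):
    """Decode the 40-byte fixed header (8 bytes of fields + two 16-byte addresses)."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    ver_tc_flow, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_flow >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"traffic_class": (ver_tc_flow >> 20) & 0xFF, "flow_label": ver_tc_flow & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_header,
            "hop_limit": hop_limit, "src": pkt[8:24], "dst": pkt[24:40]}


def walk_extension_headers(pkt):
    """Follow the Next Header chain. Returns (chain, upper_layer_next_header); the walk stops
    at the first non-extension header, or at ESP, whose body is encrypted and cannot be parsed."""
    hdr = parse_fixed_header(pkt)
    nxt, off, end = hdr["next_header"], 40, 40 + hdr["payload_length"]
    chain = []
    while nxt in EXT_NAMES and off + 8 <= end:
        entry = {"type": nxt, "name": EXT_NAMES[nxt], "start": off}
        if nxt == ESP:
            chain.append(entry)
            break
        if nxt == FRAGMENT:                       # fixed 8 bytes: nxt, res, offset/res/M, id
            following, _res, off_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            entry.update(offset=(off_flags >> 3) * 8, more=bool(off_flags & 1), id=ident)
            length = 8
        elif nxt == AH:                           # AH length is in 4-octet units, minus 2
            following, length = pkt[off], (pkt[off + 1] + 2) * 4
        else:                                     # Hdr Ext Len in 8-octet units, excluding the first 8
            following, length = pkt[off], (pkt[off + 1] + 1) * 8
            if nxt == ROUTING:                    # type 0 is the one RFC 5095 later deprecated
                entry.update(routing_type=pkt[off + 2], segments_left=pkt[off + 3])
        chain.append(entry)
        nxt, off = following, off + length
    return chain, nxt


def validate_fragment(pkt):
    """Apply the two discard rules of RFC 2460 section 4.5. Returns (accept, reason)."""
    hdr = parse_fixed_header(pkt)
    chain, _upper = walk_extension_headers(pkt)
    frag = next((e for e in chain if e["type"] == FRAGMENT), None)
    if frag is None:
        return True, "not a fragment"
    unfragmentable_len = frag["start"] - 40                      # ext headers before Fragment
    frag_data_len = 40 + hdr["payload_length"] - (frag["start"] + 8)
    if frag["more"] and frag_data_len % 8:
        # Offsets count 8-octet units, so a non-final fragment of odd length leaves a gap.
        return False, "M set but length not a multiple of 8 (ICMP Parameter Problem -> Payload Length)"
    if unfragmentable_len + frag["offset"] + frag_data_len > MAX_REASSEMBLED_PAYLOAD:
        return False, "reassembled Payload Length would exceed 65535 (ICMP Parameter Problem -> Fragment Offset)"
    return True, "fragment acceptable"


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit) + src + dst + payload


def build_fragment_header(next_header, offset, more, ident):
    assert offset % 8 == 0, "Fragment Offset is in 8-octet units"
    return struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | (1 if more else 0), ident)


SRC = bytes.fromhex("20010db8000000000000000000000001")   # constructed, documentation prefix
DST = bytes.fromhex("20010db8000000000000000000000002")
HBH = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])              # Hop-by-Hop: one PadN option, next = Fragment


def sample_packets():
    """Three constructed fragments: acceptable, odd-length with M set, and oversized on reassembly."""
    good = build_ipv6(SRC, DST, HOPBYHOP, HBH + build_fragment_header(UDP, 0, True, 0xABCD) + bytes(16))
    odd = build_ipv6(SRC, DST, HOPBYHOP, HBH + build_fragment_header(UDP, 0, True, 0xABCD) + bytes(13))
    huge = build_ipv6(SRC, DST, HOPBYHOP, HBH + build_fragment_header(UDP, 65528, False, 0xABCD) + bytes(16))
    return good, odd, huge


if __name__ == "__main__":
    for pkt in sample_packets():
        names = [e["name"] for e in walk_extension_headers(pkt)[0]]
        print(names, validate_fragment(pkt))
```

The 60-second reassembly timer of Q52 is kept here only as a constant; a real reassembly buffer would stamp the first fragment of each (src, dst, id) group on arrival and discard the group once that many seconds have elapsed, which is what bounds the memory a “malicious fragmenter” can pin down.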

Read Section 5 that starts on p.24.

Q54. IPv6 requires that every “link” on the Internet have an MTU of >= _______ bytes. 1280

Q55. Do you remember from your previous networking courses what the meaning of “path MTU” is
(4th paragraph in Sect. 5). (This will be covered in lecture, but the ‘A’ student should Google an
answer to this)

Q56. Do you know, or can you think of how a host could “discover” the “path MTU” between itself
and some other host on the Internet? (This will be covered in lecture)

Q57. The IPv6 RFC states that nodes (must | may) accept fragmented packets that reassemble to 1500
or less octets; and that they (must | may) accept fragments that reassemble to more than 1500 octets.
(Choose “must” or “may” in each case. The answer is found in the 1st paragraph on p.25).
The above illustrates just one small example of how the “standards” often leave implementation details
up to the discretion of each system developer. This results in many differences among OSs that in turn
serve as “fingerprints” for the attacker who is trying to identify what OS version (and possibly
applications) is/are resident/running on a target computer.

That’s it.

Deliverable: Nothing is deliverable for this Q&A, but be ready to answer questions taken from it on
either a quiz or exam according to the course syllabus.
