responsibilities of iana

The Internet Assigned Numbers Authority (IANA) is responsible for overseeing the global
coordination of key internet numbering systems. Its main responsibilities include:

IP Address Allocation: IANA manages the global pool of IPv4 and IPv6 addresses,
distributing them to the five Regional Internet Registries (RIRs) — such as ARIN, RIPE NCC,
APNIC, LACNIC, and AFRINIC — which then assign them to internet service providers and
organizations.

Domain Name System (DNS) Root Zone Management: IANA oversees the root zone of the
DNS, which involves maintaining the database of top-level domains (TLDs) like .com, .org,
.edu, and country-code TLDs (e.g., .uk, .jp). This includes coordinating updates, additions,
and changes to TLDs in collaboration with domain registries.

Protocol Parameter Assignment: IANA assigns and maintains protocol numbers and
parameters used in internet standards, such as port numbers (e.g., 80 for HTTP, 443 for
HTTPS) and other technical identifiers defined by the Internet Engineering Task Force
(IETF).

Tier 1 ISPs

●​ Definition: Tier 1 ISPs are the top level of the internet hierarchy. They own and
operate vast global backbone networks and have "settlement-free peering"
agreements with other Tier 1 providers, meaning they exchange traffic without
charging each other.
●​ Characteristics:
○​ They have direct access to the entire internet routing table without needing to
purchase transit services from other ISPs.
○​ Their networks span continents, often with undersea cables, large data
centers, and extensive fiber optic infrastructure.
○​ They serve as the core of the internet, connecting Tier 2 and Tier 3 ISPs to
the global network.
●​ Examples: Companies like AT&T, Verizon, Level 3 (now part of CenturyLink), NTT
Communications, and Tata Communications.
●​ Role: Tier 1 ISPs ensure global connectivity by linking regional networks and
providing the backbone that smaller ISPs rely on. Their peering agreements keep
data flowing efficiently across borders.

Tier 2 ISPs
 ●​ Definition: Tier 2 ISPs are regional or national providers that purchase transit
services from Tier 1 ISPs to connect to parts of the internet they don’t directly reach,
while also peering with other Tier 2 providers to reduce costs.
●​ Characteristics:
○​ They have significant network infrastructure but lack the global reach of Tier 1
ISPs.
○​ They often serve specific regions or countries, acting as intermediaries
between Tier 1 backbones and local Tier 3 ISPs.
○​ Peering agreements with other Tier 2 ISPs allow them to exchange traffic
directly, bypassing Tier 1 transit fees for some routes.
●​ Examples: Comcast, Vodafone, Cox Communications, or regional players like Bell
Canada.
●​ Role: Tier 2 ISPs bridge the gap between global backbones and local markets,
delivering connectivity to businesses and smaller ISPs while balancing cost and
coverage.

Tier 3 ISPs

●​ Definition: Tier 3 ISPs are local providers that focus on delivering internet access
directly to end users—individuals, households, and small businesses. They purchase
transit from Tier 2 or Tier 1 ISPs to connect to the broader internet.
●​ Characteristics:
○​ They have limited network infrastructure, typically confined to a city, town, or
specific area.
○​ They don’t usually peer with other ISPs because their scale doesn’t justify it;
instead, they rely entirely on upstream providers for connectivity.
○​ Services include broadband, DSL, fiber, or wireless internet for retail
customers.
●​ Examples: Small local ISPs like Sonic (in California), municipal broadband networks,
or rural providers like Rise Broadband.
●​ Role: Tier 3 ISPs are the "last mile" providers, ensuring end users get online. They
focus on customer service, local coverage, and affordable pricing rather than network
ownership.

How They Interact

●​ Traffic Flow: Data moves from Tier 3 (end user) up to Tier 2 or Tier 1 for
long-distance routing, then back down through the tiers to reach its destination.
●​ Economics: Tier 1 ISPs profit from selling transit to Tier 2, while Tier 2 ISPs sell to
Tier 3 or directly to customers. Tier 3 ISPs generate revenue from subscriptions.
●​ Scalability: The tiered structure allows the internet to scale efficiently, with each level
specializing in its scope—global, regional, or local.
In computer networks, fragmentation refers to the process of breaking down a large packet
into smaller pieces so that they can be transmitted over a network that has a smaller
maximum transmission unit (MTU). In IPv4, fragmentation can occur at both the source and
the routers along the path. If a router receives a packet that is larger than the MTU of the
next network segment, it can break the packet into smaller fragments. Each fragment is then
sent separately and reassembled at the destination. IPv4 headers contain fields such as
Identification, Flags, and Fragment Offset to manage fragmentation and reassembly.

On the other hand, IPv6 handles fragmentation differently. In IPv6, fragmentation can
only be done by the source device, not by routers along the path. If a packet is too large, the
source device must use a process called Path MTU Discovery to determine the smallest
MTU along the path to the destination and then fragment the packet accordingly before
sending it. IPv6 uses an Extension Header called the Fragment Header for this purpose.
This design improves the efficiency of routers and overall network performance, as routers
no longer need to spend time fragmenting packets.
10. Draw the IPv6 header structure and compare this header with IPv4
header in terms of Routing and Quality of Service. [Sub-question: IPv6
address calculation from MAC]

IPv6 Header Structure

The IPv6 header is simpler and more efficient than the IPv4 header, designed to improve
routing and support modern networking needs. Here’s a textual representation of the IPv6
header (since I can’t draw diagrams directly):

text
CollapseWrapCopy
0 12 20 32
+-------------------+-------------------+-------------------+
| Version (4 bits) | Traffic Class (8) | Flow Label (20) |
+-------------------+-------------------+-------------------+
| Payload Length (16 bits) | Next Header (8) | Hop Limit (8)
|
+-------------------+-------------------+-------------------+
| Source Address (128 bits) |
| |
+-------------------+-------------------+-------------------+
| Destination Address (128 bits) |
| |
+-------------------+-------------------+-------------------+

●​ Version (4 bits): Set to 6 for IPv6.

●​ Traffic Class (8 bits): Used for Quality of Service (QoS), similar to IPv4’s Type of
Service (ToS).
●​ Flow Label (20 bits): A unique feature for QoS, identifying packets in a flow for
special handling.
●​ Payload Length (16 bits): Length of the payload (excluding the header).
●​ Next Header (8 bits): Indicates the type of the next header (e.g., TCP, UDP, or
extension header).
●​ Hop Limit (8 bits): Replaces IPv4’s TTL; decremented by routers, packet discarded
if it reaches 0.
●​ Source Address (128 bits): Sender’s IPv6 address.
●​ Destination Address (128 bits): Receiver’s IPv6 address.

IPv4 Header Structure (for Comparison)

text
CollapseWrapCopy
0 8 16 32
+-------------------+-------------------+-------------------+
| Version | IHL | Type of Service | Total Length |
+-------------------+-------------------+-------------------+
| Identification | Flags | Fragment Offset |
+-------------------+-------------------+-------------------+
| Time to Live | Protocol | Header Checksum |
+-------------------+-------------------+-------------------+
| Source Address (32 bits) |
+-------------------+-------------------+
| Destination Address (32 bits) |
+-------------------+-------------------+
| Options (if any) + Padding |
+-------------------+-------------------+

Comparison: Routing

●​ IPv4:
○​ Uses a 32-bit address space, leading to address exhaustion and reliance on
NAT, complicating routing.
○​ Header includes a checksum, requiring routers to recompute it at every hop,
slowing routing.
 ○​ Options field (variable length) increases processing overhead, as routers
must parse it.
○​ Fragmentation is handled by routers, adding complexity to routing decisions.
●​ IPv6:
○​ 128-bit address space eliminates NAT, simplifying end-to-end routing
(question 18).
○​ No header checksum; modern link-layer protocols handle error detection,
speeding up routing.
○​ Fixed 40-byte header with no options field; optional data moved to extension
headers, processed only when needed.
○​ Fragmentation is eliminated from routers (question 11, 14); only the sender
fragments packets, reducing router load.

Routing Advantage in IPv6: Faster, simpler, and more scalable due to larger address
space and streamlined header processing.

Comparison: Quality of Service (QoS)

●​ IPv4:
○​ Uses the 8-bit Type of Service (ToS) field, later redefined as Differentiated
Services Code Point (DSCP) and Explicit Congestion Notification (ECN).
○​ Limited granularity for QoS; no mechanism to label packet flows explicitly.
●​ IPv6:
○​ Traffic Class (8 bits): Similar to IPv4’s ToS, supports DSCP and ECN for
prioritizing traffic.
○​ Flow Label (20 bits): A game-changer for QoS, allowing packets in a specific
flow (e.g., video streaming) to be tagged and handled consistently across
routers without deep packet inspection.

QoS Advantage in IPv6: The Flow Label provides finer control and efficiency for real-time
applications.

Sub-question: IPv6 Address Calculation from MAC

IPv6 can derive a 64-bit Interface Identifier (IID) from a 48-bit MAC address using the
EUI-64 process:

1.​ Take the MAC address (e.g., 00:1A:2B:3C:4D:5E).

2.​ Insert FF:FE in the middle: 00:1A:2B:FF:FE:3C:4D:5E.
3.​ Flip the 7th bit (Universal/Local bit) from 0 to 1: 02:1A:2B:FF:FE:3C:4D:5E.
4.​ Combine with a 64-bit network prefix (e.g., 2001:0db8::/64) to form the full IPv6
address: 2001:0db8::021a:2bff:fe3c:4d5e.

This is used in Stateless Address Autoconfiguration (SLAAC) to generate link-local or global

unicast addresses (question 17).

11. Advanced Features of IPv6 & Fragmentation

Advanced Features of IPv6

1.​ Larger Address Space: 128 bits vs. IPv4’s 32 bits (340 undecillion addresses).
2.​ Simplified Header: Fixed size, no checksum, faster processing (question 12).
3.​ No Fragmentation by Routers: Sender-only fragmentation (question 14).
4.​ Flow Label: Enhanced QoS support.
5.​ Built-in Security: IPsec support is mandatory (though optional in IPv4).
6.​ Autoconfiguration: SLAAC for easier address assignment (question 16).
7.​ Multicast Support: Replaces broadcast, improving efficiency (question 17).
8.​ No NAT Required: Restores end-to-end connectivity.

Fragmentation: IPv4 vs. IPv6

●​ IPv4:
○​ Routers and senders can fragment packets if they exceed the MTU
(Maximum Transmission Unit).
○​ Fields: Identification, Flags, Fragment Offset track fragments.
○​ Example: A 2000-byte packet over a 1500-byte MTU link:
■​ Fragment 1: Offset 0, 1500 bytes (MF=1).
■​ Fragment 2: Offset 187, 500 bytes (MF=0).
○​ Reassembly at the destination.
●​ IPv6:
○​ Only the sender fragments; routers drop oversized packets and send an
ICMP "Packet Too Big" message.
○​ Uses an Extension Header (Fragment Header): includes Identification,
Fragment Offset, and More Fragments (M) flag.
○​ Example: Same 2000-byte packet, MTU 1500:
■​ Sender fragments before transmission: Fragment 1 (Offset 0, MF=1),
Fragment 2 (Offset 187, MF=0).
○​ Reassembly at the destination.

Key Difference: IPv6 shifts fragmentation burden to endpoints, simplifying router tasks
(question 14).

14. Define Internet RFC & Fragmentation with Examples

Internet RFC

RFC stands for Request for Comments, a series of documents published by the Internet
Engineering Task Force (IETF). They define standards, protocols, and best practices for the
internet (e.g., RFC 2460 for IPv6). RFCs ensure interoperability and guide the internet’s
evolution (question 16).

Fragmentation Example

●​ IPv4: A 3000-byte packet over a 1000-byte MTU link:

○​ Fragment 1: Offset 0, 1000 bytes (MF=1).
 ○​ Fragment 2: Offset 125, 1000 bytes (MF=1).
○​ Fragment 3: Offset 250, 1000 bytes (MF=0).
●​ IPv6: Sender fragments similarly, but routers don’t intervene; they drop and notify if
MTU is exceeded.

17. IPv6 Address Types

1.​ Global Unicast: Public addresses (e.g., 2001:0db8::1), globally routable.

2.​ Link-Local: Auto-configured for local communication (e.g., fe80::1%eth0), scope
limited to the link.
3.​ Site-Local: Deprecated (was fec0::/10), intended for private networks.
4.​ Multicast: Group communication (e.g., ff02::1 for all nodes on link), scope varies
(link, site, global).

Pretty Good Privacy (PGP) is a cryptographic protocol for securing email communication,
developed by Phil Zimmermann in 1991. It provides confidentiality, authentication,
integrity, and non-repudiation using a hybrid of symmetric and asymmetric encryption.

This diagram illustrates the authentication-only process in PGP (Pretty Good Privacy).
Let's break it down into its two major sections: Source A (sender) and Destination B
(receiver), and walk through each step in detail.

🔐 Source A: Message Creation & Authentication

1.​ Message (M):​

○​ This is the original plaintext message to be sent by Source A.​

2.​ H (Hash Function):​

 ○​ The message M is passed through a hash function H (like SHA or MD5) to
produce a fixed-length hash value H(M).​

○​ This ensures integrity — if even one bit in M is altered, the hash will change.​

3.​ EP (Encrypt with Private Key):​

○​ The hash H(M) is then encrypted using the sender’s private key PR_a.​

○​ This encrypted hash serves as a digital signature.​

○​ Only the sender’s private key could have created this, allowing the receiver to
verify the sender's identity (authentication).​

4.​ Concatenation (||):​

○​ The original message M and the encrypted hash (digital signature) are
concatenated together.​

5.​ Z (Compression):​

○​ The combined data (message + signature) is compressed to reduce size and

improve transmission efficiency.​

6.​ Transmission:​

○​ The compressed package is sent through a communication channel to the

receiver (Destination B).​

🔓 Destination B: Message Reception & Authentication

1.​ Z⁻¹ (Decompression):​

○​ The receiver decompresses the received data to retrieve M and the encrypted
hash (digital signature).​

2.​ DP (Decrypt with Public Key):​

○​ The encrypted hash is decrypted using the sender’s public key PU_a.​

○​ This yields the original hash H(M) computed by the sender.​

○​ If the decryption fails, the digital signature is invalid.​

 3.​ Hashing Again:​

○​ The receiver hashes the received message M independently using the same
hash function H.​

4.​ Compare:​

○​ The newly computed hash is compared with the one obtained by decrypting
the signature.​

○​ If they match:​

■​ The message is authenticated — it was sent by the claimed sender

and has not been tampered with.​

○​ If not:​

■​ It implies that the message or signature has been altered, and

authentication fails.​

This diagram illustrates the Confidentiality Only process in PGP (Pretty Good Privacy) —
where the goal is to ensure that only the intended recipient can read the message, while
authentication is not enforced in this scenario.

Let’s walk through the entire process step-by-step:

🔐 Source A (Sender Side): Ensuring Confidentiality

 1.​ Message (M):​

○​ The sender starts with the plaintext message M.​

2.​ Z (Compression):​

○​ The message is compressed using a function Z to reduce its size before

encryption.​

○​ Compression is done before encryption because encrypted data is usually

not compressible.​

3.​ EC (Encrypt with Symmetric Key):​

○​ A random session key K is generated for symmetric encryption (e.g.,

AES, IDEA).​

○​ The compressed message is encrypted using this session key.​

4.​ EP (Encrypt Key with Public Key):​

○​ The session key K is then encrypted using the recipient's public key PU_b.​

○​ This ensures that only the recipient — who possesses the private key PR_b
— can decrypt the session key.​

5.​ Concatenation (||):​

○​ The encrypted session key and the encrypted message are combined into a
single package.​

6.​ Transmission:​

○​ This package is sent to the recipient.​

🔓 Destination B (Receiver Side): Decrypting the

Message
1.​ DP (Decrypt Session Key):​
 ○​ The encrypted session key is decrypted using the recipient's private key
PR_b to retrieve K .​

2.​ DC (Decrypt Message):​

○​ The encrypted message is decrypted using the symmetric session key K to

retrieve the compressed message.​

3.​ Z⁻¹ (Decompression):​

○​ Finally, the compressed message is decompressed to get back the original

plaintext M.​

Remote Access VPN

●​ Purpose: Allows individual users to securely connect to a private network from a

remote location.
●​ Use Case: Commonly used by employees working from home or traveling to access
company resources.
●​ How It Works: The user’s device connects to a VPN server via an encrypted tunnel,
granting access to internal network resources as if they were physically present.
●​ Example: A worker accessing a corporate intranet through a VPN client like Cisco
AnyConnect.

Site-to-Site VPN

●​ Purpose: Connects entire networks (e.g., branch offices) to a central network over
the internet.
●​ Use Case: Used by businesses to link multiple office locations securely.
●​ How It Works: Routers or gateways at each site establish a secure tunnel, allowing
seamless communication between networks without individual user intervention.
●​ Example: Connecting a company’s headquarters in New York to a branch in London.

PPTP (Point-to-Point Tunneling Protocol)

●​ Overview: One of the oldest VPN protocols, developed by Microsoft in the 1990s.
●​ Encryption: Uses 128-bit encryption with MS-CHAP v2 authentication.
●​ Speed: Very fast due to minimal overhead and weak encryption.
●​ Security: Outdated and vulnerable—known flaws like susceptibility to brute-force
attacks make it insecure by modern standards.
 ●​ Use Case: Rarely used today except in legacy systems or for speed-critical,
low-security tasks.
●​ Pros: High speed, wide compatibility.
●​ Cons: Weak security, easily cracked by modern tools.

L2TP/IPsec (Layer 2 Tunneling Protocol with Internet Protocol Security)

●​ Overview: Combines L2TP (for tunneling) with IPsec (for encryption), developed as
a successor to PPTP.
●​ Encryption: Supports up to 256-bit encryption via IPsec.
●​ Speed: Slower than PPTP due to double encapsulation (L2TP and IPsec headers).
●​ Security: Stronger than PPTP, but potential vulnerabilities exist (e.g., pre-shared key
leaks or NSA compromise rumors).
●​ Use Case: Common in commercial VPNs and mobile devices for balanced security
and compatibility.
●​ Pros: Decent security, widely supported.
●​ Cons: Slower, can be blocked by firewalls inspecting IPsec traffic.

IPsec (Internet Protocol Security)

●​ Overview: A standalone protocol suite often paired with other tunneling methods
(e.g., L2TP).
●​ Encryption: Offers 256-bit AES encryption in its strongest form.
●​ Speed: Moderate—depends on implementation and pairing.
●​ Security: Highly secure when configured properly, used in site-to-site VPNs.
●​ Use Case: Securing network-to-network communication or as part of hybrid
protocols.
●​ Pros: Robust security, flexible applications.
●​ Cons: Complex setup, potential performance overhead.

RADIUS Server

What is a RADIUS Server?

RADIUS (Remote Authentication Dial-In User Service) is a networking protocol and server
system designed to provide centralized authentication, authorization, and accounting
(AAA) services. Originally developed for dial-up internet access, it’s now widely used in
modern networks for managing user access to resources like VPNs, Wi-Fi networks, and
network devices.

How It Works

A RADIUS server acts as an intermediary between a client (e.g., a user’s device) and a
network service. Here’s the basic process:
 1.​ Authentication: Verifies a user’s identity using credentials (e.g., username and
password).
2.​ Authorization: Determines what the authenticated user is allowed to do (e.g.,
access specific resources).
3.​ Accounting: Logs user activity (e.g., session duration, data usage) for billing or
auditing.
●​ Client-Server Model: A RADIUS client (e.g., a VPN server or wireless access point)
sends requests to the RADIUS server, which processes them against a user
database (e.g., LDAP, Active Directory, or a local file).
●​ Protocol: Operates over UDP (ports 1812 for authentication, 1813 for accounting)
and uses a shared secret for secure communication between the client and server.

Key Features

●​ Centralized Management: Manages credentials and policies for multiple

devices/users from one server.
●​ Scalability: Supports large networks with many users or devices.
●​ Extensibility: Integrates with two-factor authentication (2FA), certificates, and other
security mechanisms.
●​ Encryption: Protects sensitive data (e.g., passwords) during transmission using the
shared secret.

Use Cases

●​ VPN Authentication: Ensures only authorized users connect to a corporate VPN.

●​ Wi-Fi Security: Used with WPA2/WPA3 Enterprise to authenticate users on wireless
networks.
●​ Network Device Access: Controls admin access to routers, switches, and firewalls.

Cache Array Routing Protocol (CARP)

What is Cache Array Routing Protocol?

The Cache Array Routing Protocol (CARP) is a protocol developed by Microsoft and later
adopted in various proxy server implementations to manage and distribute web caching
across an array of proxy servers. It’s designed to improve the efficiency of web content
delivery by intelligently routing requests to the most appropriate cache server in a cluster,
reducing redundancy and optimizing resource use.

Unlike the Common Address Redundancy Protocol (used for high availability), this CARP
focuses on web caching and load balancing for HTTP traffic.

How It Works

CARP uses a deterministic hashing algorithm to decide which proxy server in an array
should handle a specific web request. This ensures that cached content is stored and
retrieved efficiently across multiple servers without unnecessary duplication.
 ●​ Hashing Mechanism: CARP generates a hash value based on the requested URL
and the available proxy servers. The server with the highest hash score for a given
URL is responsible for caching and serving that content.
●​ Array Membership: All servers in the CARP array are aware of each other, and the
protocol dynamically adjusts as servers are added or removed.
●​ Client Interaction: Clients (e.g., browsers) or upstream proxies send requests to a
CARP-enabled system, which routes them to the appropriate server.

Key Features

●​ Deterministic Routing: Ensures the same URL is always cached on the same
server, minimizing cache duplication.
●​ Load Balancing: Distributes requests across the array based on the hash,
preventing any single server from being overwhelmed.
●​ Scalability: Easily scales by adding more proxy servers to the array without
disrupting existing caches.
●​ Fault Tolerance: If a server fails, CARP recalculates the hash to redistribute load
among remaining servers.

How It Operates

1.​ A client requests a webpage (e.g., http://example.com/page).

2.​ The CARP-enabled system (e.g., a proxy or load balancer) computes a hash using:
○​ The URL of the request.
○​ A list of available proxy servers (each assigned a unique identifier or weight).
3.​ The server with the highest hash value for that URL either serves the cached content
(if available) or fetches it from the origin server, caches it, and responds to the client.
4.​ Subsequent requests for the same URL are routed to the same server, ensuring
cache consistency.

Use Cases

●​ Web Proxy Arrays: Used in environments with multiple proxy servers (e.g., ISPs or
enterprises) to cache web content efficiently.
●​ Content Delivery: Improves performance for frequently accessed web resources by
reducing origin server load.
●​ Legacy Systems: Found in older Microsoft products like Proxy Server 2.0 or ISA
Server.

Example

Imagine an array of three proxy servers (S1, S2, S3). A request for
http://example.com/image.jpg is hashed:

●​ S1: Hash score = 85

●​ S2: Hash score = 92
●​ S3: Hash score = 77 S2, with the highest score, caches and serves the image. All
future requests for that URL go to S2 unless the array changes.
Implementations

●​ Microsoft Proxy Server: CARP was introduced in Microsoft Proxy Server 2.0 and
later in Internet Security and Acceleration (ISA) Server.
●​ Squid Proxy: The open-source Squid caching proxy supports CARP for array
configurations.
●​ Custom Solutions: Some organizations implement CARP-like logic in their load
balancers or caching systems.

Pros and Cons

●​ Pros:
○​ Reduces cache redundancy (each URL is cached only once).
○​ Efficient load distribution without complex state tracking.
○​ Transparent to clients—no need for client-side configuration.
●​ Cons:
○​ Less flexible than modern load balancers (e.g., NGINX, HAProxy) that use
round-robin or least-connections methods.
○​ If a server fails, cached content on that server becomes unavailable until
re-cached elsewhere.
○​ Outdated in many contexts, replaced by more advanced CDN technologies
(e.g., Akamai, Cloudflare).

CARP vs. Modern Alternatives

Compared to modern content delivery networks (CDNs) or load balancers, CARP is simpler
but less dynamic. CDNs use geographic proximity, real-time server health, and advanced
caching strategies, while CARP relies solely on its hash-based approach.