B, C, and D. The client must remember what operation it has
requested, in case it needs to repeat the request, so A is incorrect.
B, C, and D are all good examples of protocol statelessness. In
addition, all three apply to the server, emphasizing that the server
does not need to remember any protocol state, whether or not the
server itself maintains per-client state such as files.
A, B, and C. A and C apply for the same reason: the network layer
specifies that the network addresses it exposes to the end-to-end layer are
universal, and they can thus be used in payload data as well as in
arguments in calls to the network layer. A NAT has to know how to examine
payload data in order for it to find and translate all examples of network
addresses, but it is typically installed inside the network rather than at
an end point, so it must violate the layering abstraction. B applies
because the method of allocation of IP address blocks tends to waste
addresses and there is now a shortage. D is not correct; the NAT
specification does not call for any retransmission.
A, B, C, and D. A, since anchor text is often a good description of
the page at the other end of the link, Google indexes that text as if it
were found on the linked page. B, since by keeping word offsets, Google is
able to increase the rank of pages in which two words of a query are near
each other (there is some question as to whether Google keeps offsets of
stop words such as "the", so the "each" in answer B might render it
incorrect.) C, since the Page Rank computation is one of Google's primary
precision-improving features. D, since the font size of text tends to
provide information about its importance. According to reliable sources,
technique E is used by Google only on the first day of each April.
A and B. A and B are fundamental properties of capabilities and access
control lists, respectively. C is backwards; revocation of particular
permissions is easier in an access control list system, because there is
exactly one place to look for the information--in the access control list.
In a capability system it may be necessary to search all data accessible to
the principal to locate the capability. D is wrong; the permission bits
associated with a UNIX file are a form of access control list.
A. If one does not know the maximum propagation time of the Gnutella
network, there is no way to establish an upper bound on how long it might
take for all of the QueryHit messages to return. If the node ever deletes
a Query entry from its message table, it will incorrectly discard any later
QueryHits for that Query that come along and the client will never learn
that there are additional copies of the file available. In addition, the
original Query might return a second time to this node via a roundabout
path. If a Query returns after the node has deleted that Query's entry in
the message table, the node will broadcast it again to all its neighbors,
repeating the cycle, and that Query message will probably circulate
forever. By mutual exclusion, B, C, and D must be incorrect.
D. The counterexample in answer D is correct, so A and C must be
wrong. The question asks about path length, not speed, so the reasoning of
answer B is wrong.
B and C. B expresses the normal decrement of TTL on each hop. C
expresses the invariant relation between TTL and Hops: At each hop, TTL is
decremented and Hops is incremented. Answers A and D have no connection
with reality.
A. A null Query will induce a QueryHit in every node it passes
through, it will also be forwarded on to all other attached Gnutella nodes,
and the payload of a null QueryHit is identical to the payload of a Pong,
so the Ping/Pong pair is redundant. By mutual exclusion, answers B, C, and
D must all be wrong; in addition the reasons given in answers C and D
contradict the specifications.
A, C, and D all represent ways of partitioning the network with the
client C in one partition and the server S in the other partition. Because
there can be many paths between C and S, loss of a single node will not
usually be sufficient to partition the network, so B cannot be correct.
B and C. Because there can be many paths between a client and a
server, no single other node can deny service by discarding messages; even
a node containing the file cannot always deny service, since other nodes
may also have a copy. Thus A is excluded. D is excluded by the same
reasoning used in the answer to question 9. E is excluded because the
flood-control strategy of other nodes will discard messages they have
already seen, no matter what the value of the TTL.
Ben is right, but he is having trouble expressing the reason. To
protect against eavesdroppers requires a key-based reversible
transformation, and SHA-1 is neither key-based nor reversible. RC4 is both
key-based and reversible, so it can in principle do the job, assuming Ben
can come up with a secure way of delivering the shared-secret key to the
recipient of the file. (None of the answers should be circled, including
A--you can't compute anything from the output of SHA-1, even if you have
the original input available.)
E. Unfortunately, signing every payload and download does not prevent
any of these attacks. There are three problems: (1) Ben has not provided
a secure way to communicate the public key to the recipient of a download;
a malicious node can replace a self-signed public key in a Pong message
with a different self-signed public key. (2) Ben signed only the payload
of the Gnutella messages, so Gnutella headers are still vulnerable to
malicious changes. (3) Even if Ben had solved problems (1) and (2), the
resulting system isn't capable of withstanding any of the four specific
attacks. A malicious node could pursue attack A by sending its own public
key in a Pong message, responding with a false claim to a Query message,
and then sending a Bach fugue, signed with the corresponding private key,
in response to the download request. It could also pursue attack B,
because the recipient of a Query does not know even an insecurely
communicated public key needed to verify the integrity of that Query.
Attack C would still be possible because lost messages are undetectable,
whether or not they are signed. Attack D would still be possible because
the protocol still allows any node to claim it has any song.
