ipv6 alias resolution via induced fragmentation
play

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, - PowerPoint PPT Presentation

Sep 28, 2023 •267 likes •513 views

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie , Justin Rohrer Naval Postgraduate School CAIDA {wdbrinkm,rbeverly,jprohrer}@nps.edu mjl@caida.org February 6-8, 2013 ISMA 2013 AIMS-5 -

  1. IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie ∗ , Justin Rohrer Naval Postgraduate School ∗ CAIDA {wdbrinkm,rbeverly,jprohrer}@nps.edu mjl@caida.org February 6-8, 2013 ISMA 2013 AIMS-5 - Workshop on Active Internet Measurements B. Brinkmeyer (NPS) AIMS-5 2013 1 / 23

  2. Background The Problem Problem Overview The Problem: What is the topology of the IPv6 Internet? We tackle initial work on the “alias resolution” problem for IPv6 to infer router-level topologies. Given two IPv6 addresses, determine whether they are assigned to different interfaces on the same physical router. B. Brinkmeyer (NPS) AIMS-5 2013 2 / 23

  3. Background The Problem Prior Work (IPv6) Prior Work (IPv6) All previous work relies on IPv6 source-routing (questionable long-term?). Waddington, et al. (2003): Atlas. Source-routed, TTL-limited UDP probe to y via x . Assuming v6 routing header processed first and ( x , y ) are aliases → receive “hop limit exceeded” and “port unreachable.” Qian, et al. (2010): Route Positional Method. Send TTL-limited UDP probe to self via x and y . If aliases → receive TTL expiration from x . Qian, et al. (2010): Same idea, but using invalid bit sequence in IPv6 option header. The Hacker’s Choice (THC) v6 attack toolkit: reduce IPv6 MTU. B. Brinkmeyer (NPS) AIMS-5 2013 3 / 23

  4. Background The Problem Prior Work (IPv6) Prior Work (IPv6) All previous work relies on IPv6 source-routing (questionable long-term?). Waddington, et al. (2003): Atlas. Source-routed, TTL-limited UDP probe to y via x . Assuming v6 routing header processed first and ( x , y ) are aliases → receive “hop limit exceeded” and “port unreachable.” Qian, et al. (2010): Route Positional Method. Send TTL-limited UDP probe to self via x and y . If aliases → receive TTL expiration from x . Qian, et al. (2010): Same idea, but using invalid bit sequence in IPv6 option header. The Hacker’s Choice (THC) v6 attack toolkit: reduce IPv6 MTU. B. Brinkmeyer (NPS) AIMS-5 2013 3 / 23

  5. IPv6 Alias Resolution IPv6 Fragmentation Eliciting Fragmented Responses We take inspiration from prior IPv4 IPID work But... no in-network fragmentation in IPv6 (push all work to end-hosts) If a router’s next hop interface’s MTU is less than the size of a packet, it sends an ICMP6 “packet too big” message to the source [RFC2460] End-host maintains destination cache state of per-destination maximum MTU End-hosts can fragment packets using an IPv6 fragmentation header B. Brinkmeyer (NPS) AIMS-5 2013 4 / 23

  6. IPv6 Alias Resolution Too-Big Trick Too-Big Trick Too-Big Trick “ IPv6 Alias Resolution via Induced Fragmentation ” (to appear: PAM 2013) I C M P 6 E c h o R e q 1 3 0 0 B , S e q = 0 3 0 0 B e s p 1 h o R M P E c I C IPv6 Interface Send a 1300 byte Prober ICMP6 echo request to router interface B. Brinkmeyer (NPS) AIMS-5 2013 5 / 23

  7. IPv6 Alias Resolution Too-Big Trick Too-Big Trick Too-Big Trick Induce a remote router to originate fragmented packets I C M P 6 E c h o R e q 1 3 0 0 B , S e q = 0 3 0 0 B e s p 1 h o R M P E c I C I C M P 6 T o o B i g Ignore response. Send I C M IPv6 Interface P 6 E c h o R e q 1 3 0 0 B , S e q = 1 ICMP6 packet-too-big Prober message. Send new ICMP6 echo request. B. Brinkmeyer (NPS) AIMS-5 2013 6 / 23

  8. IPv6 Alias Resolution Too-Big Trick Too-Big Trick Too-Big Trick Induce a remote router to originate fragmented packets I C M P 6 E c h o R e q 1 3 0 0 B , S e q = 0 3 0 0 B e s p 1 h o R M P E c I C I C M P 6 T o o B i g I C M IPv6 Interface P 6 E c h o R e q 1 3 Router replies with 0 0 B , S e q = 1 Prober fragmented ICMP6 e t = 0 , O f f s I D = x F r a g 2 3 2 s e t = 1 , O f f echo response. I D = x F r a g B. Brinkmeyer (NPS) AIMS-5 2013 7 / 23

  9. IPv6 Alias Resolution Too-Big Trick Too-Big Trick Too-Big Trick Induce a remote router to originate fragmented packets I C M P 6 E c h o R e q 1 3 0 0 B , S e q = 0 3 0 0 B e s p 1 h o R M P E c I C I C M P 6 T o o B i g Prober can elicit new I C M IPv6 Interface P 6 E c h o R e q 1 3 0 0 B , S e q = 1 fragment identifiers Prober e t = 0 , O f f s I D = x F r a g with each ICMP6 echo 2 3 2 s e t = 1 , O f f I D = x F r a g request. I C M P 6 E c h o R e q 1 3 0 0 B , S e q = 2 s e t = 0 1 , O f f D = x + r a g I F 2 = 1 2 3 O f f s e t x + 1 , I D = F r a g B. Brinkmeyer (NPS) AIMS-5 2013 8 / 23

  10. IPv6 Alias Resolution Results How Effective is TBT on the Internet? Efficacy of TBT Determine how many live IPv6 interfaces respond to TBT Determine in what way they respond Methodology: Single vantage point TBT probe 49,000 interfaces: 23,892 distinct IPv6 interfaces from CDN traceroutes (May, 2012) 25,174 distinct IPv6 interfaces from CAIDA (August, 2012) Includes IPv6 router interfaces in 2,617 autonomous systems Check for liveness Elicit 10 fragment IDs (20 total fragments) B. Brinkmeyer (NPS) AIMS-5 2013 9 / 23

  11. IPv6 Alias Resolution Results TBT Response Characteristics TBT Response Characteristics CDN CAIDA ICMP6 responsive 18486/23892 77.4% 18959/25174 75.3% Post-TBT unresp. 235/18486 1.3% 66/18959 0.4% Post-TBT nofrags 5519/18486 29.9% 5800/18959 30.6% Of interfaces responding to “normal” ICMP6 echo request: ≈ 30% do not send fragments after TBT ≈ 1% become unresponsive! B. Brinkmeyer (NPS) AIMS-5 2013 10 / 23

  12. IPv6 Alias Resolution Results TBT Response Characteristics TBT Response Characteristics CDN CAIDA TBT responsive 12732/18486 68.9% 13093/18959 69.1% TBT sequential 8288/12732 65.1% 9183/13093 70.1% TBT random 4320/12732 33.9% 3789/13093 28.9% Thus, ≈ 70% return fragment identifiers after TBT Of those: 65 − 70 % return sequential IDs ! (Unfortunately, not same as IPv4 ID) Remaining ≈ 30% use random IDs (confirmed as Juniper) B. Brinkmeyer (NPS) AIMS-5 2013 11 / 23

  13. IPv6 Alias Resolution Results Initial Fragment Identifiers 30 30 25 25 Fraction of Responding Interfaces Fraction of Responding Interfaces 20 20 15 15 10 10 5 5 0 0 1 1 2 0 3 0 2 1 3 4 5 2 0 4 1 9 1 1 2 1 0 2 3 1 0 3 1 0 4 2 3 4 1 0 1 1 1 2 1 2 2 1 3 1 2 1 3 1 1 4 2 2 2 1 5 3 Initial Fragment ID Initial Fragment ID CDN CAIDA ≈ 25% of interfaces responded with fragment ID=1 after first probe These routers sent no fragmented traffic prior to our probe! Observe: modes at multiples of 10. Naturally discovering aliases! B. Brinkmeyer (NPS) AIMS-5 2013 12 / 23

  14. IPv6 Alias Resolution Algorithm IPv6 Alias Resolution Algorithm IPv6 Alias Resolution using TBT: IPv6 control plane traffic does not “spin” counter (unlike IPv4) Can reasonably expect IPv6 identifiers to have no natural velocity over probing interval IPv6 fragment identifiers are 32-bit (unlike IPv4) Caveats Many routers will have low fragment identifiers Fragment counter may be the same for many routers Intuition: cause counters of non-aliases to diverge Probe candidate pair ( A , B ) at different rates B. Brinkmeyer (NPS) AIMS-5 2013 13 / 23

  15. IPv6 Alias Resolution Algorithm IPv6 Internet Alias Resolution Controlled Environment Used GNS3 to build a virtualized 26-node Cisco network running IOS 12.4(20)T Found that Cisco uses sequential IPv6 fragment IDs Validated TBT and algorithm: 100% accuracy (f-score = 1.0) in finding 92/92 aliases (1584/1584 non-aliases) IPv6 Internet Alias Resolution Worked with a commercial service provider to get ground-truth on 8 physical routers in production Each of 8 routers has 2-21 IPv6 interfaces Using TBT, correctly identified 808/808 true aliases, with no false positives B. Brinkmeyer (NPS) AIMS-5 2013 14 / 23

  16. Current Work Large-Scale IPv6 Alias Resolution Large-Scale IPv6 Alias Resolution PAM paper only demonstrates technique and feasibility Algorithm in PAM paper is inefficient: O ( N 2 ) . Instead, NPS/CAIDA have begun investigating a new algorithm (ask us for details). B. Brinkmeyer (NPS) AIMS-5 2013 15 / 23

  17. Current Work Large-Scale IPv6 Alias Resolution Initial Controlled Large-Scale Testing Again, used GNS3: 26 virtual routers naïve TBT LS-TBT Savings Pings 8968 222 98% Time 36:33 4:24 ≈ 1/10 time Aliases 54/54 54/54 - Promising start Work proceeding on Internet-wide probing B. Brinkmeyer (NPS) AIMS-5 2013 16 / 23

  18. Summary Summary Summary: New fingerprinting-based IPv6 alias resolution technique Internet-wide probing of ≈ 49 , 000 live IPv6 interfaces, 70% of which respond to our test Validation of technique on subset of production IPv6 network ScaPy implementation: http://www.cmand.org/tbt (Now implemented in scamper; ask mjl) Eventual plan: release v6 aliases as part of CAIDA ITDK Thanks! From audience: Better understanding of our TBT-induced failures? Any other v6 networks for ground-truth evaluation? Thoughts on v4/v6 associations for routers? B. Brinkmeyer (NPS) AIMS-5 2013 17 / 23

  19. Backup Slides B. Brinkmeyer (NPS) AIMS-5 2013 18 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie , Justin Rohrer Naval Postgraduate School CAIDA {wdbrinkm,rbeverly,jprohrer}@nps.edu mjl@caida.org March 18-19, 2013 PAM 2013 - 14th

718 views • 23 slides
Large Scale IPv6 Alias Resolution Matthew Luckie Overview IP-ID based alias resolution

Large Scale IPv6 Alias Resolution Matthew Luckie Overview IP-ID based alias resolution

Large Scale IPv6 Alias Resolution Matthew Luckie Overview IP-ID based alias resolution techniques IP-ID used in reassembly to identify fragments that belong to same packet. Commonly implemented as a counter in IPv4 (and v6) ally

371 views • 15 slides
UAv6: Alias Resolution in IPv6 Using Unused Addresses Ramakrishna Padmanabhan, Zhihao Li ,

UAv6: Alias Resolution in IPv6 Using Unused Addresses Ramakrishna Padmanabhan, Zhihao Li ,

UAv6: Alias Resolution in IPv6 Using Unused Addresses Ramakrishna Padmanabhan, Zhihao Li , Dave Levin, and Neil Spring University of Maryland, College Park, MD { ramapad,zhihaoli,dml,nspring } @cs.umd.edu As the IPv6 Internet grows, alias

328 views • 12 slides
Speedtrap: Internet-Scale IPv6 Alias Resolution Matthew Luckie (CAIDA / UC San Diego) Robert

Speedtrap: Internet-Scale IPv6 Alias Resolution Matthew Luckie (CAIDA / UC San Diego) Robert

Speedtrap: Internet-Scale IPv6 Alias Resolution Matthew Luckie (CAIDA / UC San Diego) Robert Beverly (NPS) Billy Brinkmeyer (NPS) kc claffy (CAIDA / UC San Diego) Overview Alias resolution (IPv4 and IPv6) Speedtrap: IPv6

557 views • 22 slides
Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez

Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez

Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez Eduardo Magaa lizarrondo Daniel Morato Oses Mikel Izal Azkarate Index Introduction Existing techniques for alias resolution New techniques for

848 views • 41 slides
1 What Can Alias? (cont) Alias Analysis Arrays Goal: Statically identify aliases do b[c[i 1 ]]

1 What Can Alias? (cont) Alias Analysis Arrays Goal: Statically identify aliases do b[c[i 1 ]]

Alias Analysis Aliasing Last time What is aliasing? Midterm When two expressions denote the same mutable memory location e.g., p = new Object; Today q = p; * p and * q alias Alias analysis (pointer analysis) How do aliases

162 views • 5 slides
ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org

ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org

ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security analyst and researcher. Over 20 years of diverse Information

1.11k views • 82 slides
Playing with Maya thru MEL/ API Min Gyu Choi Kwangwoon University Alias Maya Alias|Wavefront

Playing with Maya thru MEL/ API Min Gyu Choi Kwangwoon University Alias Maya Alias|Wavefront

Playing with Maya thru MEL/ API Min Gyu Choi Kwangwoon University Alias Maya Alias|Wavefront Maya is one of the greatest and most complex computer programs ever made. Alias Maya Alias Maya Maya has many features as default. Maya

898 views • 65 slides
Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias,

Alias Analysis Last time Alias analysis I (pointer analysis) Address Taken FIAlias, which is equivalent to Steensgaard Today Alias analysis II (pointer analysis) Anderson Emami Next time Midterm review CS553

207 views • 8 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
Combining electron counting and beam-induced motion correction to achieve near atomic resolution

Combining electron counting and beam-induced motion correction to achieve near atomic resolution

Combining electron counting and beam-induced motion correction to achieve near atomic resolution single particle cryoEM David Agard and Yifan Cheng Department of Biochemistry & Biophysics University of California San Francisco NRAMM

331 views • 4 slides
Analysis of induced microseismic events Analysis of induced microseismic events from HDR/EGS

Analysis of induced microseismic events Analysis of induced microseismic events from HDR/EGS

Analysis of induced microseismic events Analysis of induced microseismic events from HDR/EGS reservoirs by super from HDR/EGS reservoirs by super resolution mapping techniques resolution mapping techniques H. Asanuma*, Y. Kumano*, H.

509 views • 24 slides
Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis)

Alias Analysis Last time Reuse optimization Today Alias analysis (pointer analysis) Next time More alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 2 Aliasing What is aliasing? When two expressions denote

265 views • 8 slides
IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan,

IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan,

IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan, Inc. / KAME Project Keiichi SHIMA <keiichi@iij.ad.jp> Contents Why do we use IPv6? IPv6 Addresses Link-layer address resolution

1.55k views • 116 slides
Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6 Global allocations by RIR APNIC 337 21% RIPENCC 737 45% ARIN 438 LACNIC AFRINIC 27% 87 37 5% 2% Unit: IPv6 pref i x 3 IPv6

603 views • 24 slides
Closeout: Will You Be Ready? 2018 CDBG-DR Problem Solving Clinic Atlanta, GA | D e c e m b e r

Closeout: Will You Be Ready? 2018 CDBG-DR Problem Solving Clinic Atlanta, GA | D e c e m b e r

Closeout: Will You Be Ready? 2018 CDBG-DR Problem Solving Clinic Atlanta, GA | D e c e m b e r 1 2 - 1 4 , 2 0 1 8 2018 CDBG-DR PROGRAM Welcome & Speakers Session Objectives Provide guidance on how to prepare for closeout and

383 views • 15 slides
Likelihood-based estimation, model selection, and forecasting of integer-valued trawl processes

Likelihood-based estimation, model selection, and forecasting of integer-valued trawl processes

Likelihood-based estimation, model selection, and forecasting of integer-valued trawl processes Almut E. D. Veraart Imperial College London New Results on Time Series and their Statistical Applications CIRM Luminy, 14-18 September 2020 1 / 25

440 views • 25 slides
Almost-sure hedging under permanent price impact Y.Zou Universit e Paris Dauphine April 20,

Almost-sure hedging under permanent price impact Y.Zou Universit e Paris Dauphine April 20,

Almost-sure hedging under permanent price impact Y.Zou Universit e Paris Dauphine April 20, 2016 Y.Zou (Universit e Paris Dauphine) JPS les Houches April 20, 2016 1 / 16 Outline 1 Introduction 2 Process dynamics and hedging problems

585 views • 31 slides
Lecture 4 Mojtaba Soltanalian- UIC msol@uic.edu http://msol.people.uic.edu Based on ECE 531

Lecture 4 Mojtaba Soltanalian- UIC msol@uic.edu http://msol.people.uic.edu Based on ECE 531

Detection and Estimation Theory Lecture 4 Mojtaba Soltanalian- UIC msol@uic.edu http://msol.people.uic.edu Based on ECE 531 Slides- 2011 (Prof. Natasha Devroye) Estimation: a first example Estimate the DC level, A, of a signal given noisy

773 views • 14 slides
Risky Business? A Firm Level Analysis of Chinese Outward Direct Investments Weiyi Shi UC San

Risky Business? A Firm Level Analysis of Chinese Outward Direct Investments Weiyi Shi UC San

Risky Business? A Firm Level Analysis of Chinese Outward Direct Investments Weiyi Shi UC San Diego and Tsinghua University September 23, 2013 Are Chinese Investors Drawn to Risks? Preliminary evidence suggests that Chinese companies tend

420 views • 15 slides
IESG Operations - Behind the Drafts Bill Fenner IETF 62 - Minneapolis, MN What is this data?

IESG Operations - Behind the Drafts Bill Fenner IETF 62 - Minneapolis, MN What is this data?

IESG Operations - Behind the Drafts Bill Fenner IETF 62 - Minneapolis, MN What is this data? From I-D Tracker dumps since 2003 Raw data: http://rtg.ietf.org/~fenner/iesg/data/ https://rtg.ietf.org/phpmyadmin/ (login ietf,

308 views • 8 slides
Natural Language Processing Lecture 9: Hidden Markov Models Finding POS Tags Bill directed

Natural Language Processing Lecture 9: Hidden Markov Models Finding POS Tags Bill directed

Natural Language Processing Lecture 9: Hidden Markov Models Finding POS Tags Bill directed plays about English kings Running Example Bill directed plays about English kings PropN Verb PlN Prep Adj Adj Verb PlN Verb Adv

682 views • 26 slides
Math 140 The values of a summary statistic (e.g. the Introductory Statistics average age of the

Math 140 The values of a summary statistic (e.g. the Introductory Statistics average age of the

Visualizing Distributions Recall the definition: Math 140 The values of a summary statistic (e.g. the Introductory Statistics average age of the laid-off workers) and how often they occur. Four of the most common basic shapes :

317 views • 21 slides

More recommend