Testing the reachability of (new) address space Steve Uhlig Delft - - PowerPoint PPT Presentation

testing the reachability of new address space
SMART_READER_LITE
LIVE PREVIEW

Testing the reachability of (new) address space Steve Uhlig Delft - - PowerPoint PPT Presentation

Dec 08, 2022 183 likes •383 views

Testing the reachability of (new) address space Steve Uhlig Delft University of Technology Randy Bush Olaf Maennel University of Adelaide Internet Initiative Japan (IIJ) James Hiebert Matthew Roughan National Oceanic and Atmospheric

slide-1
SLIDE 1

Testing the reachability of (new) address space

Randy Bush

Internet Initiative Japan (IIJ)

Olaf Maennel

University of Adelaide

Steve Uhlig

Delft University of Technology

Matthew Roughan

University of Adelaide

James Hiebert

National Oceanic and Atmospheric Administration

slide-2
SLIDE 2

Outline

  • Problem statement
  • Checking reachability
  • Experiments
  • Conclusion
slide-3
SLIDE 3

Bogon Filters

  • ISPs often filter unallocated address space to

protect themselves from malicious attacks and unwanted traffic

  • Over time unallocated address space may become

allocated and legitimately announced address space...

  • Problem: Filters need to be updated but seem often

not to be

slide-4
SLIDE 4

Objective

  • Develop methodology that is capable of detecting

and locating bogon filters, filters that are blocking newly allocated address space

  • Advertise test and anchor prefixes from 4 probe-

sites: Seattle (USA), Munich (DE), Wellington (NZ), Tokyo (JPN)

  • Analyze reachability status of a newly allocated

prefix

slide-5
SLIDE 5

Terminology

  • Test-prefix: newly allocated prefix to be tested
  • Anchor-prefix: well-established prefix whose

reachability should be fine

  • Probe-site: router that announces both the test-

prefix and the anchor-prefix

Test-prefix Anchor-prefix

Internet

Probe- site

slide-6
SLIDE 6

Filters and Reachability

“The Internet”

x

slide-7
SLIDE 7

“The Internet”

x

Improving AS Coverage

slide-8
SLIDE 8

x

“The Internet”

Improving AS Coverage

slide-9
SLIDE 9

Out-probes: Principles

  • Out-probe : probes performed from test-IP and

anchor-IP towards external IP addresses

  • If probes comes back => reachability from target-

IP

  • If probes do not come back => run traceroutes to

find out location of bogon-filter(s)

Test-site

Target AS

x

? Bogon filter IPx IPy

slide-10
SLIDE 10
  • Advantages:
  • Positive reachability exists for target IP
  • Probing of large fraction of AS topology
  • Disadvantages:
  • Building target IP addresses to be probed not

trivial

  • Probe return path is most interesting but

unkown

Out-probes: Evaluation

slide-11
SLIDE 11

Out-Probes: measurements

  • Send probe from test-sites (test-IP and anchor-IP)

towards a large set of pingable-IP addresses (46,569) in 18,574 different ASs

  • If probe comes back => reachability exists
  • ~85% of all probes
  • If probe does not come back => use heuristic to

find out likelihood that AS contains bogon filter

  • ~10% of all probes
  • ~5% not pingable anymore, e.g., dial-up
slide-12
SLIDE 12

Out-Probes: Initial validation

  • We derived 443 candidate ASs that are likely to

filter

  • Manual search for 15 traceroute servers within

those 443 candidate ASs: – 7 filter – 5 do not filter themselves, but have no usable [up-stream] connectivity => 12 out of 15 (80%) correctly identified – 3 failed, but validation was taken at different time so ASs might have changed filter in the meantime

slide-13
SLIDE 13

Limitation

x

“The Internet”

slide-14
SLIDE 14
  • In-probe : traceroute performed from external IP

addresses towards the test and anchor prefixes

  • In-probes give reachability information towards

the test and anchor prefixes

  • If traceroute from test-prefix address diverges at

some point, we conjecture that some bogon filter is responsible

In-probes: Principles

anchor & test prefix traceroute site

x

?

x

?

x

?

slide-15
SLIDE 15

In-probes: Evaluation

  • Advantages:
  • Filter-independent reachability
  • Details about IP-level path
  • Disadvantages:
  • traceroute site MUST be “behind” filter
  • Not many traceroute sites available
slide-16
SLIDE 16

In-Probes: results

  • Raw results:
  • 66.9% good (anchor and test take exactly same

path)

  • 20.6% diverging paths (anchor and test take

different paths)

  • 8.6% test stops, but anchor ok
  • 3.9% failure (either anchor or anchor and test

failed)

  • Derive candidate links, eliminate unlikely candidates,

then based on remaining candidate links:

  • ~ 34 ASs that may contain incorrectly

configured filters http://psg.com/filter-candidates.txt

slide-17
SLIDE 17

Summary: In- and Out-Probes

  • Out-probes tell about reachability:

+ Find areas of non-reachability + Larger topological coverage (currently > 85% of Internet ASs)

  • No information about: return path and thus non-
  • ptimal paths
  • In-probes tell about filters on the path:

+ Reachability available + goal: detect intermediate filters

  • Limited topological coverage
  • Many traceroute servers are needed at the “edge”
slide-18
SLIDE 18

Conclusion

  • We can identify regions in the Internet that

do not have reachability

  • It is possible to achieve a reasonable coverage
  • f the Internet
  • We don’t only check reachability: we also

detect places where there is "non-optimal" connectivity

slide-19
SLIDE 19

Thanks To

  • ARIN for IP space and commissioning research
  • CityLink – NZ, a test site
  • IIJ - JP, a test site
  • SpaceNet - DE, a test site
  • PSGnet – US, a test site
  • Universities of Adelaide & Delft
  • NSF award ANI-0221435
  • Australian Research Council grant DP0557066