TTL-based Fingerprinting and MPLS
Yves Vanaubel (1), Jean-Jacques Pansiot (2), Pascal Merindol (2) and Benoit Donnet (1)
(1) ULg (Belgium), (2) UDS (France)
April 11, 2013
Summary
- Introduction to the TTL-based signatures
- Motivations
- Measurement campaign
- MPLS use case
- Ongoing work and conclusions
Time To Live (TTL)
- Field in the IP header (avoid routing loops)
- Maximum number of hops for an IP packet
- Initial value of the TTL field may vary, depending on:
  - the hardware (CISCO, Juniper, ...)
  - the Operating System
  - the protocol used (TCP/UDP/ICMP)
ICMP messages
- We consider two types of ICMP messages:
  1. Time-exceeded messages, obtained with Traceroute
  2. Echo-reply messages, obtained with Ping
- We also tried UDP probes: marginal gain
- Initial values of TTLs used by nodes: 32, 64, 128, 255
- TTL initialized differently by a node when it sends:
  - an error packet (Time-exceeded)
  - an information packet (Echo-reply)
TTL-based signatures
- Pair of initial TTLs: <Time-exceeded, Echo-reply>
- Diversity in the signatures (in theory: 5^n, where n is the number of probes)
- Examples: <255-255>, <255-*>, <255-128>, ...
Motivations
- Understanding the characteristics of the Internet:
  - hardware distribution (CISCO, Juniper, etc.)
  - operating systems deployed
  - ...
- Alias resolution: clustering approach
- Understanding MPLS tunnels
- ...
Measurement campaign
- Measurement campaign on the PlanetLab network
- 1M destinations from CAIDA data
- 200 vantage points (VP), i.e. 5000 destinations/VP
- Each IP on a trace pinged 6 times
- Scamper with paris-traceroute
- About 8h of probing per VP
- About 3 days of campaign due to the PlanetLab instabilities
Signatures
- Signatures seen in the campaign:
[Figure: distribution of the signatures; x-axis: Signature (255-255, 255-*, 64-64, 255-64, 64-*, 128-128, 128-*, others); y-axis: 0 to 0.5]
- CISCO ⇒ <255-255>
- Juniper ⇒ <255-64>
Signatures consistency
- Assumption: the signature of a router is unique
- For a given IP address, a signature may be:
  - Consistent: signature always the same
  - Incomplete: signature most of the time complete, but sometimes incomplete (e.g. <255-255> and <255-*>)
  - Inconsistent: several complete signatures, but different from each other
Signatures consistency - intra VP
- For 21% of the VPs, all signatures are consistent
- For all VPs, no incomplete signatures
- In the remaining 79% of VPs: some (rare) inconsistent signatures (less than 0.02% on average)
Signatures consistency - inter VP
- About 97.6% of the signatures are consistent
- Some incomplete signatures (2.2%)
- A bit more inconsistent signatures, but still rare (0.08%)
Signatures consistency - Conclusions
- In the vast majority, consistent signatures
  - Inconsistency due to our initial TTL determination technique?
- Incomplete signatures not encountered inside a VP
  - Filtering at some VP
  - Possibility to complete the signatures (e.g. <255-*> ⇒ <255-255>)
- ⇒ Assumption correct: each IP address is associated to a unique signature
- Our technique can be used to help alias resolution
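
The signature construction and the consistency classes from the slides above, as an added Python example that is not the authors' code. It assumes the initial TTL is the smallest of 32, 64, 128, 255 that is not below the observed TTL, treats a partial signature that contradicts a complete one as inconsistent, and runs on constructed observations for documentation addresses.

```python
# Added example (not the authors' code); inference rule and sample data are assumptions.
INITIAL_TTLS = (32, 64, 128, 255)  # initial values listed on the slides

def infer_initial_ttl(observed):
    """Assumed rule: smallest candidate >= observed TTL; None means no reply ('*')."""
    if observed is None:
        return None
    if not 0 < observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    return next(c for c in INITIAL_TTLS if observed <= c)

def signature(te_ttl, er_ttl):
    """<Time-exceeded, Echo-reply> pair of inferred initial TTLs."""
    return (infer_initial_ttl(te_ttl), infer_initial_ttl(er_ttl))

def fmt(sig):
    return "<" + "-".join("*" if v is None else str(v) for v in sig) + ">"

def compatible(partial, full):
    """True if every known field of the partial signature matches the complete one."""
    return all(p is None or p == f for p, f in zip(partial, full))

def classify(sigs):
    """Return (label, signature) for all signatures collected for one IP address."""
    distinct = set(sigs)
    complete = {s for s in distinct if None not in s}
    if len(complete) > 1:                      # several different complete signatures
        return "inconsistent", None
    if len(distinct) == 1:                     # always the same signature
        return "consistent", next(iter(distinct))
    full = next(iter(complete), None)
    # Assumption: a partial signature that contradicts the complete one is inconsistent.
    if full is not None and not all(compatible(p, full) for p in distinct - complete):
        return "inconsistent", None
    return "incomplete", full                  # e.g. <255-*> completed to <255-255>

# Constructed sample: observed (Time-exceeded TTL, Echo-reply TTL) per probe round.
OBSERVATIONS = {
    "192.0.2.1": [(247, 248), (246, 248), (247, 247)],
    "192.0.2.2": [(244, 55), (244, None), (243, 55)],
    "192.0.2.3": [(250, 250), (250, 60)],
}

def classify_all(observations):
    return {ip: classify([signature(te, er) for te, er in probes])
            for ip, probes in observations.items()}

if __name__ == "__main__":
    for ip, (label, sig) in classify_all(OBSERVATIONS).items():
        print(ip, label, fmt(sig) if sig else "-")
```
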
MPLS use case
- Measurement-based classification of MPLS tunnels (traceroute)
- TTL-propagate × RFC4950:
[Figure: path Monitor, R1, R2, R3, R4, R5, Destination, with an LSP along the path; labels: IH, LH, Ingress LER, Egress LER]
Traceroute output for each tunnel type:
  Implicit:  1. R1  2. R2  3. R3  4. R4  5. R5  6. Destination
  Explicit:  1. R1  2. R2 - MPLS  3. R3 - MPLS  4. R4 - MPLS  5. R5  6. Destination
  Opaque:    1. R1  2. R4 - MPLS  3. R5  4. Destination
  Invisible: 1. R1  2. R4  3. R5  4. Destination
MPLS use case
- Proportion of IP addresses in
  - explicit tunnels: 14.23%
  - implicit tunnels: 25.51%
  - opaque tunnels: 0.33%
  - all MPLS tunnels: 30.37%
- Some addresses belong to different types of tunnels
- MPLS seems well deployed in the Internet today
Global view
- Signatures distribution in the MPLS case:
[Figure: signature distribution, MPLS tagged vs. Non MPLS; x-axis: Signature (255-255, 255-*, 64-64, 255-64, 64-*, 128-128, 128-*, others); y-axis: pdf, 0 to 0.5]
- Why such a difference?
Refined view
- Signatures distribution in the different observed MPLS tunnels:
[Figure: signature distribution for Opaque, Implicit and Explicit tunnels; x-axis: Signature (255-255, 255-*, 64-64, 255-64, 64-*); y-axis: pdf, 0 to 0.6]
- Opaque tunnels: only one signature: <255-255> (and <255-*>, but it may be completed)
- Invisible tunnels underestimated.
Ongoing work
- Aim: obtaining a better distribution in the signatures to limit the complexity of alias resolution:
  - MPLS TTL: 1 and 255
  - ICMP time exceeded packet sizes
  - Other probes (TCP, UDP, ...)
  - Several characteristics (internal nodes, ingress, egress, etc.)