Yarrp’ing the IPv6 Internet - CAIDA IPv6 Active Topology Discovery • Goal: Discover IPv6...
Yarrp’ing the IPv6 Internet
Eric Gaston, Robert Beverly
Naval Postgraduate School
AIMS 2017, March 2, 2017
IPv6 Active Topology Discovery
• Goal: Discover IPv6 Internet’s interface-level topology
• But, completeness is a challenge with 2^128 (~3.4 × 10^38) unique addresses
• And, rate limiting in IPv6 is more aggressive than in IPv4
• Current state-of-the-art: scan small number of prefixes slowly.
IPv6 Topology Mapping Today
CAIDA IPv6 Topology Probing
• Send probes toward each globally announced /48 or shorter prefix once every 48 hours
• 37,797 prefixes as of February 12, 2017
• From 46 globally distributed Ark VPs
• Each VP: scamper icmp-paris traceroutes toward ::1 and a random address in each prefix.
Rohrer et al: IPv6 Scans
• Used Ark
• Largest scan to date probing ~406 million prefixes
• (Data publicly available)
• Traceroute to the ::1 in each /48 in all /32’s
• Scan took 4 months to complete (Nov 14 – Mar 15)
• Current routing table contains ~536 million prefixes
• Increase of 32% in 2 years
Foremski et al: Entropy/IP
• IMC 2016 study to find active portions of IPv6 Internet
• Combines information theory and machine learning to probabilistically model IPv6 addresses
• Ability to generate candidate address list for active scanning can be used to reduce the target space
Why is mapping IPv6 Important?
• IPv6 Topology mapping crucial to:
  • Security
  • Policy
  • Research
• IPv6 use has doubled every year since 2012
• Measurement community needs:
  • Better visibility into IPv6 topology
  • Better tools
Our approach: Yarrp6
What is Yarrp?
• A new high-speed stateless traceroute technique (IMC 2016 demonstrates topo discovery @ 100Kpps)
• Reconstructs states from data encoded in IP and TCP headers of ICMP quotation
• Currently only supports IPv4 and TCP probes
• (Presently working w/ CAIDA to deploy in production)
https://www.cmand.org/yarrp/
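The stateless idea on this slide, as an added Python example that is not code from the slides or from the Yarrp project: the prober keeps no per-probe table and rebuilds each result from the probe header that a router quotes back in its ICMP Time Exceeded message. The slides say only "IP and TCP headers"; the specific field assignment used here (originating TTL in the IP ID, send time in the TCP sequence number, a checksum of the target in the source port), the function names and all addresses are assumptions made for illustration.

```python
import ipaddress
import struct

def addr_cksum(dst: str) -> int:
    """16-bit one's-complement fold of the IPv4 target (assumed source-port encoding)."""
    n = int(ipaddress.IPv4Address(dst))
    s = (n >> 16) + (n & 0xFFFF)
    return ((s & 0xFFFF) + (s >> 16)) & 0xFFFF

def build_probe(dst: str, ttl: int, now_ms: int) -> bytes:
    """IPv4 header + first 8 TCP bytes, with the probe's state packed into header fields."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40,   # version/IHL, TOS, total length
                     ttl, 0,        # IP ID = originating TTL (assumed layout); flags/fragment
                     ttl, 6, 0,     # live TTL, protocol TCP, header checksum (0 in this sketch)
                     ipaddress.IPv4Address("192.0.2.1").packed,  # constructed source address
                     ipaddress.IPv4Address(dst).packed)
    # source port = target checksum, destination port 80, sequence number = send time
    tcp = struct.pack("!HHI", addr_cksum(dst), 80, now_ms & 0xFFFFFFFF)
    return ip + tcp

def router_quote(probe: bytes) -> bytes:
    """Simulate the quotation: by the time it expires, the live TTL field no longer says which hop."""
    q = bytearray(probe)
    q[8] = 1
    return bytes(q)

def decode_quotation(quote: bytes, recv_ms: int, hop: str) -> dict:
    """Rebuild (target, ttl, rtt) from the quoted probe alone, with no stored state."""
    ihl = (quote[0] & 0x0F) * 4
    if len(quote) < ihl + 8:
        raise ValueError("quotation shorter than IP header + 8 bytes")
    ipid = struct.unpack("!H", quote[4:6])[0]
    dst = str(ipaddress.IPv4Address(quote[16:20]))
    sport, _dport, seq = struct.unpack("!HHI", quote[ihl:ihl + 8])
    return {"target": dst, "ttl": ipid, "hop": hop,
            "rtt_ms": (recv_ms - seq) & 0xFFFFFFFF,    # modulo 2^32, survives counter wrap
            "dst_intact": sport == addr_cksum(dst)}    # False if the target was rewritten in flight

if __name__ == "__main__":
    # Constructed sample: probe sent at t=1000 ms with TTL 5, reply seen at t=1042 ms.
    quote = router_quote(build_probe("198.51.100.7", 5, 1000))
    print(decode_quotation(quote, 1042, "203.0.113.9"))
```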
What is Yarrp6?
• Yarrp6 is a port of Yarrp for IPv6
• Also stateless and randomized
• But encodes state in a different manner
• Maintains Paris traceroute method for all scans
• Adds the capability to do ICMPv6 and UDP scans as well as the TCP SYN and TCP ACK provided by Yarrp
Porting Yarrp to IPv6
• Extending Yarrp to IPv6 is not a trivial task
• Issues:
  • How to encode state
  • Yarrp permutation library’s 32-bit block size too small for IPv6
  • Raw sockets in IPv6 do not allow for full control of packet headers
  • Rate-Limiting of ICMPv6 error messages
  • Unable to detect responses to TCP probes from targets
Initial Experiments
• Sought to validate and compare Yarrp to current state-of-the-art:
  • Recall of Yarrp6 vs. CAIDA v6 probe cycle
  • Speed of Yarrp6 vs. CAIDA v6 probe cycle
• Compared using CAIDA’s IPv6 data from san-us VP scans done on February 12, 2017
• Same target list containing 75,594 addresses
Yarrp6 vs. CAIDA (cont.)
Rate Limiting of IPv6
• “an IPv6 node MUST limit the rate of ICMPv6 error messages it originates.” – RFC 4443
• We did observe rate-limiting on IPv6
• Hops 1-4 accounted for ~75% of all missing hops
• Only 57 unique addresses missing from these hops
Comparison of Transport Protocols
• Used yarrp6 to compare probe protocol
• Comparison of Transport Protocol on forward IP path inference.
• Used ICMPv6, UDP, TCP SYN, and TCP ACK Paris traceroute probes
• 3 metrics used for comparison:
  • Destination Reached
  • Complete Paths
  • Unique IP Links
Comparison of Transport Protocols (cont.)
Probe Method   Unique Interface   Destinations Reached   Complete IP Paths   Unique IP Links
ICMPv6         45,706             9,535                  3,562*              57,667
UDP            34,567             4,455                  1,776*              37,514
TCP SYN        34,879             N/A#                   N/A#                37,655
TCP ACK        35,178             N/A#                   N/A#                38,262
* Hop 3 skipped in determination of complete path
# Unable to retrieve encoded information from TCP responses
Future Work
• Working w/ Dave Plonka: Use Entropy/IP to generate target list for Yarrp6 to scan.
• Comparison of Yarrp6 to larger dataset such as Rohrer et al. dataset
• Running scans in rapid succession to allow for study into dynamics of IPv6 Internet.
• Yarrp available now; Yarrp6 real soon now. Contact us to beta!
https://www.cmand.org/yarrp/
Questions?
https://www.cmand.org/yarrp/