slide aansw

Adriano Donato De MatteisDaniele Di Proietto

Enrico D’Urso

Tutor: Dott. Valerio LuconiProf: Luciano Lenzini

Course project for AANSW Revealing MPLS Tunnels osbuscured by traceroute

in Italian internet infrastructure

Course project for AANSW Revealing MPLS Tunnels obscured from traceroute

in Italian Internet infrastructure

IntroductionInference Methodology

Our ExperimentAnalysis

Results & Conclusions

Outline

1

2

3

4

5

Introduction

Inference Methodology

Our Experiment

Analysis

Results and Conclusions



Paper

We reproduced the experiment in the paper:

“Revealing MPLS tunnels obscured from traceroute” , B. Donnet, M. Luckie, P. Mérindol and J. Pansiot, 2012

• Understand the deployment of MPLS in Italian infrastructure• Perform AS-Level statistics

Goals

The paper presents some improvements to the traceroute technique, to detectMPLS tunnels.






MPLS features of interest - RFC4950

RFC 4950: It allows routers to embed MPLS information intoan ICMP time-exceeded message






MPLS features of interest - ttl-propagate

TTL-propagate: Router option to copy IP TTL into MPLS TTLwhen creating an MPLS label for an IP packet






Tunnel taxonomy

RFC4950

ttl-propagate

Enabled Disabled

Enabled

Disabled

Explicit

Implicit

Opaque

Invisible

A B C D






Tunnel taxonomy

RFC4950

ttl-propagate

Enabled Disabled

Enabled

Disabled

Explicit

Implicit

Opaque

Invisible

A B C D

?






Tunnel taxonomy

RFC4950

ttl-propagate

Enabled Disabled

Enabled

Disabled

Explicit

Implicit

Opaque

Invisible

A B C D






Outline

2

3

4

5

Introduction


Our Experiment

Analysis


1






Explicit and Invisible tunnels






Easily detectable with an enhanced traceroute tool.

Explicit Tunnels

There is no way to detect them with our methodologies.

Invisible Tunnels

Implicit tunnels: q-ttl signature

Based on TTL of the probe quoted when the ICMP time-exceeded reply isgenerated.

Q-ttl signature






Implicit tunnels: q-ttl signature

For each traceroute probe the quoted TTL will be one greater, and we observe an increasing sequence of quoted TTL values in traceroute.

Q-ttl signature






Implicit tunnels: u-turn tunnel signature

Precondition: For each unique IP address send six ICMP-echo packets from the same monitor.

Based on the fact that LSR could send ping reply packet and traceroute reply packet not in the same way.

U-turn tunnel signature






Implicit tunnels: u-turn tunnel signature

The u-turn signatures we search for are in the form of X, X – 2, X – 4, X – 6, ..., 2, 0 where X corresponds to two times the tunnel length.

U-turn tunnel signature






Opaque tunnels

In opaque tunnels, only LH is visible. The LSE-TTL returned by this one in the time-exceeded reply indicates the presence of an opaque tunnel and its length.

Opaque tunnels






Opaque tunnels

ILER does not enable ttl-propagate, so at the LH the LSE-TTL will be 253, indicating that the tunnel obscures two LSRs.

Opaque tunnels






Outline

3

4

5

Introduction


Our Experiment

Analysis


1

2






Dataset

• We took announced BGP prefixes from Isolario (www.isolario.it)

• We selected only italian prefixes, crossing the data with MaxMind GeoIPLite (www.maxmind.com)

• We took one random address from each italian prefix, avoidingoverlaps. This is our target list.






http://www.isolario.it/

http://www.maxmind.com/

Scans

We launched four scans from fourdifferent places, two different cities(same target list).

Pisa. ISP: Fastweb

Pisa. ISP: Infostrada

Pisa. ISP: GARR

Orbetello (GR). ISP: Telecom Italia






Scamper

Scamper: a Scalable and Extensible Packet Prober for ActiveMeasurement of the Internet.

Scamper

To launch traceroute and to ping we used the tool scamper.

• Traceroutes: we used the Paris technique with udp probes

• Pings: we launched six ping probes for each detected hop, to measuredistance from monitor.






Outline

4

5

Introduction


Our Experiment

Analysis


1

2

3






LSE-TTL = 255

Several times in our traceroute we notice the presence of an LSE-TTL equal to 255.

hop 6 172.17.8.173attempt: 1, rtt: 0.232696s, probe-size: 44reply-size: 168, reply-ttl: 244, reply-ipid: 0x994a, reply-tos 0x00icmp-type: 11, icmp-code: 0, q-ttl: 2, q-len: 44, q-tos 0flags: 0x11 ( sockrxts replyttl )

mpls ext ttl: 255, s: 1, exp: 0, label: 16289

hop 7 172.17.9.17attempt: 1, rtt: 0.201051s, probe-size: 44reply-size: 168, reply-ttl: 245, reply-ipid: 0xa14d, reply-tos 0x00icmp-type: 11, icmp-code: 0, q-ttl: 3, q-len: 44, q-tos 0flags: 0x11 ( sockrxts replyttl )

mpls ext ttl: 255, s: 1, exp: 0, label: 16288






LSE-TTL = 255

In these cases, according to the paper's authors, in our analysis we assume an LSE-TTL equal to 1.






Ping reply TTL = ? (u-turn signature detection)




To measure the distance between monitor and router, we launch a pingrequest, observing then, the IP TTL field in the ping reply.

IP_TTL: 254IP_TTL: 253IP_TTL: 252

IP_TTL: ?IP_TTL: ?-1IP_TTL: ?-2

But there is no guarantee that the router will initialize the IP TTL to 255

We assume that routers will start counting from 254, 128 or 64.



Private IP, No Entry in Whois DB

Normally we retrieve the information about the AS in which the tunnel is located through a whois query on a LSP router’s IP.

WHOIS ?








But …

IS PRIVATE!

172.18.5.234








But …

NO ENTRY IN WHOIS DB!

172.18.5.234

152.164.58.173







Whois : AS3269_INTERB


80.20.6.10685.36.9.114

172.17.8.93 172.17.8.46

Thus we get the information about the AS for ILER and ELER. If these ASs are the same, we assume that the tunnel is located in this AS.








Whois : AS16098_FULCOM

217.27.70.352.115.102.2

10.54.1.57 110.54.1.13

Thus we get the information about the AS for ILER and ELER. If these ASs are the same, we assume that the tunnel is located in this AS.

Otherwise …






Outline

5

Introduction


Our Experiment

Analysis


1

2

3




4



Results: AS-Level




We performed AS-level statistics



Results: AS-Level




Distribution of tunnels among the AS

AS 3269 - INTERB 137 - GARR 3356-LEVEL3 1267 - INFOSTRADA

% 15.5% 6.5% 4.3% 3%



Results: Generals

Total MPLS Tunnels found : 1380

Global ratio: =traceroutetotNumber

MPLSwithtracerouteNumber%52

20044

10355






IP interface granularity:(number of interfaces that return an ICMP response with RFC4950 ext.)

Results: Explicit Tunnels

Total Explicit Tunnels found : 1264Average Explicit Tunnels observed per monitor : 676

%6.97159

6874950

InterfacesTot

RFCwithInterfaces

IP interface granularity:

More prevalent in AS3269-INTERB (Telecom Italia) : 208 (≈1/6)




Fraction of paths with MPLS tunnels observed per monitor




60% of the unique tunnels begin at least 5 hops away from monitor ….









…. and 90% of tunnels are less than 4 hops in length.








Results: Implicit Tunnels




Total Implicit Tunnels found : 10791,6% were identified through q-ttl signature technique

8,4% through u-ttl tunnel signature techniqueMore prealent in AS20746-FULCOM (Telecom Italia) : 27 (≈1/4)



Results: Opaque Tunnels




In our experiment Opaque tunnels were not prevalent … We have found only nine unique opaque tunnels.

(unique paths between ILER and LH are hidden)More prevalent in AS8968-ALBACOM (BT Italia) : 6 (2/3)



Result: Lenghts




Explicit : 1 – 7 (AS12874-FASTWEB)

Implicit : 1 – 2

Opaque : 1 – 6

We can distinguish an opaque tunnel of one hop by an explicit tunnel of one hop because the first has MPLS-ttl = 254 and the second has MPLS-ttl = 1



Conclusions




By comparing our results with the paper’s ones, we can state that in Italy MPLS iswelldeployed as well as in other countries.

In our analysis we observe that 50% of the tunnels, for each kind of them, was discovered in the ASes in which the monitors are located.

Like paper's ones, explicit tunnels are more common than other types (91.6% of the total).

70,4% of the LSP belong to an Tier-2 ASes20,1% of the LSP belong to an Tier-1 ASes.The remaining part belongs to lower-level ASes.



Questions

slide aansw

Technology