internet (ipv4) topology mapping - txv6tf.org (ipv4) topology mapping kamil sarac...
TRANSCRIPT
Internet (IPv4) Topology Mapping
Kamil Sarac ([email protected])
Department of Computer Science The University of Texas at Dallas
Need for Internet topology measurement • Help with network management or surveillance
• Robustness with respect to failures/attacks
• Comprehend spreading of worms/viruses
• Relevant in active defense scenarios
• Scientific discovery • Scale-free (power-law), small-world, rich-club,
disassortativity,…
Internet topology measurement/mapping
2
Traditional approach in layer 3 topology mapping:
Router level maps
3
Network layer Internet topology maps
A sample IP network segment view at Layer 3 • A number of routers connected via subnets
R1 R2 R3
R6 R5
R7
R4
4
A router level map at layer 3
R1 R2 R3
R6 R5
R7
R4
A corresponding router level map view
5
How to build router level network maps ?
Involves topology data collection and topology
construction
How to collect topology data ? Traceroute – a network debugging and diagnostic tool
End-to-end traces from k vantage points to n destinations
where (typically) k << n
How to construct topology maps? Resolving alias IP addresses
Resolving anonymous routers
6
Traceroute-based topology data collection ksarac> tracert -d www.google.com
Tracing route to www.l.google.com [74.125.91.99] over a maximum of 30 hops:
1 2 ms 1 ms 1 ms 10.25.20.50
2 2 ms 4 ms 3 ms 10.21.0.1
3 3 ms 3 ms 3 ms 129.110.5.87
4 3 ms 4 ms 10 ms 129.110.5.65
5 6 ms 4 ms 4 ms 208.76.224.73
6 * 13 ms 6 ms 38.104.34.25
7 5 ms 4 ms 4 ms 154.54.0.125
8 14 ms 15 ms 15 ms 154.54.5.218
9 26 ms 27 ms 26 ms 154.54.2.234
10 28 ms 35 ms 32 ms 154.54.6.206
11 25 ms 25 ms 25 ms 154.54.12.130
12 27 ms 27 ms 28 ms 209.85.254.128
13 49 ms 27 ms 50 ms 72.14.239.90
14 51 ms 96 ms 51 ms 72.14.239.137
15 51 ms 84 ms 52 ms 209.85.254.226
16 51 ms 61 ms 51 ms 209.85.254.239
17 53 ms 53 ms 66 ms 209.85.240.25
18 80 ms 99 ms 51 ms 74.125.91.99
Trace complete.
7
Traceroute, cont’d ksarac> tracert -d www.whitehouse.gov
Tracing route to e2561.b.akamaiedge.net [96.17.250.235 over a maximum of 30 hops:
1 4 ms 2 ms 2 ms 10.25.20.50
2 2 ms 2 ms 2 ms 10.21.0.1
3 3 ms 2 ms 2 ms 129.110.5.87
4 3 ms 10 ms 3 ms 129.110.5.65
5 3 ms 3 ms 3 ms 208.76.224.73
6 4 ms 4 ms 4 ms 38.104.34.25
7 4 ms 4 ms 3 ms 154.54.24.29
8 * * * Request timed out.
9 25 ms 26 ms 25 ms 66.28.4.34
10 26 ms 26 ms 26 ms 154.54.5.2
11 27 ms 26 ms 26 ms 154.54.10.254
12 26 ms 27 ms 27 ms 68.86.86.37
13 36 ms 36 ms 36 ms 68.86.85.62
14 57 ms 58 ms 58 ms 68.86.85.253
15 58 ms 57 ms 57 ms 96.17.250.135
Trace complete.
8
An anonymous router that does
not answer the traceroute query
How to use traceroute for topology discovery?
Internet2 backbone
Traces
• d - H - L - S - e
• d - H - A - W - N - f
• e - S - L - H - d
• e - S - U - K - C - N - f
• f - N - C - K- H - d
• f - N - C - K - U - S - e
S
L
U
K
C
H
A
W
N
e
d
f
9
10
S
L
U C
N
W
A
s.2
l.1
s.3
u.1
l.3
u.3
h.1
k.3
h.2
a.3
u.2 k.1 c.4
a.1 a.2
w.3 c.3
w.1 c.2
n.1 n.3
w.2
l.2
K
c.1
k.2
h.3
d
h.4
s.1 e f
n.2
H
Traces
• d - h.4 - l.3 - s.2 - e
• d - h.4 - a.3 - w.3 - n.3 - f
• e - s.1 - l.1 - h.1 - d
• e - s.1 - u.1 - k.1 - c.1 - n.1 - f
• f - n.2 - c.2 - k.2 - h.2 - d
• f - n.2 - c.2 - k.2 - u.2 - s.3 - e
How to use traceroute for topology discovery?
129.110.5.12
129.110.5.23
129.110.5.221
129.110.5.74
Each router has multiple IP addresses
Traceroute returns only one IP address of
each visited router
11
IP Alias Resolution Problem U K C N
L H A W
S
d
e
f Sampled network
Sample map
without alias resolution
s.3
s.1
s.2
l.3
l.1
u.1
u.2
k.1 c.1 n.1
n.2 k.2 c.2
w.3
a.3
h.2
h.4
h.1
e
d
f
n.3
Traces
• d - h.4 - l.3 - s.2 - e
• d - h.4 - a.3 - w.3 - n.3 - f
• e - s.1 - l.1 - h.1 - d
• e - s.1 - u.1 - k.1 - c.1 - n.1 - f
• f - n.2 - c.2 - k.2 - h.2 - d
• f - n.2 - c.2 - k.2 - u.2 - s.3 - e
12
IP Alias Resolution Approaches
Dest = A
B
Dest = A
Dest = B
A, ID=100
Dest = B
B, ID=99 B, ID=103
A B
A B
Source IP Address Based Method • Relies on a particular implementation of ICMP error generation.
IP Identification Based Method (ally) • Relies on a particular implementation of IP identifier field, • Many routers ignore direct probes.
DNS Based Method • Relies on similarities in the host name structures
sl-bb21-lon-14-0.sprintlink.net sl-bb21-lon-8-0.sprintlink.net
• Works when a systematic naming is used.
Record Route Based Method • Depends on router support to IP route record processing
13
Analytical IP Alias Resolution
MIT
UTD
18.7.21.1
18.168.0.27
129.110.95.1
129.110.5.1
206.223.141.73
192.5.89.89
206.223.141.70
192.5.89.10
198.32.8.34
198.32.8.85 198.32.8.66
198.32.8.65
198.32.8.84
198.32.8.33
192.5.89.9
206.223.141.69
192.5.89.90
206.223.141.74
18.168.0.25
no response
18.7.21.84
no response
Aliases
129.110.5.1 - 206.223.141.74
206.223.141.73 - 206.223.141.69
206.223.141.70 - 198.32.8.33
…
Anonymous Router Resolution Problem
Internet2 backbone S
L
U
K
C
H
A
W
N
e
d
Traces
• d - - L - S - e
• d - - A - W - - f
• e - S - L - - d
• e - S - U - - C - - f
• f - - C - - - d
• f - - C - - U - S - e
14
f
Anonymous Router Resolution Problem
U K C N
L H A W
S
d
e
f
Sampled network
d
e
f S U
L
C
A W
Resulting network
15
Traces
• d - - L - S - e
• d - - A - W - - f
• e - S - L - - d
• e - S - U - - C - - f
• f - - C - - - d
• f - - C - - U - S - e
Anonymous Router Resolution
Basic heuristics • IP: Combine anonymous nodes b/w same known nodes
• Limited resolution
• NM: Combine all anonymous neighbors of a known node • High false positives
More theoretic approaches • Graph minimization approach
• Combine s as long as they do not violate two accuracy conditions:
(1) Trace preservation condition and (2) distance preservation condition
• High complexity O(n5) – n is number of s
• ISOMAP based dimensionality reduction approach • Build an nxn distance matrix then use ISOMAP to reduce it to a nx5 matrix
Distance: (1) hop count or (2) link delay
• High complexity O(n3) – n is number of nodes
U K C N
L H A W
S
x
y
z
Sampled network
x
y
z S U
L
C
A W
After resolution
x
y
z S U
L
C
A
After resolution
W H
x
y
z S U
L
C
A
W
Resulting network 16
Anonymous Router Resolution Graph Based Induction
A x C y2 A x C y2
Parallel -substring
y1
y3
y1
y3
D A w x
C y
E z
D A w x
C y
E z
Star
A
C
x
y
D w
F v
E z
A
C
x
y
D w
F v
E z
Complete Bipartite
A
C
x
y
D w
E z
A
C
x
y
D w
E z
Clique
Anonymous router resolution:
Merge anonymous nodes as long as
they cause no loops in path traces
17
Subnets as first class citizens in network layer Internet
topology maps
18
A network layer view incl. routers & subnets
R1 R2 R3
R6 R5
R7
R4
Not all subnets are created equal !
Can we discover layer 3 view of subnets ? List of alive IP addresses
Subnet number as a.b.c.d/x
19
Why know subnets?
S1 S2
S3 S4
S1 S2
S3 S4
/30
/29 /31
/29
1. An alternative layer 3 view of the Internet map where subnets are nodes
routers are links
20
2. A more complete network layer picture of the underlying network
Why know subnets? P2 & P3 are not node-and-link disjoint
but P1 & P3 are
P1
P3
P2
2. A more complete network layer picture of the underlying network
P1 & P3 are not node-and-link
disjoint as they share the same
subnet
P1
P3
Why know subnets?
How to discover a subnet?
ExploreNET – an active probing based tool • Given an IP address IPv, discovers the subnet
hosting IPv
• Labels with its observable subnet mask
• Uses a set of heuristics for subnet inference
23
ExploreNET
24
Given an IP address IPv, explore the subnet
A B
R1
R7 R6
R5
R4
R3
R2
v (pivot interface) is the interface with IP
address IPv that is TTL = d hops away from
vantage point A
v
How to discover a subnet?
Probing cost is within to
25
ExploreNET internals
How to explore the subnets that v resides?
26
1. Form a /30 subnet S which includes the IP address IPv of the pivot interface v • Check if IPi /30 mate of IPv is likely to be in S
2. Grow S to a /X subnet (X = 29, 28, … )
which includes IPv as long as IP addresses in subnet S satisfy our heuristics
ExploreNET heuristics
9 of them to improve accuracy of our inferences • Q: Does IP address i belong to assumed subnet S ?
• A: Yes with high probability, if it satisfies heuristics
A
Far-fringe
interfaces
Close-fringe
interfaces
Ingress-fringe
interfaces
S
Ingress
Router
27
ExploreNET limitations
Requires router responsiveness
Depends on heuristics based on best practices in layer 3 network configuration
Underestimation due to subnets with sparsely utilized IP addresses
Underestimation due to path diversity due to load balancing or TE practices
28
ExploreNET evaluations
Accuracy and completeness of the heuristics
Comparison against ground truth data • Collected from the public Internet using mrinfo [MDP2010]
• mrinfo – an IP multicast diagnostic tool • Returns IP multicast enabled interfaces of a router
• For each such interface, • returns IP addresses of other multicast enabled interfaces on
the same subnet
mrinfo based ground truth data • A total of 5536 subnets collected from the Internet
ExploreNET experiment • Pick a random IP address from each subnet and run
exploreNET to discover the subnet
29
ExploreNET evaluations - results
M – total no. of subnets (5536)
A – unresponsive (768)
B – exact discovery (3702)
C – failure cases (673)
D – subsumes mrinfo subnets (142)
E – partially unresponsive (251)
F – partially unresponsive and having non-multicast IPs (55)
Completeness-1: |B+D| / |M| = 69%
Completeness-2: |B+D| / |B+C+D| = 85%
30
• Accuracy: |B+D| / |B+D+E+F| = 93%
Use of subnet info for network diagnosis
31
Tracenet: An extension for traceroute
1. Traceroute at A toward B
B A
B A
A network segment
Traceroute returns:
1. One router (or IP address) at each hop on the A-to-B path
2. Point-to-point link between consecutive routers (or consecutive (?) IP addresses)
32
Tracenet: An extension for traceroute
Internet at the network layer consists of • Router & subnets (point-to-point OR multi-access)
33
B A
A network segment with ROUTERs & SUBNETs
B A A traceroute returned network segment
S
Tracenet Overview Traceroute vs tracenet
2. Tracenet at A toward B • At each hop distance d = 2, 3, …
1. Trace collection - Find an IP i in a subnet S at hop d
2. Subnet exploration – Explore subnet S returning all IP’s in it
B A
A network segment
B A
i i’ 34
Tracenet Overview Traceroute vs tracenet
2. Tracenet at A toward B • At each hop distance d = 2, 3, …
1. Trace collection - Find an IP i in a subnet S at hop d
2. Subnet exploration – Explore subnet S returning all IP’s in it
B A
A network segment
S
B A
i 35
Tracenet Overview Traceroute vs tracenet
2. Tracenet at A toward B • At each hop distance d = 2, 3, …
1. Trace collection - Find an IP i in a subnet S at hop d
2. Subnet exploration – Explore subnet S returning all IP’s in it
B A
A network segment
B A
Tracenet returns:
One layer-3 subnet topology at each hop on the path
• Multiple IP addresses at each subnet • Subnetting relation between IP addresses • Subnet mask info for the subnet
• Some IP alias resolution as an artifact
36
traceroute vs tracenet in use
Subnets on a path w/ their subnet mask
IP addresses & hop distances at each subnet
IP alias resolution on the links
37
Conclusions
IPv4 network topology discovery • Router level topology discovery
• IP alias resolution
• Anonymous router resolution
• Subnet discovery • Presented a heuristic to discover L3 subnet info
• Developed two tools implementing the scheme • exploreNET – given an IP address, discovers the subnet
• traceNET – an extension to traceroute
• http://itom.utdallas.edu • To download traceNET and exploreNET implementations
38
Future work
How to extend this to IPv6? • How to do IPv6 alias resolution?
• How to do IPv6 subnet discovery?
39
Thank you
40
TraceNET
Heuristic 1 - Prefix Reduction • Encountering a stop-and-shrink statement implies that the
candidate subnet has been grown beyond its real size
• Execution of this statement shrinks to by removing all IP addresses in /p but not in /p+1
• As the subnet grows larger possibility of encountering a false positive IP address causing execution of stop-and-shrink statement increases
• This rule serves as one of the stopping conditions of subnet exploration algorithm
• This rule increases our confidence level on accuracy of large subnets
41
TraceNET
Heuristic 2 – Upper Bound Subnet Contiguity • Tests whether the candidate IP address is in use and not
located farther from the investigated subnet
• Code Snippet
42
TraceNET
Heuristic 3 – Single Contra Pivot Interface • Eliminates Ingress Fringe Interfaces
• Under a fixed ingress router to subnet
• Code Snippet
43
TraceNET
Heuristic 4 – Lower Bound Subnet Contiguity • Increases the confidence on the contra-pivot interface
determined by the previous heuristic
• Code Snippet
44
TraceNET
Heuristic 5 – Mate-31 Subnet Contiguity • Shortcut rule for immediately adding /31 mate of the pivot
interface
• Valid for /30 mate in case /31 mate did not return a reply
• Code Snippet
45
TraceNET
Heuristic 6 – Fixed Entry Point • Tests whether the examined IP address resides at another
subnet located at the same distance with the explored subnet
• Code Snippet
46
TraceNET
Heuristic 7 – Upper Bound Router Contiguity • Detects far fringe interfaces
• Code Snippet
47
TraceNET
Heuristic 8 – Lower Bound Router Contiguity • Detects close fringe interfaces
• Code Snippet
48
TraceNET
Heuristic 9 – Border Address Reduction • This rule applies to the collected subnet not to the
examined IP address
• It is a post processing operation
• While contains any of the border addresses the subnet is divided into two halves and the one containing the pivot interface is set to be the new iteratively
49