Mapping the Internet

Transcription

1 Mapping the Internet Seminar Communication Systems Spring Semester 2013 Department of Informatics, University of Zurich Tobias Klauser Zurich, 30 May 2013 T. Klauser Mapping the Internet Zurich, 30 May / 34

2 Contents 1 Introduction 2 Techniques and Algorithms 3 Internet Mapping Projects 4 Data Quality and Completeness 5 Questions 6 Discussion T. Klauser Mapping the Internet Zurich, 30 May / 34

3 Introduction Historic map of Oerlikon around 1850 (GIS-ZH, Maps are an important tool to comprehend aspects of the real world Overview of abstract structures, not directly visible to the eye T. Klauser Mapping the Internet Zurich, 30 May / 34

4 1. Humans created maps for ages, example: map of Oerlikon around Maps are always abstractions, leaving out certain details 3. Internet too large to be comprehended at once, no traditional mapping possible 4. Like the real world, structure is rapidly and constantly changing

5 Motivation Detection of congestion, sources of delay, outages, censorship Routing stability, optimality, adaptability, and fault tolerance Correlation of mapping data with additional data (e.g. meteorological) Implementation of topology-aware algorithms Academic research in network theory T. Klauser Mapping the Internet Zurich, 30 May / 34

6 1. Might help ISP in provisioning of infrastructure 2. Internet policy, regulations, and planning (even though no central control but certain agencies overlooking certain aspects) 3. Linking events from the real world to the virtual realm. 4. Performance improvements based on gained insights, detection of bottlenecks 5. Algorithms and concepts from network theory might help to gain a deeper understanding of the Internet s structure and growth and networks in general (e.g. social networks). 6. Mapping as art (examples later on)

7 Techniques and Algorithms Goal: Map the topology of the Internet, path by path Usually active measurements Sending of hop-limited packets (traceroute), interpret responses Annotation of connectivity graph with additional data (e.g. geographical) T. Klauser Mapping the Internet Zurich, 30 May / 34

8 1. No central instance which can be queried for the data, thus active measurement is needed 2. Topology usually at the network/internet protocol layer. 3. Additional data: e.g. geographical or other real world/real time data 4. GeoIP, but not available in same accuracy for all infrastructure (especially routing infrastructure), tricks might need to be used. 5. Annotation optional, but maps usually not of much use without additional data. 6. Nowadays Web services (e.g. Google Maps) allow to create a variety of overlay maps

9 Traceroute start A X Y B Request packet: Dest = B Src = A TTL = 1 Echo req. T. Klauser Mapping the Internet Zurich, 30 May / 34

10 1. Example: Traceroute probe from host A towards host B 2. Simple, abstract example. Intermediate routers possibly have many more interfaces and lateral connections. 3. ICMP Packet only shows important fields: Source and Destination address, TTL, ICMP message 4. Example shown with ICMP echo requests (ping), there are variants with UDP packets to obscure ports 5. Maximum TTL needs to be specified (usually 64 or 128) 6. Same working principle for IPv4 and IPv6

11 Traceroute TTL=1 A X Y B Request packet: Dest = B Src = A TTL = 1 Echo req. Reply packet: Dest = A Src = X TTL = max Time exc. Reported path: Hop 1: X T. Klauser Mapping the Internet Zurich, 30 May / 34

12 Traceroute TTL=2 A X Y B Request packet: Dest = B Src = A TTL = 2 Echo req. Reply packet: Dest = A Src = Y TTL = max Time exc. Reported path: Hop 1: X Hop 2: Y T. Klauser Mapping the Internet Zurich, 30 May / 34

13 Traceroute TTL=3 A X Y B Request packet: Dest = B Src = A TTL = 3 Echo req. Reply packet: Dest = A Src = B TTL = max Echo reply Reported path: Hop 1: X Hop 2: Y Hop 3: B (target) T. Klauser Mapping the Internet Zurich, 30 May / 34

14 Traceroute for Redundant Paths E G A D I B F H D decides on path for packets based on routing policy T. Klauser Mapping the Internet Zurich, 30 May / 34

15 1. In reality, we most often probe topologies with redundant paths 2. Routing policy of nodes in-between very often not known. Needs to be heuristically detected. 3. Can lead to problems with reported paths in case of flow-based routing.

16 Traceroute for Redundant Paths E G A D I B F H Successive traceroute packets might go through E or F Topology reported wrong, e.g. A - D - E - H - I - B T. Klauser Mapping the Internet Zurich, 30 May / 34

17 1. If flow-based Routing is in place, Paris traceroute might be used. 2. Allows to circumvent false reporting in the above case.

18 Probing Target Selection Naïve approach: Probe all addresses from public range Probe representatives for each subnet or Autonomous System (AS) Probe fixed selection of destinations Heuristic approach: Select next target from prefixes of probed paths Generate random addresses for prefix and probe it Add new prefixes seen on the path to list If no prefixes available, select new ones by using neighboring prefixes T. Klauser Mapping the Internet Zurich, 30 May / 34

19 addresses in principle, large block reserved thus less 2. Abstraction (like classical mapping) 3. Heuristic approach: starts with small initial list of prefixes 4. Target selection approach depends on aim of the mapping endeavor. Topology vs. reachability/stability etc. 5. Naïve approach might have been feasible in the 90ies when only a percentage of IPv4 addresses was assigned, nowadays fails completely for IPv6

20 Centralized vs. Distributed Probing Centralized probing: Probing takes a lot of time if done for all public IP subnets Tradeoff in number of hosts probed Distributed probing: Measurements from multiple sources Aggregation of results at central place T. Klauser Mapping the Internet Zurich, 30 May / 34

21 1. Centralized probing: Usually representatives from subnets are probed (heuristic methods) 2. Distributed: Finer grained probing possible

22 Alternative: AS-Level Probing Border Gateway Protocol (BGP) used to exchange routing information on the Internet Each router keeps IP-prefix-to-AS mapping table based on BGP information Determines reachability to other ASs as path Graph of Internet topology could directly be built from this information T. Klauser Mapping the Internet Zurich, 30 May / 34

23 1. BGP path vector protocol (keeps path vectors to other ASs) 2. AS: collection of connected IP network prefixes under control of one or multiple network operators, presents common routing policy to the Internet 3. Can be combined with traceroute: astraceroute

24 IP Address Alias Resolution Routers have at least 2 interfaces (IP addresses) Several might show up in traceroute paths Interfaces belonging to the same router must be identified and merged Strategy for resolutions: Send UDP packets to all addresses seen in traceroute paths Use obscure UDP ports Routers must answer probe packets with ICMP port unreachable Source address of answer set to interface of the unicast route to prober T. Klauser Mapping the Internet Zurich, 30 May / 34

25 1. Needed for topology at router level. 2. Internet routers possibly have 100s of interfaces 3. UDP packets destined for potentially unused UDP ports, provoke ICMP response

26 Internet Mapping Projects Numerous examples of Internet mapping endeavors Historic: The Internet Mapping Project (Cheswick et al. 1998) Shift from centralized to distributed probing Traceroute remains main technique T. Klauser Mapping the Internet Zurich, 30 May / 34

27 RIPE Atlas ( Global measurement network run by RIPE Active measurements (traceroute-based), IPv4 and IPv6 Topology mapping, connectivity and reachability measurements Distributed network of probes (around 4000 registered probes) Atlas probe device ( T. Klauser Mapping the Internet Zurich, 30 May / 34

28 1. RIPE: Réseaux IP Européens, an open forum for all parties interested in wide area IP networks, especially the Internet. 2. You can register to run your own probe. 3. Custom measurements possible

29 RIPE Atlas Map Reachability of a.root-servers.net by IPv6 ( T. Klauser Mapping the Internet Zurich, 30 May / 34

30 1. Map shows location of probes and reachability of a.root-servers.net via IPv6 2. Probing towards fixed destinations (e.g. DNS root servers, RIPE infrastructure) 3. Measurement data is centrally aggregated, analyzed and visualized 4. Generated data sets available to registered users (hosting a probe)

31 RIPE Atlas Measurements Own implementation of traceroute (supports Paris traceroute method) ICMP Ping to probe reachability DNS, HTTP and SSL certificate queries Custom measurements Source code of the measurement tools recently became open source T. Klauser Mapping the Internet Zurich, 30 May / 34

32 1. Custom, user-defined measurements can be defined by registered users, based on a credit system (can be deployed on other probes in network, e.g. to test reachability of own site) 2. Credits can be earned by hosting probes or by sponsoring them

33 CAIDA ( Network of probes (71 active) Aggregated in teams (3 teams active) Probing 9.5 million /24 IPv4 networks 100 packets/sec 2-3 days for full /24 scan (per team) CAIDA probe device (Image courtesy of CAIDA) T. Klauser Mapping the Internet Zurich, 30 May / 34

34 1. The Cooperative Association for Internet Data Analysis (CAIDA) 2. Probes mainly distributed among research institutions 3. Probing device is Raspberry Pi based 4. Uses dynamically generated list of targets, randomly chosen from within /24 prefixes 5. Additional DNS lookups of probed addresses 6. Data sets are publicly available

35 CAIDA T. Klauser Mapping the Internet Zurich, 30 May / 34

36 1. AS-level topology maps created for IPV4 and IPv6. 2. Traceroute paths serve as basis, IP addresses are looked up in BGP tables and are assigned to the longest matching prefix. 3. If two successive hops resolve to different ASs, this is interpreted as link between the two ASs. 4. Several problems: private ASs, multi-origin ASs (same prefix advertised by multiple ASs) 5. Visualization: Angular position: geographical longitude; Color: out-degree of AS (number of outgoing links)

37 Use Case: Hurricane Sandy Superstorm Sandy hit the US East Coast in 2012 Affected region hosts numerous major hubs of global communication networks Analysis of the hurricane s effects on Internet infrastructure T. Klauser Mapping the Internet Zurich, 30 May / 34

38 Use Case: Hurricane Sandy Number of traceroute packets going towards ns.ripe.net during hurricane Sandy (Image courtesy of RIPE Atlas) T. Klauser Mapping the Internet Zurich, 30 May / 34

39 Data Quality and Completeness Percentage of Atlas probes per country (Image courtesy of RIPE Atlas) T. Klauser Mapping the Internet Zurich, 30 May / 34

40 1. Coverage high in Western Europe, Russia and North America. Limited coverage in Africa, Asia and South America.

41 Data Quality and Completeness Worldwide Undersea Communication infrastructure ( T. Klauser Mapping the Internet Zurich, 30 May / 34

42 1. South America and Asia host important hubs of the global communication network. 2. Thickness: transmission capacity

43 Data Quality and Completeness Internet users per 100 people ( T. Klauser Mapping the Internet Zurich, 30 May / 34

44 1. Internet users per 100 people 2. Obviously Western Europe and North America highest, but Eastern Asia and South America (Brazil!) have high percentage too.

45 Data Quality and Completeness Geographical lookups not always exact or even possible Traceroute biased towards shortest-path trees Connectivity on data link layer (layer 2) not considered Interface alias resolution might lead to false negatives Internet s growth is self-organized, no central control Combination of data problematic T. Klauser Mapping the Internet Zurich, 30 May / 34

46 1. Workaround to guess geographical location: Deduce from DNS name (ISPs tend to include geolocation in DNS name)

47 Summary Several active and inactive Internet mapping projects Shift from centralized to distributed probing Usage of Traceroute as basic probing technique Certain shortcomings with respect to completeness and accuracy T. Klauser Mapping the Internet Zurich, 30 May / 34

48 Questions? Thanks for your attention. Do you have any questions? T. Klauser Mapping the Internet Zurich, 30 May / 34

49 Discussion: Additional Data What could be other data of interest to be measured/acquired atop of the topology, and why? T. Klauser Mapping the Internet Zurich, 30 May / 34

50 Discussion: Additional Data What could be other data of interest to be measured/acquired atop of the topology, and why? Services offered by nodes, combination with port scans. Spam-sending networks, correlation with spam block lists. Various demographics: Internet user percentage, mobile phone users per population, population densities. Protocols used: dissemination of IPv6, routing protocols, traffic classification: Web, , P2P,... T. Klauser Mapping the Internet Zurich, 30 May / 34

51 Discussion: Internet Mapping and ISPs Suppose you re a network operator. Why would you want to allow measurements in your network and e.g. disclose geolocations of your infrastructure? Why wouldn t you? T. Klauser Mapping the Internet Zurich, 30 May / 34

52 Discussion: Internet Mapping and ISPs Suppose you re a network operator. Why would you want to allow measurements in your network and e.g. disclose geolocations of your infrastructure? Why wouldn t you? Benefit from more detailed maps, e.g. in order to analyze structure of own infrastructure, might help to identify problems in terms of stability, availability, security,... Non-commerical operators (research networks, universities) are usually quite open about their infrastructure anyway. Disclose company secrets (think about how the large cloud providers keep the locations of their data centers secret), might make it easier to attack infrastructure (e.g. DDoS). T. Klauser Mapping the Internet Zurich, 30 May / 34

53 Discussion: Traceroute Do you see any issues with the traceroute-style probe technique? If yes, how could they be overcome? Can you think of alternatives/amendments to traceroute? T. Klauser Mapping the Internet Zurich, 30 May / 34

54 Discussion: Traceroute Do you see any issues with the traceroute-style probe technique? If yes, how could they be overcome? Can you think of alternatives/amendments to traceroute? Biased towards shortest paths. Lateral connections of routers not considered (unless explicitly probed). Topology on layers below and above Internet layer are not considered. Partial solution: Passive measurements. Shortcomings with respect to flow-based routing. Partial solution: Paris traceroute. Run measurements periodically. Compare current data set to previously generated data sets. T. Klauser Mapping the Internet Zurich, 30 May / 34

55 Discussion: Active vs. Passive Measurements The described projects rely on active measurements. Can you think of a way passive measurements could potentially be used for topology mapping? What could be potential issues? T. Klauser Mapping the Internet Zurich, 30 May / 34

56 Discussion: Active vs. Passive Measurements The described projects rely on active measurements. Can you think of a way passive measurements could potentially be used for topology mapping? What could be potential issues? Probes at large Internet nodes, monitoring traffic flows. Use latency based measures to deduce location of communicating nodes. Hard to map topology since all that can be seen are node-to-node packets or connections. Querying routing tables. Monitoring traffic would need a lot of bandwidth and possibly computational power. Issues with privacy. T. Klauser Mapping the Internet Zurich, 30 May / 34

57 Discussion: Coverage and Completeness Do you think the limited coverage in the presented projects is an issue? Why? How could it possibly be overcome? T. Klauser Mapping the Internet Zurich, 30 May / 34

58 Discussion: Coverage and Completeness Do you think the limited coverage in the presented projects is an issue? Why? How could it possibly be overcome? Cooperate with network equipment vendors (e.g. directly integrating probes in home routers). Work together with large network operators (e.g. SWITCH) or research institutions. T. Klauser Mapping the Internet Zurich, 30 May / 34