
    Speedtrap: Internet-Scale IPv6 Alias Resolution

    Proceedings of the Thirteenth ACM SIGCOMM Internet Measurement Conference (IMC 2013), Barcelona, ES, October 2013. The article of record as published may be located at http://dx.doi.org/10.1145/2504730.2504759.

    Impediments to resolving IPv6 router aliases have precluded understanding the emerging router-level IPv6 Internet topology. In this work, we design, implement, and validate the first Internet-scale alias resolution technique for IPv6. Our technique, Speedtrap, leverages the ability to induce fragmented IPv6 responses from router interfaces in a particular temporal pattern that produces distinguishing per-router fingerprints. Our algorithm surmounts three fundamental challenges to Internet-scale IPv6 alias resolution using fragment identifier values: (1) unlike for IPv4, the identifier counters on IPv6 routers have no natural velocity, (2) the values of these counters are similar across routers, and (3) the packet size required to collect inferences is 46 times larger than required in IPv4. We demonstrate the efficacy of the technique by producing router-level Internet IPv6 topologies using measurements from CAIDA's distributed infrastructure. Our preliminary work represents a step toward understanding the Internet's IPv6 router-level topology, an important objective with respect to IPv6 network resilience, security, policy, and longitudinal evolution.

    IPv6 network infrastructure and stability inference

    IPv6 deployment is increasing as IPv4 address allocations near exhaustion. Many large organizations, including the Department of Defense (DOD), have mandated the transition to IPv6. With the transition to IPv6, new techniques need to be developed to accurately measure, characterize, and map IPv6 networks. This thesis presents a method of profiling the uninterrupted system availability, or uptime, of IPv6 addressable devices. The techniques demonstrated in this study infer system restarts and the operational uptime for IPv6 network devices with a specific focus on IPv6 routers on the Internet. Approximately 50,000 IPv6 addresses were probed continuously from March to June 2014, using the Too Big Trick (TBT) to induce the remote targets to return fragmented responses. By evaluating the responses, the uptime for approximately 35% of the IPv6 addresses can be inferred.

    http://archive.org/details/ipvnetworkinfras1094543958
    Outstanding Thesis
    Chief Warrant Officer Four, United States Army
    Approved for public release; distribution is unlimited.
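    Both abstracts above rest on the same primitive: a router only assigns IPv6 fragment Identification values when it fragments its own packets, so the Too Big Trick (an ICMPv6 Packet Too Big advertising the 1280-byte minimum MTU, followed by an Echo Request larger than that) forces each probed interface to reveal its counter. Interleaved reads of two interfaces that fall on one monotonic sequence point to one router (Speedtrap); a counter that suddenly goes backwards on one interface points to a restart (the uptime thesis). The following is an added illustration of those two inferences, not code from either work. It assumes the TBT exchange has already happened, that a 32-bit counter advances by at most `MAX_GAP` between consecutive probes (a made-up threshold; the papers' own tuning differs), and uses constructed samples rather than captured data.

```python
"""Alias and restart inference from IPv6 fragment Identification values.

Added example in the spirit of Speedtrap and the IPv6 uptime thesis; it is
not their code. Assumes the Too Big Trick has already been applied to each
interface so every reply arrives fragmented and exposes the 32-bit
Identification field of its Fragment header. All samples are constructed.
"""
from dataclasses import dataclass
from itertools import combinations

ID_MOD = 1 << 32   # Identification is 32 bits in the IPv6 Fragment header
MAX_GAP = 64       # assumed bound on ids consumed by other traffic between probes


@dataclass(frozen=True)
class Sample:
    t: float      # seconds since start of the probing run
    addr: str     # interface address that was probed
    ident: int    # Identification value seen in its fragmented reply


def id_delta(prev: int, cur: int) -> int:
    """Forward distance from prev to cur modulo 2^32: a wrap from 0xFFFFFFFF
    to 2 is a step of 3, not a move backwards."""
    return (cur - prev) % ID_MOD


def fits_one_counter(samples, max_gap=MAX_GAP) -> bool:
    """True if, in time order, every id is ahead of the previous one by
    1..max_gap, as reads of a single monotonic per-router counter would be."""
    ordered = sorted(samples, key=lambda s: s.t)
    return all(1 <= id_delta(p.ident, c.ident) <= max_gap
               for p, c in zip(ordered, ordered[1:]))


def interleaved(sa, sb) -> bool:
    """Probes of the two addresses must alternate in time. IPv6 counters have
    no natural velocity (they move only when the router fragments), so two
    distinct routers whose counters sit near the same value would otherwise
    pass fits_one_counter if each were probed in its own time block."""
    ordered = sorted(list(sa) + list(sb), key=lambda s: s.t)
    switches = sum(p.addr != c.addr for p, c in zip(ordered, ordered[1:]))
    return switches >= 2


def infer_aliases(samples, min_per_addr=3, max_gap=MAX_GAP):
    """Partition probed addresses into alias sets: two addresses are joined
    when their interleaved samples read as one counter; sets are the
    connected components of that relation (union-find)."""
    by_addr = {}
    for s in samples:
        by_addr.setdefault(s.addr, []).append(s)
    addrs = sorted(a for a, ss in by_addr.items()
                   if len(ss) >= min_per_addr and fits_one_counter(ss, max_gap))
    parent = {a: a for a in addrs}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for a, b in combinations(addrs, 2):
        if interleaved(by_addr[a], by_addr[b]) and \
                fits_one_counter(by_addr[a] + by_addr[b], max_gap):
            parent[find(a)] = find(b)
    groups = {}
    for a in addrs:
        groups.setdefault(find(a), []).append(a)
    return sorted(groups.values())


def infer_restarts(samples, max_gap=MAX_GAP):
    """For one interface, return probe times at which the counter stopped
    continuing the previous value (went backwards or jumped past max_gap).
    A counter restarting from a small or fresh value is the reboot signal."""
    ordered = sorted(samples, key=lambda s: s.t)
    return [c.t for p, c in zip(ordered, ordered[1:])
            if not 1 <= id_delta(p.ident, c.ident) <= max_gap]


def uptime_at(samples, t_now):
    """Lower bound on uptime: time since the last inferred restart, or since
    the first probe if none was seen (the device may have been up longer)."""
    ordered = sorted(samples, key=lambda s: s.t)
    restarts = infer_restarts(ordered)
    return t_now - (restarts[-1] if restarts else ordered[0].t)


# Constructed samples: A and B sit on one router (one counter), C is another
# router whose counter happens to hold similar values, D is one interface
# observed across a reboot.
A, B, C, D = "2001:db8:1::1", "2001:db8:1::2", "2001:db8:2::1", "2001:db8:3::1"
ALIAS_PROBES = [
    Sample(0.0, A, 1000), Sample(0.25, C, 1003), Sample(0.5, B, 1001),
    Sample(1.0, A, 1002), Sample(1.25, C, 1004), Sample(1.5, B, 1004),
    Sample(2.0, A, 1005), Sample(2.25, C, 1005), Sample(2.5, B, 1006),
]
UPTIME_PROBES = [
    Sample(0.0, D, 5000), Sample(60.0, D, 5010), Sample(120.0, D, 5020),
    Sample(180.0, D, 7), Sample(240.0, D, 15),
]

if __name__ == "__main__":
    print(infer_aliases(ALIAS_PROBES))      # [['2001:db8:1::1', '2001:db8:1::2'], ['2001:db8:2::1']]
    print(infer_restarts(UPTIME_PROBES))    # [180.0]
    print(uptime_at(UPTIME_PROBES, 300.0))  # 120.0
```

    The interleaving check is what addresses the abstract's second challenge: C's values 1003..1005 overlap A's and B's, and it is only because C's probes land between A's and B's in time that the merged sequence runs backwards and C is kept apart. Against real routers the gap threshold has to absorb whatever else the router fragments between probes, and a restart inferred from a single backward step should be confirmed by the following sample continuing from the new value, as D's 7 and 15 do here.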

    Rusty Clusters? Dusting an IPv6 Research Foundation

    The long-running IPv6 Hitlist service is an important foundation for IPv6 measurement studies. It helps to overcome infeasible, complete address space scans by collecting valuable, unbiased IPv6 address candidates and regularly testing their responsiveness. However, the Internet itself is a quickly changing ecosystem that can affect long-running services, potentially inducing biases and obscurities into ongoing data collection. Frequent analyses but also updates are necessary to keep the service valuable to the community. In this paper, we show that the existing hitlist is highly impacted by the Great Firewall of China, and we offer a cleaned view on the development of responsive addresses. While the accumulated input shows an increasing bias towards some networks, the cleaned set of responsive addresses is well distributed and shows a steady increase. Although it is a best practice to remove aliased prefixes from IPv6 hitlists, we show that this also removes major content delivery networks. More than 98% of all IPv6 addresses announced by Fastly were labeled as aliased, and Cloudflare prefixes hosting more than 10M domains were excluded. Depending on the hitlist usage, e.g., higher-layer protocol scans, inclusion of addresses from these providers can be valuable. Lastly, we evaluate different new address candidate sources, including target generation algorithms, to improve the coverage of the current IPv6 Hitlist. We show that a combination of different methodologies is able to identify 5.6M new, responsive addresses. This accounts for an increase of 174%, and combined with the current IPv6 Hitlist, we identify 8.8M responsive addresses.

    Deploying Efficient Internet Topology Primitives

    Cyber Security Division 2013 Principal Investigators' / Homeland Securit

    Mapping autonomous system's router level topology in IPv6

    The core of the Internet is composed of many independent and mutually exclusive collections of routers, called Autonomous Systems, which are responsible for moving traffic between communicating end-systems, or hosts, regardless of the relative location of those hosts. The complexity of the internal composition of these autonomous systems is such that accurate documentation of their topology, referred to as mapping, is difficult and prone to error. Developing automated support for this effort remains an area of active research, the potential benefit of which is the ability to actively monitor the health of the Internet across these autonomous systems, making it possible to identify critical infrastructure chokepoints before their failure adversely impacts the network or national security. The Internet is in the process of transitioning to a new version of the Internet Protocol, the fundamental protocol that melds the heterogeneous networks worldwide into a single cooperative whole. Tools, techniques, and tactics developed for the current version, IPv4, may hold promise for adaptation to support the new version, IPv6. This thesis explores several of the IPv4 techniques that hold promise for adaptation and provides an implementation as a proof-of-concept.

    http://archive.org/details/mappingutonomous109453412
    US Air Force (USAF) author.
    Approved for public release; distribution is unlimited.

    Per-hop Internet Measurement Protocols

    Accurately measuring per-hop packet dynamics on an Internet path is difficult. Currently available techniques have many well-known limitations that make accurate per-hop measurement hard, much of which is due to the lack of protocol support for measuring an Internet path on a per-hop basis. This thesis classifies common weaknesses and describes a protocol for per-hop measurement of Internet packet dynamics, known as the IP Measurement Protocol, or IPMP. With IPMP, a specially formed probe packet collects information from intermediate routers on the packet's dynamics as the packet is forwarded. This information includes an IP address from the interface that received the packet, a timestamp that records when the packet was received, and a counter that records the arrival order of echo packets belonging to the same flow. Probing a path with IPMP allows the topology of the path to be directly determined, and allows direct measurement of per-hop behaviours such as queueing delay, jitter, reordering, and loss. This is useful in many operational situations, as well as for researchers characterising Internet behaviour. IPMP's design goals of being tightly constrained and easy to implement are tested by building implementations in hardware and software. The implementations presented in this thesis show that an IPMP measurement probe can be processed in hardware without delaying the packet, and processed in software with little overhead. This thesis presents IPMP-based measurement techniques for measuring per-hop packet delay, jitter, loss, reordering, and capacity that are more robust, require fewer probes to be sent, and are potentially more accurate and convenient than corresponding measurement techniques that do not use IPMP.

    On The Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications

    As one of the most critical components of the Internet, the Domain Name System (DNS) provides naming services for Internet users, who rely on DNS to perform the translation between domain names and network entities before establishing an Internet connection. In this dissertation, we present our studies on different aspects of the naming infrastructure in today's Internet, including DNS itself and the network services built on the naming infrastructure, such as Content Delivery Networks (CDNs). We first characterize the evolution and features of DNS resolution in web services under the emergence of third-party hosting services and cloud platforms. At the bottom level of the DNS hierarchy, the authoritative DNS servers (ADNSes) maintain the actual mapping records and answer DNS queries. The increasing use of upstream ADNS services (i.e., third-party ADNS-hosting services) and Infrastructure-as-a-Service (IaaS) clouds facilitates the deployment of web services, and has been fostering the evolution of ADNS server deployment. To shed light on this trend, we conduct a large-scale measurement to investigate the ADNS deployment patterns of modern web services and examine the characteristics of different deployment styles, such as performance, life-cycle of servers, and availability. Furthermore, we specifically focus on the DNS deployment for subdomains hosted in IaaS clouds. Then, we examine a pervasive misuse of DNS names and explore a straightforward solution to mitigate the performance penalty in the DNS cache. The DNS cache plays a critical role in domain name resolution, providing (1) high scalability at Root and Top-level-domain nameservers with reduced workloads and (2) low response latency to clients when the resource records of the queried domains are cached. However, pervasive misuses of domain names, e.g., domain names of a "one-time-use" pattern, have a negative impact on the effectiveness of DNS caching, as the cache is filled with entries that are highly unlikely to be retrieved again. By leveraging the features explicitly available from a domain name itself, we propose simple policies for improving DNS cache performance and validate their efficacy using real traces. Finally, we investigate the security implications of a fundamental vulnerability in DNS-based CDNs. The success of CDNs relies on the mapping system that leverages dynamically generated DNS records to distribute a client's request to a proximal server for optimal content delivery. However, the mapping system is vulnerable to malicious hijacks, as it is very difficult to provide pre-computed DNSSEC signatures for dynamically generated records in CDNs. We illustrate that an adversary can deliberately tamper with resolvers to hijack a CDN's redirection by injecting crafted but legitimate mappings between end-users and edge servers, while remaining undetectable by existing security practices, which poses serious threats that nullify the benefits offered by CDNs, such as proximal access, load balancing, and DoS protection. We further demonstrate that DNSSEC is ineffective at addressing this problem, even with the newly adopted ECDSA, which is capable of live signing for dynamically generated DNS records. We then discuss countermeasures against this redirection hijacking.

    On Information-centric Resiliency and System-level Security in Constrained, Wireless Communication

    The Internet of Things (IoT) interconnects many heterogeneous embedded devices, either locally between each other or globally with the Internet. These things are resource-constrained, e.g., powered by battery, and typically communicate via low-power and lossy wireless links. Communication needs to be secured and relies on crypto-operations that are often resource-intensive and in conflict with the device constraints. These challenging operational conditions on the cheapest hardware possible, the unreliable wireless transmission, and the need for protection against common threats of the inter-network impose severe challenges on IoT networks. In this thesis, we advance the current state of the art in two dimensions. Part I assesses Information-centric networking (ICN) for the IoT, a network paradigm that promises enhanced reliability for data retrieval in constrained edge networks. ICN lacks a lower layer definition, which, however, is the key to enabling device sleep cycles and exclusive wireless media access. This part of the thesis designs and evaluates an effective media access strategy for ICN to reduce the energy consumption and wireless interference on constrained IoT nodes. Part II examines the performance of hardware and software crypto-operations executed on off-the-shelf IoT platforms. A novel system design enables the accessibility and auto-configuration of crypto-hardware through an operating system. One main focus is the generation of random numbers in the IoT. This part of the thesis further designs and evaluates Physical Unclonable Functions (PUFs) to provide novel randomness sources that generate highly unpredictable secrets on low-cost devices that lack hardware-based security features. This thesis takes a practical view on the constrained IoT and is accompanied by real-world implementations and measurements. We contribute open source software, automation tools, a simulator, and reproducible measurement results from real IoT deployments using off-the-shelf hardware. The large-scale experiments in an open access testbed provide a direct starting point for future research.

    A Brave New World: Studies on the Deployment and Security of the Emerging IPv6 Internet.

    Recent IPv4 address exhaustion events are ushering in a new era of rapid transition to the next generation Internet protocol, IPv6. Via Internet-scale experiments and data analysis, this dissertation characterizes the adoption and security of the emerging IPv6 network. The work includes three studies, each the largest of its kind, examining various facets of the new network protocol's deployment, routing maturity, and security. The first study provides an analysis of ten years of IPv6 deployment data, including quantifying twelve metrics across ten global-scale datasets, and affording a holistic understanding of the state and recent progress of the IPv6 transition. Based on cross-dataset analysis of relative global adoption rates and across features of the protocol, we find evidence of a marked shift in the pace and nature of adoption in recent years and observe that higher-level metrics of adoption lag lower-level metrics. Next, a network telescope study covering the IPv6 address space of the majority of allocated networks provides insight into the early state of IPv6 routing. Our analyses suggest that routing of average IPv6 prefixes is less stable than that of IPv4. This instability is responsible for the majority of the captured misdirected IPv6 traffic. Observed dark (unallocated destination) IPv6 traffic shows substantial differences from the unwanted traffic seen in IPv4, in both character and scale. Finally, a third study examines the state of IPv6 network security policy. We tested a sample of 25 thousand routers and 520 thousand servers against sets of TCP and UDP ports commonly targeted by attackers. We found systemic discrepancies between intended security policy, as codified in IPv4, and deployed IPv6 policy. Such lapses in ensuring that the IPv6 network is properly managed and secured are leaving thousands of important devices more vulnerable to attack than before IPv6 was enabled. Taken together, findings from our three studies suggest that IPv6 has reached a level and pace of adoption, and shows patterns of use, that indicate serious production employment of the protocol on a broad scale. However, weaker IPv6 routing and security are evident, and these are leaving early dual-stack networks less robust than the IPv4 networks they augment.

    PhD, Computer Science and Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
    http://deepblue.lib.umich.edu/bitstream/2027.42/120689/1/jczyz_1.pd