Abstract
Alias resolution techniques (e.g., Midar) associate, mostly through active measurement, a set of IP addresses as belonging to a common router. These techniques rely on distinct router features that can serve as a signature. Their applicability is affected by router support of the features and the robustness of the signature. This paper presents a new alias resolution tool called Limited Ltd. that exploits ICMP rate limiting, a feature that is increasingly supported by modern routers that has not previously been used for alias resolution. It sends ICMP probes toward target interfaces in order to trigger rate limiting, extracting features from the probe reply loss traces. It uses a machine learning classifier to designate pairs of interfaces as aliases. We describe the details of the algorithm used by Limited Ltd. and illustrate its feasibility and accuracy. Limited Ltd. not only is the first tool that can perform alias resolution on IPv6 routers that do not generate monotonically increasing fragmentation IDs (e.g., Juniper routers) but it also complements the state-of-the-art techniques for IPv4 alias resolution. All of our code and the collected dataset are publicly available.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
We have explicitly verified that the actual probing rate is not limited by the network card or other factors.
- 2.
The largest reported alias set by Midar and Speedtrap has 43 interfaces. Therefore, the likelihood of observing 50 candidate interfaces that are all aliases is low.
- 3.
Limited Ltd. maintains the flow ID necessary to reach \(\kappa _s\) in subsequent probing of s and \(\kappa _s\).
- 4.
References
PlanetLab Europe. https://www.planet-lab.eu
Private communication with CAIDA
RIPE Registry. https://www.ripe.net/publications/docs/ripe-508
Alvarez, P., Oprea, F., Rule, J.: Rate-limiting of IPv6 traceroutes is widespread: measurements and mitigations. In: Proceedings of IETF, vol. 99 (2017)
Aminikhanghahi, S., Cook, D.J.: A survey of methods for time series change point detection. Knowl. Inf. Syst. 51(2), 339–367 (2017)
Augustin, B., et al.: Avoiding traceroute anomalies with Paris Traceroute. In: Proceedings of IMC (2006)
Bender, A., Sherwood, R., Spring, N.: Fixing Ally’s growing pains with velocity modeling. In: Proceedings of IMC (2008)
Breiman, L., Friedman, J., Olshen, R., Stone, C.: Classification and Regression Trees. Wadsworth and Brooks, Monterey (1984)
Cisco: Cisco IOS quality of service solutions configuration guide, release 12.2SR. In: Policing and Shaping Overview. https://www.cisco.com/c/en/us/td/docs/ios/qos/configuration/guide/12_2sr/qos_12_2sr_book/polcing_shping_oview.html
Cisco: Configure commonly used IP ACLs. https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
Cisco: Control plane policing implementation best practices. https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html#7
Cisco: IPv6 ICMP rate limiting. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-icmp-rate-lmt-xe.pdf
Conta, A., Gupta, M.: RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol version 6 (IPv6) specification. IETF (2006)
Deal, R.A.: Cisco router firewall security: DoS protection. http://www.ciscopress.com/articles/article.asp?p=345618&seqNum=5
Ensafi, R., Knockel, J., Alexander, G., Crandall, J.R.: Detecting intentional packet drops on the Internet via TCP/IP side channels. In: Proceedings of PAM (2014)
Govindan, R., Tangmunarunkit, H.: Heuristics for Internet map discovery. In: Proceedings of INFOCOM (2000)
Gunes, M.H., Sarac, K.: Resolving IP aliases in building traceroute-based Internet maps. IEEE/ACM Trans. Netw. 17(6), 1738–1751 (2009)
Gunes, M.H., Sarac, K.: Importance of IP alias resolution in sampling Internet topologies. In: Proceedings of GI (2007)
Guo, H., Heidemann, J.: Detecting ICMP rate limiting in the Internet. In: Proceedings of PAM (2018)
Juniper: Default ICMP rate limit on the system for host inbound connections. https://kb.juniper.net/InfoCenter/index?page=content&id=KB28184&cat=SRX_SERIES&actp=LIST
Juniper: IPv6 multicast routing on E series broadband services routers, release 15.1. Access-list. https://www.juniper.net/documentation/en_US/junose15.1/topics/reference/command-summary/access-list.html
Juniper: Policer implementation overview. https://www.juniper.net/documentation/en_US/junos/topics/concept/policer-mx-m120-m320-implementation-overview.html
Juniper: System management and monitoring feature guide for switches. Internet-options (ICMPv4). https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/icmpv4-rate-limit-edit-system.html
Juniper: System management and monitoring feature guide for switches. Internet-options (ICMPv6). https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/icmpv6-rate-limit-edit-system.html
Keys, K.: Internet-scale IP alias resolution techniques. ACM SIGCOMM Comput. Commun. Rev. 40(1), 50–55 (2010)
Keys, K., Hyun, Y., Luckie, M., Claffy, K.: Internet-scale IPv4 alias resolution with MIDAR. IEEE/ACM Trans. Netw. 21(2), 383–399 (2013)
Killick, R., Eckley, I.A.: changepoint: an R package for changepoint analysis. J. Stat. Softw. 58(3), 1–19 (2014). http://www.jstatsoft.org/v58/i03/
Kim, S., Harfoush, K.: Efficient estimation of more detailed Internet IP maps. In: Proceedings of ICC (2007)
Luckie, M., Beverly, R., Brinkmeyer, W., et al.: SpeedTrap: Internet-scale IPv6 alias resolution. In: Proceedings of IMC (2013)
Marchetta, P., Persico, V., Pescapè, A.: Pythia: yet another active probing technique for alias resolution. In: Proceedings of CoNEXT (2013)
Padmanabhan, R., Li, Z., Levin, D., Spring, N.: UAv6: alias resolution in IPv6 using unused addresses. In: Proceedings of PAM (2015)
Pansiot, J.J., Grad, D.: On routes and multicast trees in the Internet. ACM SIGCOMM Comput. Commun. Rev. 28(1), 41–50 (1998)
Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
Postel, J.: RFC 792. Internet Control Message Protocol, IETF (1981)
Qian, S., Wang, Y., Xu, K.: Utilizing destination options header to resolve IPv6 alias resolution. In: Proceedings of GLOBECOM (2010)
Qian, S., Xu, M., Qiao, Z., Xu, K.: Route positional method for IPv6 alias resolution. In: Proceedings of ICCCN (2010)
Ravaioli, R., Urvoy-Keller, G., Barakat, C.: Characterizing ICMP rate limitation on routers. In: Proceedings of ICC (2015)
Sherry, J., Katz-Bassett, E., Pimenova, M., Madhyastha, H.V., Anderson, T., Krishnamurthy, A.: Resolving IP aliases with prespecified timestamps. In: Proceedings of IMC (2010)
Sherwood, R., Bender, A., Spring, N.: Discarte: a disjunctive Internet cartographer. ACM SIGCOMM Comput. Commun. Rev. 38(4), 303–314 (2008)
Spring, N., Mahajan, R., Wetherall, D.: Measuring ISP topologies with rocketfuel. ACM SIGCOMM Comput. Commun. Rev. 32(4), 133–145 (2002)
Vermeulen, K., Strowes, S.D., Fourmaux, O., Friedman, T.: Multilevel MDA-lite Paris Traceroute. In: Proceedings of IMC (2018)
Willinger, W., Alderson, D., Doyle, J.C.: Mathematics and the Internet: a source of enormous confusion and great potential. Not. Am. Math. Soc. 56(5), 586–599 (2009)
Acknowledgments
We thank Niels den Otter from SURFnet and Simon Leinen from Switch network for their time in conducting joint experiments of Limited Ltd. We thank people from Internet2 and Switch for providing the ground truth of their network. We thank the anonymous reviewers from both the PAM TPC and our shepherd, for their careful reading of this paper and suggestions for its improvement. Kevin Vermeulen, Olivier Fourmaux, and Timur Friedman are associated with Sorbonne Université, CNRS, Laboratoire d’informatique de Paris 6, LIP6, F-75005 Paris, France. Kevin Vermeulen and Timur Friedman are associated with the Laboratory of Information, Networking and Communication Sciences, LINCS, F-75013 Paris, France. A research grant from the French Ministry of Defense has made this work possible.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
A Ethical Considerations
A Ethical Considerations
1.1 A.1 Precautions Taken
We take two precautions, that we understand to be community best practice: We sent all probing traffic from IP addresses that were clearly associated via WhoIs with their host locations, either at our institution or others hosting PlanetLab Europe nodes. We have also set up a web server on the probing machines with a contact email, so that any network operators could opt out from our experiment. We received no notice whatsoever from network operators expressing concern about our measurements. Though this is a positive sign, it could be that there are impacts that were not noticed, or that the concerns did not reach us. We therefore pushed our examination further, as detailed in the following sections.
1.2 A.2 Impact on Other Measurements
Limited Ltd. ’s \(\mathtt {find\_rate}()\) aims to find an ICMP Echo Request probing rate that produces an Echo Reply trace with a loss rate in the [0.05, 0.10] range. While it is searching for this rate, it can induce a loss rate above 0.10. If it does so, it proceeds to a binary search to find a lower probing rate for which traces falls within the desired range. Figure 5 shows that loss rates can go as high as 0.60.
The impact on reachability for the IP addresses of that node is that there is a worst case 0.60 probability that a single ping packet to such an address will not receive a response if it arrives at the node during the five seconds of highest rate probing time. Most pings occur in series of packets, so the worst case probabilities are 0.36 for two ping packets being lost, 0.22 for three, 0.13 for four, 0.08 for five, and 0.05 for six. These are worst case probabilities for the five seconds at highest loss rate. Average reachability failure probabilities are 0.22 for one ping packet, 0.05 for two, 0.01 for three, and so on, while a node is being probed at its highest rate. To judge whether such a level of interference with other measurements is exceptional, we compare it to the impact of the state-of-the-art Midar tool. Midar has a phase during which it elicits three series of 30 responses each, using different methods for each series: TCP SYN packets, to elicit TCP RST or TCP SYN-ACK responses; UDP packets to a high port number, to elicit ICMP Destination Unreachable responses; and ICMP Echo Request packets, to elicit ICMP Echo Reply responses [26]. The probing rate is very low compared to Limited Ltd.: a mere 100 packets per second across multiple addresses. This is not a concern for the TCP and ICMP probing. However, the UDP probing taps into an ICMP rate limiting mechanism that tends to be much less robust than the typical ICMP Echo Reply mechanism on some routers. ICMP Destination Unreachable messages are often rate limited at 2 packets per second, which is \(1/500^\mathrm {th}\) the typical rate at which ICMP Echo Reply messages are rate limited. (For example, the default rate at which Cisco routers limit ICMP Destination Unreachable messages is 1 every 500 ms.)
We found that, when an IP address is a traceroute destination, Midar can completely block ICMP Destination Unreachable messages coming from that destination. Figure 6 illustrates the impact. The figure shows two traceroute results, the top one from before or after Midar being run, and the bottom one during Midar probing. During the Midar run, we see that traceroute receives no responses while it is probing hop 15, where the destination is in fact to be found. The normal functioning of traceroute is to continue probing at higher and higher hop counts. Only a few seconds later, when traceroute is sending probes to hop 20, does it start to receive ICMP Destination Unreachable messages from the destination. The result is an erroneous traceroute, indicating that the destination is five hops further away than it actually is. We observed this erroneous traceroute effect on 2,196 IP addresses out of a dataset of 10,000 IPv4 addresses collected from across the Internet. For both Limited Ltd. and Midar, transient interference with other measurements can be observed for the few seconds during which an IP address is being probed. Our conclusion is not that the diminution in ping reachability induced by Limited Ltd. is necessarily anodyne. Care should be taken to circumscribe this effect. But we observe that it does not stand out in terms of its impact on other measurements.
CPU Usage. We now examine the CPU overhead generated by Limited Ltd., and its potential impact on the forwarding plane and other features involving the CPU. We have run an experiment in a local network with our own Cisco (model 3825, IOS 12.3) and Juniper (model J4350, JunOS 8.0R2.8) routers. The experiment consists in measuring three metrics while \(\mathtt {find\_rate}()\) routine of Limited Ltd., which has the highest probing rate, is running. We measured: (1) The CPU usage of the router, (2) the throughput of a TCP connection between the two end hosts, and (3) the rate of BGP updates. ICMP rate limiting is configured on both our Juniper and Cisco routers with an access list [10, 21], limiting the ICMP input bandwidth destined to the router to 1,000 packets per second, which is the default configuration on Juniper routers.
TCP throughput was unaffected, at an average of 537 Mbps and BGP updates remained constant at 10 per second. CPU usage was at 5% for Cisco and 15% for Juniper when Limited Ltd. was not probing. During the probing, the maximum overhead was triggered for both at a maximum probing rate of 2,048 packets per second, with a peak at 10% for Cisco and 40% for Juniper during 5 s. Our conclusion is that there is an impact of high probing rates on CPU, but we do not witness a disruptive impact on either the data plane (TCP throughput) or the control plane (BGP update rate).
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Vermeulen, K. et al. (2020). Alias Resolution Based on ICMP Rate Limiting. In: Sperotto, A., Dainotti, A., Stiller, B. (eds) Passive and Active Measurement. PAM 2020. Lecture Notes in Computer Science(), vol 12048. Springer, Cham. https://doi.org/10.1007/978-3-030-44081-7_14
Download citation
DOI: https://doi.org/10.1007/978-3-030-44081-7_14
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-44080-0
Online ISBN: 978-3-030-44081-7
eBook Packages: Computer ScienceComputer Science (R0)