REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX

Size: px

Start display at page:

Download "REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX"

Willa Hamilton
5 years ago
Views:

1 REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX Gregory Detal*, Benjamin Hesmans*, Olivier Bonaventure*, Yves Vanaubel and Benoit Donnet. *Université catholique de Louvain Université de Liège

2 Outline Middleboxes interference Detect packet modification with ICMP Tracebox Measurements results

3 The end-to-end principle Application Application Transport Transport Network Data link Physical Data link Physical Network Data link Physical Network Data link Physical

4 does not hold Application Transport Network Data link Physical Data link Physical Application Transport Network Data link Physical Application Transport Network Data link Physical

5 In reality Sherry, Justine, et al. "Making middleboxes someone else's problem: Network processing as a cloud service." Proceedings of the ACM SIGCOMM 2012 conference. ACM, 2012.

6 TCP Segment processed by a router IP TCP Ver IHL ToS Total length Identification Flags Frag. Offset TTL Protocol Checksum Source IP address Destination IP address Source port Destination port Sequence number Acknowledgment number THL Reserved Flags Window Checksum Urgent pointer Options Ver IHL ToS Total length Identification Flags Frag. Offset TTL Protocol Checksum Source IP address Destination IP address Source port Destination port Sequence number Acknowledgment number THL Reserved Flags Window Checksum Urgent pointer Options Payload Payload

7 How transparent is the Internet? 25th September 2010 to 30th April access networks 24 countries Craft TCP segments using custom scripts Sent specific TCP segments from client to a server in Japan Honda, Michio, et al. "Is it still possible to extend TCP?" Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. ACM, 2011.

8 TCP Segments on the today s Internet IP TCP Ver IHL ToS Total length Identification Flags Frag. Offset TTL Protocol Checksum Source IP address Destination IP address Source port Destination port Sequence number Acknowledgment number THL Reserved Flags Window Checksum Urgent pointer Options Ver IHL ToS Total length Identification Flags Frag. Offset TTL Protocol Checksum Source IP address Destination IP address Source port Destination port Sequence number Acknowledgment number THL Reserved Flags Window Checksum Urgent pointer Options Payload Payload

9 Potentially miss a lot of middleboxes

10 Outline Middleboxes interference Detect packet modification with ICMP Tracebox Measurements results

11 Traceroute with ICMP in a nutshell IP/TCP Ver IHL ToS Total length Identification Flags Frag. Offset TTL TTL=1 TTL=2 Protocol Checksum Source IP address Destination IP address Source port Destination port Sequence number Acknowledgment number THL Reserved Flags Window Checksum Urgent pointer

12 Traceroute with ICMP in a nutshell IP IP/ICMP type = 11 code = 0 checksum 0 (unused) Ver IHL ToS Total length Use the IP source to identify routers Identification Flags Frag. Offset 1 Protocol Checksum Source IP address Destination IP address Source port Destination port Sequence number

13 Middlebox detection with ICMP Ver IHL ToS Total length Ver IHL ToS Total length Identification Flags Frag. Offset 1 Protocol Checksum Source IP address Destination IP address Source port Destination port Sequence number Compare Identification Flags Frag. Offset 2 Protocol Checksum Source IP address Destination IP address Source port Destination port Sequence number Acknowledgment number THL Reserved Flags Window Checksum Urgent pointer

14 ICMP-based modification detection RFC792 requires ICMP to include only the first 8 bytes of the transport header. Ver IHL ToS Total length Identification In 1995 RFC1812 and in 2007 RFC4884 requires that TTL Protocol Checksum routers should quote the complete original packet. Source port Destination port By default on Linux, Cisco Sequence IOX, number HP routers, Alcatel Acknowledgment number routers, PaloAlto Firewall, etc. THL Reserved Flags Checksum Source IP address Destination IP address Options Flags Frag. Offset Window Urgent pointer Payload

15 80 % of Internet paths contains at least one RFC1812-capable router

16 ICMP detection limitations Similar to traceroute: Filtering of ICMP Routers throttle or does not send ICMP To detect middlebox in front of server, the latter should generate an ICMP.

17 Outline Middleboxes interference Detect packet modification with ICMP Tracebox Measurements results

18 Tracebox Uses the previous mechanism to detect middleboxes. Implemented in C++ with Lua embedded. Libcrafter allows to efficiently describe probes as Scapy. Open source and available at Supports Linux and Mac OSX

19 Tracebox Usage: tracebox [ OPTIONS ] host Options are: -h Display this help and exit -n Do not resolve IP addresses -6 Use IPv6 for static probe generated -u Use UDP for static probe generated -d port Use the specified port for static probe generated. Default is 80. -i device Specify a network interface to operate with -m hops_max Set the max number of hops (max TTL to be reached). Default is 30 -p probe Specify the probe to send. -s script Run a script.

20 Probe definition SYN probe that contains the window scale option ip{} / tcp{flags=0x2,dst=80} / WSCALE IP / TCP / wscale(9) / NOP IPv6/UDP probe with payload IPv6 / udp{dst=5678} / raw( this is a payload ) Multiple options: ip{} / RR(8) / tcp{dst=80} / mss(1400) / WSCALE / TS

21 Output example # tracebox -n -p IP/TCP/MSS/MPCAPABLE/WSCALE bahn.de tracebox to (bahn.de): 64 hops max 1: IP::CheckSum 2: IP::TTL IP::CheckSum 3: IP::TTL IP::CheckSum 4: IP::TTL IP::CheckSum 5: IP::TTL IP::CheckSum 6: IP::TTL IP::CheckSum 7: IP::TTL IP::CheckSum 8: IP::TTL IP::CheckSum 9: IP::TTL IP::CheckSum 10: TCP::CheckSum IP::TTL IP::CheckSum TCPOptionMaxSegSize::MaxSegSize TCPOptionMPTCPCapable -TCPOptionWindowScale

22 Output example # tracebox -n -p IP/TCP/MSS/MPCAPABLE/WSCALE bahn.de tracebox to (bahn.de): 64 hops max 1: IP::CheckSum 2: IP::TTL IP::CheckSum 3: IP::TTL IP::CheckSum 4: IP::TTL IP::CheckSum 5: IP::TTL IP::CheckSum 6: IP::TTL IP::CheckSum 7: IP::TTL IP::CheckSum 8: IP::TTL IP::CheckSum 9: IP::TTL IP::CheckSum 10: TCP::CheckSum IP::TTL IP::CheckSum TCPOptionMaxSegSize::MaxSegSize TCPOptionMPTCPCapable -TCPOptionWindowScale

23 Output example # tracebox -n -p IP/TCP/MSS/MPCAPABLE/WSCALE bahn.de tracebox to (bahn.de): 64 hops max 1: IP::CheckSum 2: IP::TTL IP::CheckSum 3: IP::TTL IP::CheckSum 4: IP::TTL IP::CheckSum 5: IP::TTL IP::CheckSum 6: IP::TTL IP::CheckSum 7: IP::TTL IP::CheckSum 8: IP::TTL IP::CheckSum 9: IP::TTL IP::CheckSum 10: TCP::CheckSum IP::TTL IP::CheckSum TCPOptionMaxSegSize::MaxSegSize TCPOptionMPTCPCapable -TCPOptionWindowScale

24 Outline Middleboxes interference Detect packet modification with ICMP Tracebox Measurements results

25 Measurements Used PlanetLab to perform experiments PlanetLab nodes are supposed to be directly connected to the Internet. Sources: 70 vantage points Destinations: Top 5000 Alexa

26 Some middleboxes randomize the TCP sequence number Seq 42 "A" Seq 1042 "A" Seq 43 "B" Seq 1043 "B" Seq 44 "A" Seq 1044 "B"

27 but does not modify the SACK blocks Seq 42 "A" Seq 1042 "A" Seq 43 "B" Seq 1043 "B" Seq 44 "A" Seq 1044 "B" Ack 43 SACK 1044,1044 Ack 1043 SACK 1044,1044 Missmatch

28 Evaluation of the impact Ack = Ack - Δ TCP Seq Modification 1 % Seq = Seq + Δ Discard Click

29 Linux performance significantly drops

30 Firewall at source modified the MSS

31 Core network also look at the MSS option and modifies it

32 Lessons learned There exists middleboxes that affect performances and network operators are not always aware of them. Tracebox can detect some middleboxes. Tracebox could help network operators to debug their network even better with more routers that are RFC1812-capable.

33 Thank you. Questions?

Packet Header Formats

A P P E N D I X C Packet Header Formats S nort rules use the protocol type field to distinguish among different protocols. Different header parts in packets are used to determine the type of protocol used