Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson


Page 1

Loose Source Routing as a Mechanism for Traffic Policies

Katerina Argyraki and David R. Cheriton

Presented by Thuan Huynh, Robert Patro, and Shomir Wilson

Page 2

Overview

• Background and theory
• Implementation
• Applications
• Related works

Page 3

Brief Review of LSRR

Loose Source Record Routing (LSRR) is an option in IP.

The sender specifies a list of IP addresses that the datagram must traverse.

The route is “loose”: the datagram can pass through other routers between any two addresses on the list.

Page 4

LSRR Continued

Example of IP Source Routing (S sends to D via R1, R2, R3; # marks the option pointer):

• As specified by the sender: dest=D, route {#R1, R2, R3}
• S → R1: dest=R1, option {#R2, R3, D}
• R1 → R2: dest=R2, option {R1, #R3, D}
• R2 → R3: dest=R3, option {R1, R2, #D}
• R3 → D: dest=D, option {R1, R2, R3#}

General Format of the IP Source Route Option:

  code    len     ptr     IP addr #1   IP addr #2   . . .   IP addr #9
  1 byte  1 byte  1 byte  4 bytes      4 bytes              4 bytes

  total: 39 bytes
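Worked example of the option layout and hop-by-hop rewriting shown on this slide. This is an added example, not code from the paper or the presentation: the addresses are constructed stand-ins for R1, R2, R3 and D, and the per-hop rule follows RFC 791 (option type 0x83, pointer starting at 4, the router recording its own address in the slot it consumed). The `contains_source_route` scan at the end is the check a filter that drops source-routed datagrams has to perform on the variable-length options area, which is exactly the processing cost the later slides contrast WRAP against.

```python
"""IPv4 Loose Source and Record Route (LSRR) option: build, validate, step hop by hop.

Added example, not code from the paper or the slides. Addresses are constructed;
the per-hop rule follows RFC 791.
"""
import struct

LSRR_TYPE = 0x83        # option type: copied=1, class=0, number=3
SSRR_TYPE = 0x89        # Strict Source and Record Route, same layout
MAX_OPTION_LEN = 39     # code + len + ptr + 9 addresses * 4 bytes


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_lsrr(addresses):
    """Option as the sender's IP layer emits it: pointer 4 selects the first listed address."""
    if not 1 <= len(addresses) <= 9:
        raise ValueError("LSRR carries 1..9 addresses (option length at most 39 bytes)")
    data = b"".join(ip_to_bytes(a) for a in addresses)
    return struct.pack("!BBB", LSRR_TYPE, 3 + len(data), 4) + data


def parse_lsrr(option: bytes):
    """Validate the fixed fields and return (pointer, [addresses]); raise on a malformed option."""
    if len(option) < 3 or option[0] != LSRR_TYPE:
        raise ValueError("not an LSRR option")
    length, pointer = option[1], option[2]
    if length != len(option) or length > MAX_OPTION_LEN or (length - 3) % 4:
        raise ValueError("bad LSRR length")
    # The pointer counts bytes from the start of the option; legal values are 4, 8, ..., length + 1
    if pointer < 4 or (pointer - 4) % 4 or pointer > length + 1:
        raise ValueError("bad LSRR pointer")
    addrs = [bytes_to_ip(option[i:i + 4]) for i in range(3, length, 4)]
    return pointer, addrs


def route_step(option: bytes, router: str):
    """LSRR processing at `router`, the datagram's current IP destination.

    RFC 791: the address the pointer selects becomes the new IP destination, the
    router writes its own address into that slot (the "record" part), and the
    pointer advances by 4. Returns (new_option, new_destination).
    """
    pointer, addrs = parse_lsrr(option)
    if pointer > len(option):
        raise ValueError("pointer exhausted: this node is the final destination")
    slot = (pointer - 4) // 4
    next_dst = addrs[slot]
    addrs[slot] = router
    data = b"".join(ip_to_bytes(a) for a in addrs)
    return struct.pack("!BBB", LSRR_TYPE, len(option), pointer + 4) + data, next_dst


def simulate(route):
    """Walk a datagram along `route` = [first relay, ..., final destination].

    Returns one (ip_dst, pointer, addresses) tuple per transmission, starting
    with what the sender puts on the wire, matching the sequence on the slide.
    """
    dst, option = route[0], build_lsrr(route[1:])
    states = [(dst, *parse_lsrr(option))]
    while parse_lsrr(option)[0] <= len(option):
        option, dst = route_step(option, dst)
        states.append((dst, *parse_lsrr(option)))
    return states


def contains_source_route(options: bytes) -> bool:
    """Scan an IPv4 options area for LSRR/SSRR, as a filter that drops source-routed datagrams must."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:             # End of Option List
            return False
        if kind == 1:             # No Operation, a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed option list")
        if kind in (LSRR_TYPE, SSRR_TYPE):
            return True
        i += options[i + 1]       # skip this option by its own length byte
    return False


if __name__ == "__main__":
    # Constructed addresses standing in for R1, R2, R3 and D on the slide
    R1, R2, R3, D = "10.1.0.1", "10.2.0.1", "10.3.0.1", "10.4.0.1"
    for dst, ptr, addrs in simulate([R1, R2, R3, D]):
        slot = (ptr - 4) // 4
        marked = [("#" + a) if i == slot else a for i, a in enumerate(addrs)]
        if slot >= len(addrs):
            marked[-1] += "#"     # pointer past the end: route fully consumed
        print(f"dest={dst}  {{{', '.join(marked)}}}")
```

Running the module prints the four transmissions in the slide's notation. Note that every step re-validates the option: a relay that trusts the pointer or length byte blindly would index past the option, which is why the option walk is expensive to do at wire speed.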

Page 5

WRAP: Wide-Area Relay Addressing Protocol

WRAP runs on top of IP and uses loose-source routing, but implements it differently from IP’s LSRR.

WRAP and LSRR are…

• Similar: A WRAP packet includes a forward path and a reverse path. Every time a relay on the forward path is traversed, it is moved to the reverse path.

• Different: The WRAP header (including the forward and reverse paths) is included at the beginning of the IP payload. The source and destination in the IP header are the next and previous “hops” taken by the packet.

Page 6

WRAP Advantages Over LSRR

• Relaying of WRAP packets is easier to implement in hardware.

• Filtering of WRAP packets can be done with conventional wire-speed filters (similar to TCP/UDP-level filters).

• LSRR relaying or filtering requires processing the variable-length IP options field, typically requiring the CPU.

Page 7

Transmit Policies

WRAP enables a node to specify a transmit policy for each packet.

An edge system can compute multiple paths to a destination, monitor them, and choose between them based on QoS needs.

Either an access router that connects an edge network to the Internet computes the paths and makes the choice, or…

the end user (a PC application or a person) specifies the paths for outgoing traffic.

Either way, the Internet core becomes purely a forwarding engine.

Page 8

Receive Policies

WRAP enables a node to specify a receive policy for each packet (accept, block, rate-limit) according to its end-to-end path.

A victim of a DDoS attack can ask routers close to the attack sources to block “bad” traffic from them.

This is implemented with Active Internet Traffic Filtering (AITF), which verifies that filtering requests are legitimate: a node M cannot disrupt traffic between A and B unless M is on the path between them.

Page 9

Alternatives to LSRR/WRAP

• Transmit policies with labels: the edge system tags each packet with a policy label that indicates how it should be routed.
  Good: less burdensome on edge systems. Bad: each ISP knows only its own internal performance.

• Receive policies via hop-by-hop traceback: requests to rate-limit traffic propagate hop-by-hop upstream.
  Good: again, less burdensome. Bad: core routers become a filtering bottleneck.

Page 10

WRAP header layout:

  bits   0-7        8-15      16-23     24-31
         protocol   length    foffset   reserved
         reverse path (32-bit addresses)
         forward path (32-bit addresses)
         data

• protocol – The higher-layer protocol (UDP, TCP etc.).
• length – The number of 32-bit addresses in the reverse and forward paths.
• foffset – The offset into the list of addresses where the forward path field starts.
• reverse path – List of 32-bit addresses corresponding to the end-point and relays already traversed.
• forward path – List of 32-bit addresses corresponding to the relays and end-point still ahead.
• data – Contains the higher-level (protocol format) packet.
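The header above, as an added example (not the authors' implementation): a packer and parser using the slide's field widths, with the bounds checks a relay or filter would apply before acting on a packet. Addresses and payload are constructed. `fixed_field_match` illustrates the filtering point made on slide 6: a decision on protocol and path length reads four bytes at fixed offsets and never walks a variable-length list.

```python
"""WRAP header as described on slide 10: pack, parse, and bounds-check.

Added example, not the authors' implementation. Field widths follow the slide
(four 8-bit fields, then `length` 32-bit addresses, then data). Addresses are
constructed.
"""
import struct
from dataclasses import dataclass


@dataclass
class WrapHeader:
    protocol: int        # higher-layer protocol (6 = TCP, 17 = UDP, ...)
    reverse_path: list   # end-point and relays already traversed
    forward_path: list   # relays and end-point still ahead
    data: bytes = b""    # higher-level packet


def _ip_to_int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def _int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def pack(h: WrapHeader) -> bytes:
    """Serialize: length counts both lists, foffset is the index where the forward path starts."""
    addrs = h.reverse_path + h.forward_path
    if len(addrs) > 255:
        raise ValueError("at most 255 addresses fit the 8-bit length field")
    if not 0 <= h.protocol <= 255:
        raise ValueError("protocol must fit in 8 bits")
    fixed = struct.pack("!BBBB", h.protocol, len(addrs), len(h.reverse_path), 0)
    return fixed + b"".join(struct.pack("!I", _ip_to_int(a)) for a in addrs) + h.data


def parse(buf: bytes) -> WrapHeader:
    """Deserialize, rejecting anything a relay or filter should not act on."""
    if len(buf) < 4:
        raise ValueError("truncated: fixed WRAP fields missing")
    protocol, length, foffset, reserved = struct.unpack("!BBBB", buf[:4])
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    if foffset > length:
        raise ValueError("foffset points past the address list")
    end = 4 + 4 * length
    if len(buf) < end:
        raise ValueError("truncated: address list shorter than length claims")
    addrs = [_int_to_ip(struct.unpack_from("!I", buf, 4 + 4 * i)[0]) for i in range(length)]
    return WrapHeader(protocol, addrs[:foffset], addrs[foffset:], buf[end:])


def fixed_field_match(buf: bytes, protocol=None, max_addresses=None) -> bool:
    """Filter decision that touches only the four fixed bytes (slide 6: no option walk needed)."""
    if len(buf) < 4:
        return False
    proto, length, _, _ = struct.unpack("!BBBB", buf[:4])
    if protocol is not None and proto != protocol:
        return False
    if max_addresses is not None and length > max_addresses:
        return False
    return True


if __name__ == "__main__":
    # Constructed packet: UDP payload, one relay already traversed, two hops ahead
    hdr = WrapHeader(17, ["10.0.0.1"], ["10.0.1.1", "10.0.2.1"], b"payload")
    wire = pack(hdr)
    print(wire.hex())
    print(parse(wire))
```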

Page 11

RELAYING

Topology: S – A – B – D

• S → A: IP Src: S, IP Dst: A, Fpath: [B, D], Rpath: [ ]
• A → B: IP Src: A, IP Dst: B, Fpath: [D], Rpath: [S]
• B → D: IP Src: B, IP Dst: D, Fpath: [ ], Rpath: [S, A]

Page 12

WRAP: IMPLEMENTATION
Name-To-Path Resolution

WRAP requires modification of the current DNS:
• Current: DNS maps names to IP addresses.
• Modified: DNS maps names to domain-level paths.

How? Each realm gets an internal and an external DNS server.
• Internal: responds to requests originating inside the realm; provides mappings from domain names to WRAP paths.
• External: responds to requests originating outside the realm; provides mappings from domain names to a tuple { global prefix, IP }.

Forward reference (incremental deployment): state for WRAPID gateways can be instantiated during name resolution.

Page 13

WRAP: IMPLEMENTATION
Name-To-Path Resolution

Topology: S – A – B – D

• S: DNS name lookup (D)
• A: propagates the request to B
• B: replies { prefix = P, IP = D }
• A: path = [A, B, D]

Page 14

DESIRABLE PROPERTIES: Limited Path Spoofing

WRAP limits the effectiveness of spoofing by its design.

Property A: Just as a destination address must be correct for delivery in IP, the forward path must be correct for delivery in WRAP.

A malicious node may still spoof some other node by placing that node’s address in the reverse path.

However, because of property A, the malicious node’s gateway will necessarily appear in the reverse path.

Page 15

DESIRABLE PROPERTIES: Limited Path Spoofing

Nodes: M (malicious sender), V (spoofed source), relays A, B, C, destination D

• A → B: IP Src: A, IP Dst: B, Fpath: [C, D], Rpath: [V]
• B → C: IP Src: B, IP Dst: C, Fpath: [D], Rpath: [V, A]
• C → D: IP Src: C, IP Dst: D, Fpath: [ ], Rpath: [V, A, B]
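The relay steps of slide 11 and the spoofing scenario of slides 14 and 15, simulated as an added example (not the authors' code). Node names are the slide labels and `deliver` reproduces the three on-the-wire states of each figure. It goes one step beyond the slide: M may forge its IP source as V and even pre-fill the reverse path with arbitrary entries, but because B appends the address it received the packet from, A still appears in the reverse path, so a receive policy keyed on relays in the reverse path (slide 8) catches M's traffic regardless of the spoofed source.

```python
"""WRAP relaying (slide 11) and the limited-path-spoofing property (slides 14-15).

Added example, not the authors' code. Node names are the slide labels; the
packet abstraction carries only the fields the slides show.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ip_src: str
    ip_dst: str
    fpath: tuple   # relays and end-point still ahead
    rpath: tuple   # end-point and relays already traversed


def relay(pkt: Packet, relay_addr: str) -> Packet:
    """One relay step as on slide 11.

    The traversed hop (the previous IP source) moves onto the reverse path, the
    head of the forward path becomes the new IP destination, and the relay
    writes its own address as IP source.
    """
    if pkt.ip_dst != relay_addr:
        raise ValueError(f"{relay_addr} received a packet addressed to {pkt.ip_dst}")
    if not pkt.fpath:
        raise ValueError("forward path exhausted: this node is the end-point")
    return Packet(
        ip_src=relay_addr,
        ip_dst=pkt.fpath[0],
        fpath=pkt.fpath[1:],
        rpath=pkt.rpath + (pkt.ip_src,),
    )


def deliver(pkt: Packet) -> list:
    """Relay until the forward path is empty; return every on-the-wire state."""
    states = [pkt]
    while pkt.fpath:
        pkt = relay(pkt, pkt.ip_dst)
        states.append(pkt)
    return states


def receive_decision(pkt: Packet, blocked_relays: set) -> str:
    """Receive policy keyed on the end-to-end path (slide 8).

    Property A (slide 14) means a sender behind gateway A cannot keep A out of the
    reverse path, however it forges the earlier entries, so blocking on A's
    presence is sufficient to stop that sender's traffic.
    """
    return "block" if blocked_relays.intersection(pkt.rpath) else "accept"


if __name__ == "__main__":
    print("slide 11: honest S -> A -> B -> D")
    for p in deliver(Packet("S", "A", ("B", "D"), ())):
        print(f"  src={p.ip_src} dst={p.ip_dst} fpath={list(p.fpath)} rpath={list(p.rpath)}")

    print("slide 15: M forges source V and sends through its gateway A")
    spoofed = deliver(Packet("V", "A", ("B", "C", "D"), ()))
    for p in spoofed:
        print(f"  src={p.ip_src} dst={p.ip_dst} fpath={list(p.fpath)} rpath={list(p.rpath)}")
    print("  D blocks on gateway A:", receive_decision(spoofed[-1], {"A"}))
```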

Page 16

DESIRABLE PROPERTIES: Low Packet Overhead

WRAP chooses to explicitly include variable-length lists of IP addresses in its headers.

It seems as though this might introduce much larger headers than a scheme like NIRA, but how bad is it in practice?

Magoni and Pansiot [14] find that AS path distance appears to have a Gaussian distribution with a mean m, with 3 < m < 4.

75% of AS pairs have a path length < 4, and 95% of AS pairs have a path length < 6.

The WRAP authors make the conservative assumption that each AS may be a collection of networks behind a NAT. This shifts the distribution average by 2.

Still, 75% of WRAP headers would have a path length < 6 and 95% of WRAP headers would have a path length < 8.

Magoni and Pansiot also found the “empirical law”: the average distance, diameter and radius of the inter-domain graph of AS networks stays constant.

This “law” holds despite the fact that the number of ASs grew by 40% during the duration of their study.

Page 17

DESIRABLE PROPERTIES: Address Space

Make IP addresses become routing tags and have NO end-to-end significance.

Figure: S is attached to relays A and B; two end-points both addressed D are reached by the paths [S, A, D] and [S, B, D].

Page 18

DESIRABLE PROPERTIES: Address Space

Unlike NIRA and other schemes, globally unique addresses are not required: IP addresses must only be unique within a realm. That gives 4 billion addresses per realm.

Relay addresses specify not just a specific router, but a pair { router, outgoing realm }. This is an artifact of a router’s non-uniqueness in the global address space.

Page 19

Similarity to IPNL

IPNL is a NAT-extended architecture. An address is 10 bytes and consists of:
• Global IPv4 address
• Realm number
• Local IPv4 address

Packets must be routed to the global address first, then to the realm, and finally to the local address.

Page 20

WRAPID Gateways

• Deploying WRAP is similar to placing every administrative domain behind NAT.
• Deployment can be incremental.
• Routers must be upgraded to be WRAP capable.
• Hosts can be upgraded or not.
• Non-WRAP hosts can be supported by WRAPID gateways (WRAP to IP Domain).
• WRAPID gateways can implement IP-to-WRAP and WRAP-to-IP translating functionality.

Page 21

WRAPID Gateways

Topology: S – WRAPID gateway A – WRAPID gateway B – D

• S → A: IP Src: S, IP Dst: X
• A → B: IP Src: A, IP Dst: B, Fpath: [D], Rpath: [S]
• B → D: IP Src: Y, IP Dst: D

Problems?

Page 22

Applications

• Virtual Private Network: different sites are connected by WRAP relay nodes.
• Policy-based routing.
• Extended forwarding path check: the source can be verified up to the trusted relay node.
• Multicast.
• WRAPsec.

Page 23

Related works

• TRIAD (Translating Relaying Internet Architecture integrating Active Directories)
• RouteScience
• RON
• NIRA (Tuesday)
• IPNL and IPv4+4

Points of comparison: “shim protocol”, router upgrade, routing information in header

Page 24

Q & A