Yarrp’ingtheIPv6Internet

EricGastonRobertBeverly

NavalPostgraduateSchool

AIMS2017March2,2017

IPv6ActiveTopologyDiscovery

• Goal:DiscoverIPv6Internet’sinterface-leveltopology• But,completenessisachallengewith2128 (~3.4X1038)

uniqueaddresses• And,ratelimitinginIPv6ismoreaggressivethaninIPv4• Currentstate-of-the-art:scansmallnumberofprefixes

slowly.

IPv6TopologyMappingToday

CAIDAIPv6TopologyProbing

• Sendprobestowardeachgloballyannounced/48orshorterprefixonceevery48hours

• 37,797prefixesasofFebruary12,2017• From46globallydistributedArkVP• EachVPscampericmp-paris traceroutes toward::1

andarandomaddressineachprefixes.

Rohreretal: IPv6Scans

• UsedArk• Largestscantodateprobing~406millionprefixes• (Datapubliclyavailable)• Traceroute tothe::1ineach/48inall/32’s• Scantook4monthstocomplete(Nov14– Mar15)• Currentroutingtablecontains~536millionprefixes• Increaseof32%in2years

Foremski etal:Entropy/IP

• IMC2016studytofindactiveportionsofIPv6Internet

• CombinesinformationtheoryandmachinelearningtoprobabilisticallymodelIPv6addresses

• Abilitytogeneratecandidateaddresslistforactivescanningcanbeusedtoreducethetargetspace

WhyismappingIPv6Important?

• IPv6Topologymappingcrucialto:• Security• Policy• Research

• IPv6usehasdoubledeveryyearsince2012• Measurementcommunityneeds:• BettervisibilityintoIPv6topology• Bettertools

Ourapproach:Yarrp6

WhatisYarrp?

• Anewhigh-speed stateless traceroutetechnique(IMC2016demonstratestopo discovery@100Kpps)

• ReconstructsstatesfromdataencodedinIPandTCPheadersofICMPquotation

• CurrentlyonlysupportsIPv4andTCPprobes• (Presentlyworkingw/CAIDAtodeployinproduction)

https://www.cmand.org/yarrp/

WhatisYarrp6?

• Yarrp6isaportofYarrp forIPv6• Alsostatelessandrandomized• Butencodesstateinadifferentmanner• MaintainsParistraceroutemethodforallscan• AddsthecapabilitytodoICMPv6andUDPscansas

wellastheTCPSYNandTCPACKprovidedbyYarrp

PortingYarrp toIPv6

• ExtendingYarrp toIPv6isnotatrivialtask• Issues:• Howtoencodestate• Yarrp permutationlibrary’s32-bitblocksizetoo

smallforIPv6• RawsocketsinIPv6donotallowforfullcontrol

ofpacketheaders• Rate-LimitingofICMPv6errormessages• UnabletodetectresponsestoTCPprobesfrom

targets

InitialExperiments

• SoughttovalidateandcompareYarrp tocurrentstate-of-the-art:• RecallofYarrp6vs.CAIDAv6probecycle• SpeedofYarrp6vs.CAIDAv6probecycle

• ComparedusingCAIDA’sIPv6datafromsan-usVPscansdoneonFebruary12,2017

• Sametargetlistcontaining75,594addresses

Yarrp6vs.CAIDA(cont.)

RateLimitingofIPv6

• “anIPv6nodeMUSTlimittherateofICMPv6errormessagesitoriginates.”– RFC4443

• Wedidobserverate-limitingonIPv6• Hops1-4accountedfor~75%ofallmissing

hops• Only57uniqueaddressesmissingfromthese

hop

ComparisonofTransportProtocols

• Usedyarrp6tocompareprobeprotocol• ComparisonofTransportProtocolonforwardIP

pathinference.• UsedICMPv6,UDP,TCPSYN,andTCPACKParis

tracerouteprobes• 3metricsusedforcomparison:• DestinationReached• CompletePaths• UniqueIPLinks

ComparisonofTransportProtocols(cont.)

Probe Method UniqueInterface DestinationsReached CompleteIPPaths UniqueIPLinks

ICMPv6 45,706 9,535 3,562* 57,667

UDP 34,567 4,455 1,776* 37,514

TCP SYN 34,879 N/A# N/A# 37,655

TCPACK 35,178 N/A# N/A# 38,262

*Hop3skippedindeterminationofcompletepath#UnabletoretrieveencodedinformationfromTCPresponses

FutureWork

• Workingw/DavePlonka:UseEntropy/IPtogeneratetargetlistforYarrp6toscan.

• ComparisonofYarrp6tolargerdatasetsuchasRohreretal.dataset

• RunningscansinrapidsuccessiontoallowforstudyintodynamicsofIPv6Internet.

• Yarrp availablenow;Yarrp6realsoonnow.Contactustobeta!

https://www.cmand.org/yarrp/

Questions?

https://www.cmand.org/yarrp/