Desperately Seeking Default

Slides:



Advertisements
Similar presentations
CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Advertisements

CSC458 Programming Assignment II: NAT Nov 7, 2014.
10: ICMPv6 Neighbor Discovery
Measuring IPv6 Geoff Huston APNIC Labs, February 2014.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Enabling IPv6 in Corporate Intranet Networks
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
CSE331: Introduction to Networks and Security Lecture 8 Fall 2002.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
IPv6 Background Radiation Geoff Huston APNIC R&D.
Chapter 5 The Network Layer.
MOBILITY SUPPORT IN IPv6
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.
Examining IP Header Fields
TCP/IP Basics A review for firewall configuration.
Allocations vs Announcements A comparison of RIR IPv4 Allocation Records with Global Routing Announcements Geoff Huston May 2004 (Activity supported by.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
1 CMPT 471 Networking II ICMP © Janice Regan, 2012.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.
Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Network Layer ICMP and fragmentation.
Lab 5: NAT CS144 Review Session 7 November 13 th, 2009 Roger Liao.
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.
Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.
PA3: Router Junxian (Jim) Huang EECS 489 W11 /
Measuring IPv6 Deployment Geoff Huston George Michaelson
Lecture 4: BGP Presentations Lab information H/W update.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
TCOM 515 IP Routing. Syllabus Objectives IP header IP addresses, classes and subnetting Routing tables Routing decisions Directly connected routes Static.
BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk
IP addresses IPv4 and IPv6. IP addresses (IP=Internet Protocol) Each computer connected to the Internet must have a unique IP address.
Internet Protocols. ICMP ICMP – Internet Control Message Protocol Each ICMP message is encapsulated in an IP packet – Treated like any other datagram,
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
(ITI310) By Eng. BASSEM ALSAID SESSIONS 9: Dynamic Host Configuration Protocol (DHCP)
Lecture 21: Network Primer 7/9/2003 CSCE 590 Summer 2003.
Scaling the Network: Subnetting and Other Protocols
CSC458 Programming Assignment II: NAT
NAT – Network Address Translation
Scaling the Network Chapters 3-4 Part 2
Original slides prepared by Theo Benson
Optimising Streaming Systems with SDN/P4/NetFPGA
More Specific Announcements in BGP
Measuring IPv6 Performance
Measuring IPv6 ISP Performance
Border Gateway Protocol
ICMP ICMP – Internet Control Message Protocol
Introduction to Networking
Are we there yet? Measuring iPv6 in 2016
Introducing To Networking
IPv6 Performance (revisited)
Firewall Exercise.
Chapter 4: Access Control Lists (ACLs)
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
* Essential Network Security Book Slides.
IPv6: Are we really ready to turn off IPv4?
CIS 82 Routing Protocols and Concepts Chapter 11 NAT
TCP/IP Networking An Example
More Specific Announcements in BGP
Unit 3 Mobile IP Network Layer
An Update on Multihoming in IPv6 Report on IETF Activity
Scaling the Network: Subnetting and Other Protocols
Chapter 11: Network Address Translation for IPv4
Refs: Chapter 10, Appendix A
IPv6 Reliability Measurements
DHCP: Dynamic Host Configuration Protocol
Session 20 INST 346 Technologies, Infrastructure and Architecture
IPv6 Performance Measurement
Chapter 4: outline 4.1 Overview of Network layer data plane
Presentation transcript:

Desperately Seeking Default Geoff Huston APNIC

In the Telephone Network All telephones were equally reachable Anyone could dial anyone else

In the Telephone Network Internet In the Telephone Network Are all connected endpoints equally reachable? Can anyone can reach anyone else?

In the Telephone Network Internet In the Telephone Network Are all connected endpoints are equally reachable? Can anyone can reach anyone else? No!

In the Telephone Network Internet In the Telephone Network Are all connected endpoints are equally reachable? Can anyone can reach anyone else? No! NATs and Firewall Filters changed our conception of the Internet from a peer-to-peer network to a limited client/server architecture. Our current expectations are that if you stand up a public service on port 80 (or 443 for that matter) outside of a NAT, then maybe everyone can reach you, but otherwise, no.

In the Telephone Network Internet In the Telephone Network All connected endpoints are equally reachable Can anyone can reach anyone else?

In the Telephone Network Internet In the Telephone Network All connected endpoints are equally reachable Can anyone can reach anyone else? We might THINK this, but is it true ALL the time?

What do we see? On the Internet is everyone really connected to everyone else?

How We See We use an online ad to present a sequence of small fetches to the user’s browser

How We See The sequence of tests is used to test a number of types of actions including fetches of IPv4, IPv6 and Dual stack

How We See We use tcpdump to record all packet activity at the experiment’s servers

What we see: Connection Failure Outbound SYN client server Busted SYN ACK Return path What the server sees is an incoming SYN, but no matching incoming ACK

Daily IPv6 Failures 6to4 failure: around 10% Average IPv6 failure: around 2% Unicast IPv6 failure: around 1.5%

Daily IPv6 Unicast Address Failures 1.5% failure rate

IPv6 Failures 1.5% failure for unicast V6 is unacceptable! Why is this happening Auto-tunnelling? Lousy CPE firmware? Strange firewall filters? But is all of this due to local configuration / equipment? What is the comparable view in IPv4?

IPv4 Connection Failure 0.2% failure rate

IPv4 Failures IPv4 failures are around 1 in 500 And we are pretty sure its NOT: Auto-tunnelling Lousy CPE firmware Strange firewall filters So what is the reason for this residual asymmetric failure rate? Is it asymmetric routing connectivity?

Route Views Routing Table

25 Years of Routing the Internet This is a compound view pulled together from each of the IPv4 routing peers of Route Views and RIS

IPv4 - 2015/16 IPv4 Route Views + RIS This is a view pulled together from each of the routing peers of Route Views and RIS That’s a range of 100,000 routes!

Different peers see a slightly different Internet But is this just traffic engineering more specifics? Or do different peers see a different set of reachable addresses in the routing table?

Address Span (Route Views + RIS data sets)

Address Span (Route Views + RIS data sets) 15 M Addresses

What does this mean? Each peer of RouteViews and RIS announces a span of addresses that appears to be a unique span. In total, these spans agree with other to within ~20M addresses, but this means that there are potentially some 20M uniquely addressed endpoints that cannot be reached from all other endpoints. This variation is stable over time for each peer, so its not transient routing that is generating this – the reasons for this difference in reachability are structural

What about IPv6?

The Route Views view of IPv6 World IPv6 Day IANA IPv4 Exhaustion

Number of IPv6 Routes in 2015/16 That’s a range of 2,300 routes!

IPv6 Announced Address Span Variation (RV + RIS)

IPv6 Announced Address Span Variation (RV + RIS)

What is “default”? We don’t know! There is no “default” route set that we can all agree on

What is “default”? At best “default” is an informal quorum So lets define this quorum by arbitrarily setting the quorum threshold at 2/3 i.e. if 2/3 of the peers of a route collector advertise a route then it is part of the default quorum. Individual peer networks will contain route sets that differ from this quorum by having both additional prefixes and holes. Lets look at the variance from the quorum

A “Quorum” deviation view of IPv4

A magnified view

IPv6 “Quorum” Deviation

Zooming In

And Again

Quorum Deviation for RVA IPv4 Peers (18th August 2016)

Quorum Deviation for RIS IPv4 Peers

Quorum Deviation: IPv6, RVA

Quorum Deviation: IPv6, RIS

It’s structural, not temporal There is a visible stability to this deviation from the quorum route set The variation from the quorum is long–term stable, and does not rapidly self-correct – its not a transient routing state We appear to assume that all Tier 1 providers, and their Tier 2, 3, … resellers offer the same reachability set as each other – i.e. ”default” is consistent everywhere But this is not necessarily the case all the time for every address in the routing system “Default” appears to vary by provider and by location E.g.: 25 April, 1600 UTC: AS2914: RouteViews 2,808,560,896 addresses RIS: 2,807,358,208

”Default” is a market outcome There is no ”global route arbiter” There is no way to enrol a route into a global Internet default route set There is no single common definition of “default” Instead ”default” is a market outcome You buy default from a transit You hope your transit is offering you what it promised – but you just can’t tell You add your route to default via a transit You hope that this will propagate reachability tp your network to all parts of the Internet – but you just can’t tell

So What? Surely all this is patched up by the widespread use of a routing default entry in addition to specific routes? (*) * Internet Optometry: Assessing the Broken Glasses in Internet Reachability”, R. Bush, O. Maennel, M. Roughan, S Uhlig, ACM SIGCOMM IMC, 2009

So What? Surely all this is patched up by the widespread use of a routing default entry in addition to specific routes? Well, not really Default points along upstream transits It does not patch downstreams Route to B not propagated on this connection Packet from B to A follows explicit route A B Packet from B to A follows default and then dropped

To Recap: What is causing this?

To Recap: What is causing this? Could part of this be due to connectivity failure?

Can we confirm this? Outbound SYN client server

Can we confirm this? Outbound SYN client server SYN ACK Return path

Can we confirm this? Outbound SYN Busted SYN ACK Return path client router server Busted SYN ACK Return path

Can we confirm this? Outbound SYN Busted SYN ACK Return path client router server Busted SYN ACK Return path ICMP Dest Unreachable

Can we confirm this? Outbound SYN client router server Busted SYN ACK Return path ICMP Dest Unreachable What the server sees is an incoming SYN, and then an ICMP destination unreachable

And we do see this … here’s an example 14:16:05.999497 IP (tos 0x0, ttl 55, id 31005, offset 0, flags [none], proto ICMP (1), length 80) 84.41.108.74 > 139.162.146.97: ICMP host 46.163.63.47 unreachable, length 60 Outer packet is an ICMP Packet with a “destination unreachable” code sent to the server from the router at address 84.41.108.74

And we do see this … here’s an example 14:16:05.999497 IP (tos 0x0, ttl 55, id 31005, offset 0, flags [none], proto ICMP (1), length 80) 84.41.108.74 > 139.162.146.97: ICMP host 46.163.63.47 unreachable, length 60 Outer packet is an ICMP Packet with a “destination unreachable” code sent to the server from the router at address 84.41.108.74 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto TCP (6), length 52) 139.162.146.97.443 > 46.163.63.xx.52087: Flags [S.], cksum 0x5130 (correct), seq 3917125220, ack 685287936, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 Payload packet is a SYN+ACK packet

In the Telephone Network Internet In the Telephone Network All connected endpoints are equally reachable Anyone can reach anyone else Almost most of the time! almost

In the Telephone Network Internet In the Telephone Network All connected endpoints are equally reachable Anyone can reach anyone else Almost most of the time! almost As long as all the feeder access networks can connect to Facebook, Google, Netflix, Ebay, Amazon,… then nobody seems to care enough any more to be motivated to fix this What we now have in 2016 is a tier 1 CDN feeder system. The internet is no longer a true uniquitous fully connected peer network, and our collective care factor about that is pretty low~ And that makes me sad!

Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.