UNIVERSITÀ DEGLI STUDI ROMA TRE, Dipartimento di Informatica e Automazione
Covert Channel for One-Way Delay Measurements
Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini
18th International Conference on Computer Communications and Networks (ICCCN), August 4th, 2009
Scenario
[Figure: customer sites 1 to 5 of one customer, interconnected through an ISP MPLS backbone]
State of the Art
Comparison criteria: 1-way measures, intrusive, probes, accuracy (the last row is the "Ideal" system).
Active approaches (control packets for sync, negotiation and aggregating results, plus probe packets):
- Measurement systems: Cisco IP-SLA, Juniper RPM, H3C HWPing
- NLANR AMP, CAIDA Archipelago, OWAMP
- C API [Harfoush02], IPMP [Luckie02], Pathload [Jain02]
Passive approaches:
- Lossy Difference Aggregation [Kompella09]
- CAIDA reports & traces (CoralReef), Sprint IPMON (traffic sampling)
- Ipanema patent, distributed infrastructure [Arlos05] (out-of-band channel)
Our Contributions
- A measurement architecture that is passive, nonintrusive, uses no sampling, and is unaffected by lost or out-of-sequence packets
- A formal establishment of measurement accuracy
- Experimental evaluation
Covert Channel
We exploit unused bits of the IP header to measure the OWD, embedding covert channels into TCP/IP [Rowland97, Murdoch05].
Architecture
[Figure: customer sites 1 to 5 connected through the ISP MPLS backbone, with measurement agents at the edges]
Measurement Agents: Upstream component
- receive packet
- is it directed to a different site of the same customer?
  - YES: encode timestamp, then store & forward
  - NO: forward packet
Measurement Agents: Downstream component
- receive packet
- is it coming from a different site of the same customer?
  - YES: decode timestamp (cut through) and compute aggregates
  - NO: forward packet
Measurement Agents: QoS between different customers X, Y connected to the same backbone
The checks "coming from the same customer?" and "directed to the same customer?" become "coming from customer Y?" and "directed to customer X?".
Digging the Covert Channel
Usable bits: not used by end systems (ES) for critical functions, not altered by intermediate systems (IS).
If customers rule out fragmentation:
- identification (16 bits)
- don't fragment (1 bit)
- reserved (1 bit)
- fragment offset (13 bits)
Also: ttl (some of 8 bits), type of service (8 bits)
IPsec (ESP, AH), IPv6: (ok with MPLS)
Measurement Errors
Minimize (or, at least, watch) the error on: measurement, margin of error, confidence level.
[Figure: actual one-way delay vs. computed one-way delay]
Measurement Errors: Quantization Error
[Figure: upstream component and downstream component timelines on the measure scale (0, 1, ...); the (max) sync offset and the quantization error are marked]
Measurement Errors: Saturation Error
Timestamps are represented modulo the available bits.
[Figure: packets A1, A2, A3 on the time axis; depending on how many wraparounds occur, error = 0, error = k, error = 2k]
Measurement Errors: Overall Error
e1 and e2 are statistically independent.
[Figure: packets A1, A2, A3 on the time axis]
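The three error slides above (quantization, saturation, overall) are easiest to see with a concrete encoder and decoder. The following is an added example written for this page, not code from the paper or its authors. It assumes the timestamp is carried in the 16-bit IPv4 Identification field listed on the "Digging the Covert Channel" slide, that the measure scale T (in microseconds) and the field width B are chosen by the user, and that the sample IPv4 header is a constructed one. The error bounds it reports are derived here from the floor-quantization it implements, not quoted from the paper's theorems.

```python
import struct

# IPv4 header layout: version/IHL, ToS, total length, Identification,
# flags+fragment offset, TTL, protocol, header checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header; returns 0 when a valid checksum is present."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header() -> bytes:
    """Constructed sample header: DF set (no fragmentation), UDP, private addresses."""
    fields = [0x45, 0, 896, 0, 0x4000, 64, 17, 0,
              bytes([10, 0, 1, 10]), bytes([10, 0, 2, 10])]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields)


def encode_timestamp(t_us: int, scale_us: int, bits: int) -> int:
    """Upstream MA: quantize the send time to units of T and keep the B low-order bits."""
    return (t_us // scale_us) % (1 << bits)


def decode_owd_us(code: int, t_recv_us: int, scale_us: int, bits: int) -> int:
    """Downstream MA: quantize its own receive time and subtract modulo 2^B."""
    recv_code = t_recv_us // scale_us
    return ((recv_code - code) % (1 << bits)) * scale_us


def stamp_ip_id(header: bytes, code: int) -> bytes:
    """Write the code into Identification and recompute the header checksum,
    so intermediate systems verifying the checksum keep forwarding the packet."""
    f = list(struct.unpack(IPV4_HDR, header))
    f[3] = code & 0xFFFF
    f[7] = 0
    f[7] = ipv4_checksum(struct.pack(IPV4_HDR, *f))
    return struct.pack(IPV4_HDR, *f)


def read_ip_id(header: bytes) -> int:
    return struct.unpack(IPV4_HDR, header)[3]


def error_bounds(scale_us: int, bits: int, sync_offset_us: int = 0):
    """Quantization error stays below T plus the clock sync offset (assumption derived
    from floor quantization); saturation error is a multiple of k = 2^B * T."""
    return scale_us + abs(sync_offset_us), (1 << bits) * scale_us


def measure(owd_us: int, send_us: int, scale_us: int, bits: int, sync_offset_us: int = 0):
    """Simulate one packet end to end. Returns (measured OWD, measured - actual)."""
    hdr = stamp_ip_id(build_header(), encode_timestamp(send_us, scale_us, bits))
    assert ipv4_checksum(hdr) == 0          # stamped header still verifies
    t_recv = send_us + owd_us + sync_offset_us  # downstream clock may be skewed
    measured = decode_owd_us(read_ip_id(hdr), t_recv, scale_us, bits)
    return measured, measured - owd_us


if __name__ == "__main__":
    # Constructed cases: exact, quantization error, clock offset, saturation (wraparound).
    print("exact      ", measure(30000, 123456, 100, 16))
    print("quantized  ", measure(30050, 123499, 100, 16))
    print("sync offset", measure(30000, 123456, 100, 16, sync_offset_us=50))
    print("saturated  ", measure(30000, 0, 100, 8))
    print("bounds (T=100us, B=8):", error_bounds(100, 8))
```

The saturated case shows why the setup slides ask the user for a delay bound: with B = 8 and T = 100 µs the channel wraps every k = 25.6 ms, so a 30 ms delay decodes as 4.4 ms with an error of exactly -k. Choosing B and T so that k exceeds the delay the user expects for the requested fraction of packets removes that term, and the remaining error is bounded by T plus the synchronization offset.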
Measurement Setup (1)
Theorem. Let be such that and is minimized. Then, for we have.
1. MAs synchronized with precision
2. User specifies , , and , requesting that
3. ,
4. Configure MAs with , , and source & destination addresses, while guaranteeing that
Measurement Setup (1): Example
In human words: the user requires and estimates that 99.9% of the packets have delay less than 1000 ms.
Measurement Setup (2)
Alternative scenario: the user provides and and has a constraint on .
Alternative scenario: the user provides , , and . Requirements are satisfied if .
Experimental Setup
- Spirent SmartBits SMB600B
- Fujitsu Siemens Primergy RX300: dual quad-core Intel Xeon 5000, 8 GB RAM, 2 dual-port GE NICs
- Netem
- GE links
Experiment 1: Validation
Input: 14,000 packets of 896 bytes each; bandwidth utilization 70%; variable delays (uniform distribution) and a guarantee on the delay deduced from the network impairment configuration.
Experiment 1: Validation (results)
Table columns: Exp. ID | Delay (ms) | T (µs) | B | Freq. e>T
Only the first row survives extraction: Exp. 1, delay 30 ms.
Note: limited by the transmission delay of the downstream component.
Experiment 2: Performance
Delay: 60 ± 10 ms; measurement time span: 20 s.
[Figure: OWD measured by the downstream component, with NIC queue saturation marked]
Experiment 2: Performance (bandwidth: 90%)
Experiment 3: Latency
No network impairment; delays collected by the SMB.
[Figure: measured delays, with the switching overhead marked]
Experiment 4: Throughput
No network impairment; 100% bandwidth utilization; varying packet size (until the first dropped packet).
- With disabled MAs: packets bytes long, 265,957 pkts/s
- With enabled MAs: packets 476 bytes long, 252,016 pkts/s
- 5.24% reduction
Conclusions and Future Work
Take away:
- An IP covert channel for OWD measurements is feasible
- Formal analysis of measurement errors
What next:
- Different techniques to exploit the covert channel
- Different kinds of measurements