
1 © 2014 UZH, CSG@IFI
chkroute – A tool for route compliance analysis
Daniel Dönni
Department of Informatics IFI, Communication Systems Group CSG, University of Zürich UZH
doenni@ifi.uzh.ch
Zürich, ZH, November 18, 2014

2 Introduction
• The Snowden affair revealed that a significant amount of Internet traffic was being intercepted by intelligence agencies.
• One possible countermeasure suggested by European politicians was to introduce ‘Schengen Routing’.
• ‘Schengen Routing’ refers to the idea of ensuring that traffic exchanged between two hosts located in the Schengen zone does not leave the zone.

3 Introduction II
• Research trying to quantify the amount of traffic that leaves the Schengen area is limited.
• According to [1], the share of routes that leave the zone amounts to 0% - 35%.
• A tool which allows the end-user to verify whether a route leaves the Schengen zone does not exist yet.
• chkroute is the first tool specifically designed for Schengen routing compliance checking.

4 Related Work
• The only work which specifically addresses Schengen routing is [1]. It suggests that
  – 0% (Iceland) - 35% (Belgium) of routes headed for Schengen leave the zone.
  – Switzerland ranks 3rd (23%) among all Schengen countries.
  – The work is based on BGP tables and Maxmind data [5].
• Relevant topics with respect to Schengen routing are
  – Network topology discovery
  – Geolocation of IP addresses

5 Related Work II (Topology Discovery)
• Network topology discovery
  – Layer 2: Physical Connectivity, e.g. Ethernet [2], [4]
  – Layer 3: Can be subdivided into 4 areas [3]
    1. IP Interface Level
    2. Router Level (after alias resolution)
    3. PoP Level (Groups PoPs)
    4. AS Level (Groups ASs)
  – Layer 3+: Overlay networks, e.g. P2P [3]
• Broad range of research available
  – Practical: Development of tools
  – Theoretical: Mathematical models

6 Related Work II (Geolocation)
• Geolocation
  – Mechanisms that try to find the geographic location of an IP address.
  – There are two main approaches [6]
    – Active: Latency driven
    – Passive: Database driven
  – A major problem: Accuracy of the data
    – Less than 20% are within 10km of actual position [6]
    – 80% deviate between 100km – 1000km [6]
    – Substantial improvements using the locations of university campuses (Median deviation: 690m) [7]

7 chkroute Demo
• chkroute is a tool developed to verify routing compliance
• Brace for demo…

8 chkroute Architecture

9 chkroute Process I
1. Running traceroute towards target server

10 chkroute Process II
2. Running query against compliance DB

11 chkroute Process III
3. Evaluating result
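
The three process steps above (traceroute, compliance DB query, evaluation), written out as an added Python example; it is not chkroute's own code. The prefix-to-country table, the sample traceroute output, the function names and the three-valued verdict are assumptions made for illustration, and each hop is judged by the country recorded for its address.

```python
import re
from ipaddress import ip_address, ip_network
# Schengen member states (ISO 3166-1 alpha-2) as of 2014, the year of the talk.
SCHENGEN = frozenset(("AT BE CH CZ DE DK EE ES FI FR GR HU IS IT LI LT LU "
                      "LV MT NL NO PL PT SE SI SK").split())
# Constructed stand-in for the compliance DB (RFC 5737 prefixes, made-up countries).
COMPLIANCE_DB = {ip_network(p): cc for p, cc in (
    ("192.0.2.0/24", "CH"), ("198.51.100.0/24", "DE"), ("203.0.113.0/24", "US"))}
RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "N  host (a.b.c.d) ...", numeric "N  a.b.c.d ...", or unanswered "N  * * *".
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(?:\S+\s+\()?(\d{1,3}(?:\.\d{1,3}){3})|\*)")

def parse_traceroute(text):
    """Step 1 output -> [(hop_no, address or None)]; None means no reply."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # the header line does not match and is skipped
            hops.append((int(m.group(1)), ip_address(m.group(2)) if m.group(2) else None))
    return hops

def classify(ip):
    """Step 2: look one hop up; the longest matching prefix wins."""
    if ip is None:
        return "unknown"      # router did not answer the probe
    if any(ip in net for net in RFC1918):
        return "local"        # assumption: private hops are the user's own network
    nets = [n for n in COMPLIANCE_DB if ip in n]
    if not nets:
        return "unknown"      # no DB entry, so the hop cannot be located
    cc = COMPLIANCE_DB[max(nets, key=lambda n: n.prefixlen)]
    return "schengen" if cc in SCHENGEN else "outside"

def check_route(text):
    """Step 3: one hop outside decides; otherwise gaps block 'compliant'."""
    hops = [(no, classify(ip)) for no, ip in parse_traceroute(text)]
    states = {state for _, state in hops}
    if "outside" in states:
        return "non-compliant", hops
    return ("undetermined" if "unknown" in states else "compliant"), hops

# Constructed sample output, not a real measurement.
SAMPLE = """traceroute to 198.51.100.20 (198.51.100.20), 30 hops max
 1  gw.home.example (192.168.1.1)  0.41 ms
 2  192.0.2.1  4.2 ms
 3  * * *
 4  core.example (203.0.113.9)  92.7 ms
 5  198.51.100.20  101.3 ms"""
```

`check_route(SAMPLE)` reports the route as non-compliant because of hop 4; a route whose only gap is a silent or unlisted hop comes back as undetermined rather than compliant.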

12 Selected Issues
• Definition of the location of Schengen
  – Possibility 1: “An IP address is considered to be in Schengen, if the host owning the respective NIC is geographically located in Schengen.”
    – Problem: What if packets are forwarded by a backbone provider which has PoPs in Schengen but is operated outside Schengen?
  – Possibility 2: “An IP address is considered to be in Schengen, if the host owning the respective NIC is owned by a company headquartered in Schengen.”
    – Problem: Is there reliable corporate information available?
    – Problem 2: What if a large backbone provider has a subsidiary in Schengen? Should it count as a Schengen company?

13 Questions
• Questions?

14 References
[1] N. Pohlmann, “Secure Communication and Digital Sovereignty in Europe”, ISSE 2014 Securing Electronic Business Processes, 2014
[3] B. Donnet et al., “Internet Topology Discovery: A Survey”, IEEE Communications Surveys & Tutorials, 4th Quarter 2007
[4] Y. Breitbart et al., “Topology Discovery in Heterogeneous IP Networks”, Proc. IEEE INFOCOM, Mar. 2000
[5] Maxmind, http://www.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz. Last access: 9.11.2014.
[6] I. Poese, “IP Geolocation Databases: Unreliable?”, ACM SIGCOMM Computer Communication Review, Volume 41, Number 2, April 2011
[7] Y. Wang, “Towards Street-Level Client-Independent IP Geolocation”, Usenix, 2011

