Covert Channel for One-Way Delay Measurements
Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini
18th International Conference on Computer Communications and Networks (ICCCN), August 4th, 2009

Scenario
[Figure: customer sites 1 to 5, each attached through a CE router to a PE router of the ISP (MPLS backbone)]
State of the Art
• Control packets: sync, negotiation, aggregate results
• Probe packets: Cisco IP-SLA, Juniper RPM, H3C HWPing, Ipanema patent, distributed infrastructure [Arlos05], C API [Harfoush02], IPMP [Luckie02], Pathload [Jain02]
• NLANR AMP, CAIDA Archipelago, OWAMP
• CAIDA reports & traces (CoralReef), Sprint IPMON
• Lossy Difference Aggregation [Kompella09]
Our Contributions
• A measurement architecture that is passive, nonintrusive, does no sampling, and is unaffected by lost or out-of-sequence packets
• A formal establishment of measurement accuracy
• Experimental evaluation
Covert Channel
• We exploit unused bits of the IP header to embed the data needed to measure the OWD
• Embedding covert channels into TCP/IP: [Rowland97, Murdoch05]
Architecture
[Figure: same scenario, with a Measurement Agent (MA) deployed at each customer site on the path to the ISP (MPLS backbone)]
Measurement Agents
• Upstream component (MA, store & forward):
  receive packet → is it directed to a different site of the same customer? → YES: encode timestamp, forward packet / NO: forward packet
• Downstream component (MA, cut through):
  receive packet → is it coming from a different site of the same customer? → YES: decode timestamp, compute aggregates, forward packet / NO: forward packet
• QoS between different customers X, Y connected to the same backbone: the check "directed to same customer?" becomes "directed to customer X?", and "coming from same customer?" becomes "coming from customer Y?"
Digging the Covert Channel
• Usable bits: not used by end systems (ES) for critical functions, not altered by intermediate systems (IS)
• If customers rule out fragmentation: identification (16 bits), don't fragment (1 bit), reserved (1 bit), fragment offset (13 bits)
• ttl (some of 8 bits), type of service (8 bits)
• IP*: IPSec (ESP, AH); IPv6 (ok with MPLS)
Measurement Errors
• Minimize (or, at least, watch) error on: measurement, margin of error, confidence level
[Figure: actual one-way delay vs. computed one-way delay]
Measurement Errors: Quantization Error
• (Max) sync offset
• Measure scale
[Figure: timestamp quantization at the upstream component and reading at the downstream component; the difference is the quantization error]

Measurement Errors: Saturation Error
• Available bits
• Timestamps represented modulo 2^bits
[Figure: delays within one wrap period give error = 0, delays exceeding it give error = k, then error = 2k]

Measurement Errors: Overall Error
• e1 and e2 are statistically independent
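The upstream/downstream agent logic, the identification-field covert channel and the quantization and saturation errors above, as an added example that is not the paper's own code. It assumes a 16-bit identification field (usable when fragmentation is ruled out), a 1 ms measure scale, perfectly synchronized agents and a constructed IPv4 header; the checksum refresh is what a real agent would need so that routers do not discard the marked packet.

```python
import struct

# Assumed parameters (not from the paper): the 16-bit identification field
# carries the timestamp, quantized with a 1 ms measure scale.
ID_BITS = 16
SCALE_MS = 1

def encode_timestamp(t_ms, scale_ms=SCALE_MS, bits=ID_BITS):
    """Upstream component: quantize the send time and reduce it modulo 2**bits."""
    return int(t_ms // scale_ms) % (1 << bits)

def decode_owd(stamp, now_ms, scale_ms=SCALE_MS, bits=ID_BITS):
    """Downstream component: OWD = (now_q - stamp) mod 2**bits, back in ms.
    Exact up to the quantization error (< scale_ms) plus the sync offset, as
    long as the true delay stays below saturation_limit_ms()."""
    now_q = int(now_ms // scale_ms)
    return ((now_q - stamp) % (1 << bits)) * scale_ms

def saturation_limit_ms(scale_ms=SCALE_MS, bits=ID_BITS):
    """Delays at or above 2**bits * scale wrap around (saturation error)."""
    return (1 << bits) * scale_ms

def ipv4_checksum(hdr):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_identification(hdr, ident):
    """Write the covert value into bytes 4-5 and refresh the checksum (bytes 10-11)."""
    h = bytearray(hdr)
    struct.pack_into('!H', h, 4, ident)
    struct.pack_into('!H', h, 10, 0)
    struct.pack_into('!H', h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)

def get_identification(hdr):
    return struct.unpack_from('!H', hdr, 4)[0]

# Constructed 20-byte IPv4 header: total length 896, DF set (no fragmentation),
# TTL 64, UDP, 10.0.1.1 -> 10.0.2.1, checksum left zero until marking.
SAMPLE_HDR = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 896, 0, 0x4000, 64, 17, 0,
                         bytes([10, 0, 1, 1]), bytes([10, 0, 2, 1]))

def measure(send_ms, recv_ms, hdr=SAMPLE_HDR):
    """One packet through both agents; returns (computed OWD in ms, checksum valid)."""
    marked = set_identification(hdr, encode_timestamp(send_ms))   # upstream MA
    stamp = get_identification(marked)                            # downstream MA
    return decode_owd(stamp, recv_ms), ipv4_checksum(marked) == 0
```

With these parameters a 70 s delay wraps once and is reported 65,536 ms too small, which is the saturation error the slide calls k.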
Measurement Setup (1)
• MAs synchronized with precision
• User specifies , , and , requesting that ,
• Configure MAs with , , and source & destination addresses while guaranteeing that
• Theorem. Let be such that and is minimized. Then, for we have .

Measurement Setup (1): Example
• In human words: the user requires and estimates that 99.9% of the packets have delay less than 1000 ms

Measurement Setup (2)
• Alternative scenario: user provides and and has a constraint on
• Alternative scenario: user provides , , and
• Requirements are satisfied if
Experimental Setup
• Traffic generator & analyzer: Spirent SmartBits SMB600B
• Server: Fujitsu Siemens Primergy RX300, Dual Quad-Core Intel Xeon 5000, 8 GB RAM, 2 dual-port GE NICs
• Network impairment: Netem
• GE chain: tg_ge0 → ma1_ge0 [MA1, upstream component] ma1_ge1 → ni_ge0 [network impairment] ni_ge1 → ma2_ge0 [MA2, downstream component] ma2_ge1 → tg_ge1
Experiment 1: Validation
• 14,000 packets of 896 bytes each
• bandwidth utilization: 70%
• variable delays (uniform distribution) and guarantee on the delay deduced by the network impairment configuration
[Figure: validation results, P = 0.001; annotation: limited by the transmission delay of the downstream component]
Experiment 2: Performance
• Bandwidth: 90%
[Figure: OWD computed at the downstream component; delay 6010 ms, measurement time span 20 s; annotation: NIC queue saturation]
Experiment 3: Latency
• No network impairment
• Delays collected by SMB
[Figure: annotation: switching overhead of the MA]
Experiment 4: Throughput
• No network impairment
• 100% bandwidth utilization
• Varying packet size (until first dropped)
• With disabled MAs: 265,957 pkts/s, 450 bytes long
• With enabled MAs: 252,016 pkts/s, 476 bytes long
• 5.24% reduction
Conclusions and Future Work
• Take away: IP covert channel for OWD measurements is feasible; formal analysis of measurement errors
• What next: different techniques to exploit the covert channel; different kinds of measurements