CS 525 – Network Security Spring 2012 Instructor Craig Shue, Ph.D. [email protected].
David Malone ... - pam2008.cs.wpi.edupam2008.cs.wpi.edu/slides/malone.pdf · • Mostly full...
23
Observations of IPv6 Addresses David Malone <[email protected]> Hamilton Institute, NUI Maynooth, Ireland. 28 April 2008 1
Transcript of David Malone ... - pam2008.cs.wpi.edupam2008.cs.wpi.edu/slides/malone.pdf · • Mostly full...
Observations of IPv6 Addresses
David Malone <[email protected]>
Hamilton Institute, NUI Maynooth, Ireland.
28 April 2008
1
IPv6 Chat
• IPv6 talks mention NAT, CIDR and 2128 addrs.
• NAT means you get more addresses.
• CIDR means you get more networks.
• 1000 hosts per gram of earth with HD = 0.8.
2
IPv6 More Expressive?
• This means something for IPv6 addresses.
• No NAT: can see end host address.
• Standard(-ish) boundries at /64 (and /48).
• Many addresses facilitates logical assignment.
3
Some examples
• 2001:0770:0010:0300:0000:0000:86e2:510b
• 2001:770:10:300:0:0:86e2:510b
• 2001:770:10:300::86e2:510b
• 2001:770:10:300::134.226.81.11
• fe80::21e:52ff:fec8:84b2
4
Plan
• Automate assignment of attributes.
• Collect sets of IPv6 addresses.
• See what patterns of usage look like.
• Datasets: mirror server, .ie ccTLD server,
traceroute6.
5
Previous IPv6 Work
• CAIDA: topology measurements.
• Huston/Doring/Massar: BGP routing studies.
• Savola/Kei/Yamazaki: 6to4 traffic.
• WIDE: Traffic data collection.
• Cho/Luckie/Huffaker: IPv4/IPv6 relative
performance.
• Bieringer: ipv6calc.
6
Observing Network Part
• Like IPv4: registry based.
• Global addresses to RIRs.
• Also: 6bone, 6to4, teredo.
• Special addresses: loopback, unspec.
• Special blocks: mapped, ULA, link-local, site-local,
multicast.
7
Observing Host Part
• Autoconf: look for ff:fe and set bit.
• ISATAP: Look for 0[02]00 and 5efe.
• v4based: last 32 bits look like v4 address.
• low: only low byte set.
• wordy: feed:deb:dead:c0de
• privacy: few words and large numbers.
8
Words
00ad 00ba 00be 00d0 00da 00ed 0ace 0ada 0add 0ade 0b00 0b0a 0b0b 0baa 0bad 0bea 0bed
0bee 0c00 0c0b 0c0d 0cab 0d0b 0d0c 0d0d 0d0e 0dab 0dad 0deb 0dee 0ebb 0f00 0f0b 0f0d
0f0e 0fad 0fae 0fed 0fee abba b00b b0b0 b0de baba babe bade baff bead beef c0c0 c0ca c0d0
c0da c0de c0ed c0ff cafe cede d00b d0d0 d0de dada dead deaf deed f00d f0ad face fade faff
feed 1337 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999 aaaa bbbb cccc dddd eeee
ffff 00ff abab
9
Privacy
• have the 6th bit clear,
• have between 27 and 35 set bits,
• first half has between 9 and 21 set bits,
• second half has between 10 and 22 set bits,
• must not have two or more ‘words’.
1
263
∑
9≤i≤21,10≤j≤22
27≤i+j≤35
(
31
i
)(
32
j
)
≈ 0.7335. (1)
10
Dataset: ftp.heanet.ie
• Busy mirror server (sourceforge, Linux distros,
putty,)
• Data from Dec 2003 to Aug 2007: over 1300 days.
• Mostly full Combined log file format.
• Some gaps — how to normalise?
11
1
10
100
1000
10000
100000
1e+06
1e+07
Jul 03 Jan 04 Jul 04 Jan 05 Jul 05 Jan 06 Jul 06 Jan 07 Jul 07 Jan 08
Num
ber
of a
cces
ses
IPv6 hitsIPv4 hits
IPv4 hits (interpolated)
12
0
5000
10000
15000
20000
25000
30000
35000
0 1e+06 2e+06 3e+06 4e+06 5e+06 6e+06 7e+06 8e+06
Num
ber
of IP
v6 a
cces
ses
Number of IPv4 accesses
per day access breakdown
13
Results: Prefix
0.0001
0.001
0.01
0.1
1
Jul 03 Jan 04 Jul 04 Jan 05 Jul 05 Jan 06 Jul 06 Jan 07 Jul 07 Jan 08
Fra
ctio
n of
per
-mon
th d
istin
ct IP
v6 a
ddre
sses
6bone6to4
globalteredo
14
Results: Global by RIR
0.0001
0.001
0.01
0.1
1
Jul 03 Jan 04 Jul 04 Jan 05 Jul 05 Jan 06 Jul 06 Jan 07 Jul 07 Jan 08
Fra
ctio
n of
per
-mon
th d
istin
ct g
loba
l IP
v6 a
ddre
sses
APNICARIN
AfriNICLACNIC
RIPE
15
Results: Host ID
0.0001
0.001
0.01
0.1
1
Jul 03 Jan 04 Jul 04 Jan 05 Jul 05 Jan 06 Jul 06 Jan 07 Jul 07 Jan 08
Fra
ctio
n of
per
-mon
th d
istin
ct IP
v6 a
ddre
sses
manufacturer autoconfffffffff autoconfother autoconf
teredoISATAPv4based
privacyrandom
lowwordy
unidentifyed
16
Following Hosts
• 38495 different autoconf host IDs.
• 3304 in more than one subnet.
• Tend to be 6to4 prefixes.
• Only 148 moved more times than seen.
• Three moved regularly: 46652, 26107 and 2598.
• Looks like multihoming.
17
IEDR Data
• Two months of data from ccTLD.
• Server both IPv4 and IPv6.
• Only IPv6 analysed.
18
Results:IEDR2007-4
low
random
teredo
v4based
wordy
Fraction of IP
v6 addresses
privacy
Results for 2007−04
0.001
0.01
0.1
1
global
AP
NIC
AR
IN
AfriN
IC
LAC
NIC
RIP
E
6bone
6to4
ULA
doc
link−lo
ISA
TA
P
autocon
autofff
autothe
19
Results:IEDR2007-4
low
random
teredo
v4based
wordy
Fraction of IP
v6 addresses
privacy
Results for 2007−05
0.001
0.01
0.1
1
global
AP
NIC
AR
IN
AfriN
IC
LAC
NIC
RIP
E
6bone
6to4
ULA
doc
link−lo
ISA
TA
P
autocon
autofff
autothe
20
Results:HEAnet2007-5
low
random
teredo
v4based
wordy
Fraction of IP
v6 addresses
privacy
Results for 2007−05
0.001
0.01
0.1
1
global
AP
NIC
AR
IN
AfriN
IC
LAC
NIC
RIP
E
6bone
6to4
ULA
doc
link−lo
ISA
TA
P
autocon
autofff
autothe
21
Conclusions
• Working techniques address analysis.
• We can get more from IPv6 host ID.
• We see differences across groups.
• We see trends across time.
• We see consistence accords measurement points.
22
Future Work
• Subnet allocation within /48.
• Using co-located hosts to improve results.
• Autoconf tracking and vendor analysis.
• Anonymisation question?
• Useful for service adaption?
• Explicit validation (privacy overestimate).
23
