An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis
M. Elich, P. Velan, T. Jirsík, P. Čeleda
{elich|jirsik|celeda}@mail.muni.cz, petr.velan@cesnet.cz
The 7th IEEE Workshop on Network Measurements, Sydney, October 21-24, 2013
Part I Introduction Petr Velan et al. An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis 2 / 21
Motivation and R&D Goals

Motivation
- What are the characteristics of IPv6 transition mechanisms?
- What traffic is transported using IPv6 transition mechanisms?
- What is the impact on native IPv4 and IPv6?

Goals
- Improve existing framework accuracy/data gathering
- Analyze collected flow data to find the answers
IPv6 Tunnels
Part II Monitoring Setup
Monitoring Setup

[Figure: monitoring setup diagram. Labels: IPFIX, Top-N stats, FlowMon Exporter, IPFIXCol, Aggregation, Filtering, Packets, Raw data, IPv6 Tunnel Plugin]
Packet Processing

Packet layouts:
  IPv4 header | IPv6 header | IPv6 payload
  IPv4 header | UDP header | OPTIONAL TEREDO HEADERS | IPv6 header | IPv6 payload | OPTIONAL TEREDO TRAILERS

ENVELOPE fields: SRC IPv4 Address, DST IPv4 Address, L4 Protocol, TTL, UDP SRC Port, UDP DST Port
INNER IPv6 TRAFFIC fields: SRC IPv6 Address, DST IPv6 Address, L4 Protocol, HOP Limit, L4 SRC Port, L4 DST Port
Additional fields: Geolocation, Tunnel Type, Teredo Headers, Teredo Trailers, ...
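An added sketch, not the authors' IPv6 Tunnel Plugin, of the envelope and inner-field extraction this slide describes. Assumptions: the input is one complete IPv4 packet, Teredo is recognised on any UDP port by finding a well-formed IPv6 packet after the optional headers, protocol-41 traffic is labelled 6to4 only when an inner address is in 2002::/16, and all function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

def parse_ipv6(buf):
    """Inner-flow fields from an IPv6 header; None if buf is not a whole IPv6 packet."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", buf[4:8])
    if len(buf) < 40 + payload_len:   # sanity check that cuts UDP false positives
        return None
    return {"src6": ipaddress.IPv6Address(buf[8:24]), "dst6": ipaddress.IPv6Address(buf[24:40]),
            "next_header": next_hdr, "hop_limit": hop_limit,
            "trailer_len": len(buf) - 40 - payload_len}  # bytes after the IPv6 payload

def strip_teredo_headers(payload):
    """Skip the optional authentication and origin indication headers (RFC 4380)."""
    seen = []
    if len(payload) >= 4 and payload[:2] == b"\x00\x01":
        payload = payload[13 + payload[2] + payload[3]:]  # IDs, 8-byte nonce, confirmation
        seen.append("authentication")
    if len(payload) >= 8 and payload[:2] == b"\x00\x00":
        payload = payload[8:]                             # obfuscated port and address
        seen.append("origin")
    return seen, payload

def classify(packet):
    """Envelope plus inner IPv6 fields for a tunneled IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    body, inner = packet[(packet[0] & 0x0F) * 4:], None
    rec = {"src4": ipaddress.IPv4Address(packet[12:16]),
           "dst4": ipaddress.IPv4Address(packet[16:20]), "ttl": packet[8]}
    if packet[9] == 41:                       # IPv6-in-IPv4
        inner = parse_ipv6(body)
        six = inner and (inner["src6"].sixtofour or inner["dst6"].sixtofour)
        rec["tunnel"] = "6to4" if six else "other-proto41"
    elif packet[9] == 17 and len(body) >= 8:  # UDP on any port: candidate Teredo
        rec["udp_sport"], rec["udp_dport"] = struct.unpack("!HH", body[:4])
        rec["teredo_headers"], rest = strip_teredo_headers(body[8:])
        inner, rec["tunnel"] = parse_ipv6(rest), "teredo"
    return {**rec, **inner} if inner else None

def sample_bubble():
    """Constructed input: bubble (empty IPv6 payload) behind an origin indication."""
    addr = ipaddress.IPv6Address("2001:0:c000:201::1").packed
    v6 = struct.pack("!IHBB", 6 << 28, 0, 59, 21) + 2 * addr
    udp = struct.pack("!HHHH", 3544, 51000, 16 + len(v6), 0) + bytes(8) + v6
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 120, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + udp
```

`classify(sample_bubble())` yields one record holding both the envelope (IPv4 addresses, TTL, UDP ports) and the inner flow (IPv6 addresses, next header, hop limit), which is the pairing the slide lists.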
Part III Traffic Analysis
Monitored Links
Dataset

IPFIX Flow Data
- Collected over 7 days in January 2013
- No sampling
- Size of 2.45 TB ∼ 34 billion flows

Per Flow Information
- Regular flow information
- Encapsulated flow information (as IPFIX Enterprise elements)
Analysis

We analysed the following characteristics:
- Location of IPv4, IPv6 and tunnel endpoints
- CCDF of flow duration, packets per flow, packet size
- TTL distribution of IPv4 and IPv4 tunnel traffic
- HOP distribution of IPv6 and encapsulated IPv6 traffic
- 6to4 and Teredo frequency
- Port number frequency
- Teredo Servers
CCDF – Highlights

Generally
- Most flows are shorter than 10 seconds

Tunneled Traffic
- Fewer short duration flows than IPv4 or IPv6 traffic

Encapsulated Traffic
- Smaller number of packets larger than 400 B

[Figure: CCDF P[X>x] of bytes per packet for TCP/UDP encapsulated traffic, all encapsulated traffic, native IPv6 traffic and IPv4 traffic]
TTL distribution

[Figure: Flows (%) by TTL Value for All IPv4 Traffic and Tunnel Traffic; annotated value ranges: Linux, Windows]
TTL distribution

IPv4 traffic containing IPv6 payload
- Windows traffic accounts for 60.3 % of the total traffic
- Linux machines account for 23.8 %
- 6to4 traffic from anycast addresses (TTL 255) accounts for 3.8 %
- TTL 1 – 32 makes up 12.2 %

IPv4 Traffic
- Larger portion of Linux traffic
- TTL values of 32 and 255 are not as significant
HOP distribution

[Figure: Flows (%) by HOP Value for IPv6 Tunnel Traffic and Native IPv6 Traffic; annotations: Teredo bubble, IPv6 NDP, Linux + Windows]
HOP distribution

Native and Tunneled IPv6 Traffic
- HOP limit of 51 – 64 is most frequent.

Tunneled traffic
- Values are distributed with much less entropy
- Limits 21, 64, 128 and 255 are the most frequent
- Value 21 is used for Teredo bubbles by Windows
- Value 255 is used for IPv6 neighbor discovery messages
- Traffic never traversed the IPv6 network ⇒ HOP limit untouched
Location of Tunnel Endpoints

[Figure: two bar charts of Flows (%) per endpoint location; series: Source Teredo, Source 6to4, Destination Teredo, Destination 6to4]
Historical Comparison

Historical Traffic
- We measured tunneled IPv6 traffic in 2010
- CESNET links to SANET, PIONIER and NIX

Comparison
                  2010               2013
                  flows    bytes     flows    bytes
Tunneled IPv6     1.5 %    0.66 %    1.5 %    1.28 %
Native IPv6       0.1 %    0.21 %    3.4 %    4.42 %
HTTP(s), DNS      1.0 %    -         5.5 %    -
Part IV Conclusion
Conclusion

Summary
- Tool for investigating IPv6 tunneled traffic
- Teredo and 6to4 traffic behavior
- Understanding of encapsulated IPv6 traffic

Future Work
- Security analysis of tunneled IPv6 traffic
- Detection methods development
Thank You For Your Attention!

An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis
P. Velan, petr.velan@cesnet.cz
M. Elich, T. Jirsík, P. Čeleda, {elich|jirsik|celeda}@mail.muni.cz

IPv6 Tunnel Monitoring Plugin
http://www.muni.cz/ics/920232/web/ipv6-tunnel-plugin