UNIVERSITÀ DEGLI STUDI ROMA TRE Dipartimento di Informatica e Automazione Covert Channel for One-Way Delay Measurements Mario Cola Giorgio De Lucia Daria Mazza Maurizio Patrignani Massimo Rimondini 8th International Conference on Computer Communications and Networks (ICCCN) August 4th, 2009
Transcript
Slide 1: Title
UNIVERSITÀ DEGLI STUDI ROMA TRE, Dipartimento di Informatica e Automazione
Covert Channel for One-Way Delay Measurements
Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini
18th International Conference on Computer Communications and Networks (ICCCN)
August 4th, 2009
Slide 2: Scenario
[Figure: customer sites 1 to 5, each attached to the ISP (MPLS backbone)]
Slide 3: State of the Art
[Figure: existing measurement systems arranged on an Active / Passive axis and rated on 1-way measures, Intrusive, Probes and Accuracy; "Ideal" marks the target combination]
Systems cited in the figure:
• Lossy Difference Aggregation [Kompella09]
• CAIDA reports & traces (CoralReef), Sprint IPMON
• Ipanema patent, distributed infrastructure [Arlos05]
• Cisco IP-SLA, Juniper RPM, H3C HWPing
• NLANR AMP, CAIDA Archipelago, OWAMP
• C API [Harfoush02], IPMP [Luckie02], Pathload [Jain02]
Building blocks of a measurement system:
• Control packets (sync, negotiation, aggregate results)
• Probe packets
• Traffic sampling
• Out-of-band channel
Slide 4: Our Contributions
• A measurement architecture that is passive, nonintrusive, needs no sampling, and is unaffected by lost or out-of-sequence packets
• A formal establishment of measurement accuracy
• Experimental evaluation
Slide 5: Covert Channel
We exploit unused bits of the IP header to measure the OWD.
Related work: embedding covert channels into TCP/IP [Rowland97, Murdoch05]
Slide 6
[Figure: the scenario of slide 2 again, customer sites 1 to 5 attached to the ISP (MPLS backbone)]
Slide 7: Architecture
[Figure: the same scenario with a Measurement Agent (MA) placed at each customer site, on the path between the site and the ISP (MPLS backbone)]
Slide 8: Measurement Agents, upstream component
[Flowchart]
• MA receives a packet
• Is the packet directed to a different site of the same customer?
  YES: encode timestamp, then store & forward
  NO: forward packet unchanged
Slide 9: Measurement Agents, downstream component
[Flowchart]
• MA receives a packet
• Is the packet coming from a different site of the same customer?
  YES: decode timestamp, compute aggregates, cut through
  NO: forward packet unchanged
Slide 10: Measurement Agents
QoS between different customers X, Y connected to the same backbone
[Flowchart: the same MA logic as slides 8 and 9, with the tests "coming from same customer?" and "directed to same customer?" replaced by "coming from customer Y?" and "directed to customer X?"]
Slide 11: Digging the Covert Channel
Usable bits are those not used by end systems (ES) for critical functions and not altered by intermediate systems (IS).
If customers rule out fragmentation:
• identification (16 bits)
• don't fragment (1 bit)
• reserved (1 bit)
• fragment offset (13 bits)
Further candidates:
• ttl (some of 8 bits)
• type of service (8 bits) (ok with MPLS)
IPSec: ESP, AH
v6:
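As an added example (not code from the paper or its authors), here is a Python sketch of the upstream and downstream MA steps from slides 8, 9 and 11: the upstream agent writes the send time into the 16-bit identification field and sets don't-fragment (assuming, as slide 11 does, that customers rule out fragmentation), the downstream agent verifies the checksum, recovers the timestamp and computes the OWD. The 20-byte option-free header, the addresses and the 1 ms resolution are assumptions for the example.

```python
import struct
from statistics import mean

TS_BITS = 16              # width of the identification field used as channel
TS_MOD = 1 << TS_BITS     # at 1 ms resolution the timestamp wraps every 65.536 s
DF_FLAG = 0x4000          # "don't fragment" bit in the flags/fragment-offset word

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words (RFC 791).
    Returns 0 for a header whose checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(src: bytes, dst: bytes, ident: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (no options): TTL 64, protocol TCP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def encode_timestamp(header: bytes, send_ms: int) -> bytes:
    """Upstream MA: put the send time (ms mod 2^16) into identification,
    set DF so the field is never needed for reassembly, recompute checksum."""
    flags_frag = struct.unpack("!H", header[6:8])[0] | DF_FLAG
    body = (header[:4] + struct.pack("!HH", send_ms % TS_MOD, flags_frag)
            + header[8:10] + b"\x00\x00" + header[12:])
    return body[:10] + struct.pack("!H", ipv4_checksum(body)) + body[12:]

def decode_owd(header: bytes, recv_ms: int) -> int:
    """Downstream MA: recover the send timestamp and return the OWD in ms.
    Modular subtraction absorbs the 16-bit wraparound as long as the true
    delay stays below 65.536 s; a bad checksum means the bits were altered."""
    if ipv4_checksum(header) != 0:
        raise ValueError("header checksum mismatch: timestamp unreliable")
    sent = struct.unpack("!H", header[4:6])[0]
    return (recv_ms - sent) % TS_MOD

def aggregate_owd(samples):
    """Aggregates the downstream MA reports for one site pair (ms)."""
    return {"mean_ms": mean(samples), "max_ms": max(samples)}

if __name__ == "__main__":
    hdr = build_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x01\x01")  # constructed
    stamped = encode_timestamp(hdr, 65530)        # sent just before a wrap
    print(decode_owd(stamped, 65540))             # 10 ms despite the wraparound
```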