
Covert Channel for One-Way Delay Measurements

Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini. 18th International Conference on Computer Communications and Networks (ICCCN), August 4th, 2009.


Presentation Transcript


  1. Covert Channel for One-Way Delay Measurements. Mario Cola, Giorgio De Lucia, Daria Mazza, Maurizio Patrignani, Massimo Rimondini. 18th International Conference on Computer Communications and Networks (ICCCN), August 4th, 2009

  2. Scenario [figure labels: CE and PE routers; customer sites 1 to 5; ISP (MPLS backbone)] ICCCN 2009

  3. State of the Art • Control packets • sync, negotiation, aggregate results • Probe packets. Systems and references listed on the slide: Cisco IP-SLA, Juniper RPM, H3C HWPing; Ipanema patent, Distributed infrastr. [Arlos05]; C API [Harfoush02]; IPMP [Luckie02]; Pathload [Jain02]; NLANR AMP, CAIDA Archipelago, OWAMP; CAIDA reports & traces (CoralReef), Sprint IPMON; Lossy Difference Aggregation [Kompella09]

  4. Our Contributions • A measurement architecture • passive • nonintrusive • no sampling • unaffected by lost or out-of-sequence packets • A formal establishment of measurement accuracy • Experimental evaluation

  5. Covert Channel • We exploit unused bits of the IP header to measure the OWD • Embedding covert channels into TCP/IP [Rowland97, Murdoch05] [figure labels: info, data]

  6. [figure labels: CE and PE routers; customer sites 1 to 5; ISP (MPLS backbone)]

  7. Architecture [figure labels: CE and PE routers; MAs; customer sites 1 to 5; ISP (MPLS backbone)]

  8. Measurement Agents • Upstream component [flowchart labels: MA; store & forward; receive packet; directed to (...a different site of...) same customer? YES / NO; encode timestamp; forward packet]

  9. Measurement Agents • Downstream component [flowchart labels: MA; cut through; receive packet; coming from (...a different site of...) same customer? YES / NO; decode timestamp; compute aggregates; forward packet]

  10. Measurement Agents • QoS between different customers X, Y connected to the same backbone [figure labels: MA; directed to same customer? / directed to customer X?; coming from same customer? / coming from customer Y?]

  11. Digging the Covert Channel • Usable bits • not used by ES for critical functions • not altered by IS • If customers rule out fragmentation... • identification (16 bits) • don't fragment (1 bit) • IP* • Sec: ESP, AH • v6: (ok with MPLS) • reserved (1 bit) • fragment offset (13 bits) • TTL (some of 8 bits) • type of service (8 bits)

  12. Measurement Errors • Minimize (or, at least, watch) error on: • Measurement • Margin of error • Confidence level [formula labels: actual one-way delay; computed one-way delay]

  13. Measurement Errors: Quantization Error • (Max) sync offset • Measure scale [figure labels: quantization error; upstream component; downstream component]

  14. Measurement Errors: Saturation Error • Available bits • Timestamps represented modulo bits [figure labels: error=k; error=0; error=2k; A1, A2, A3]

  15. Measurement Errors: Overall Error • e1 and e2 are statistically independent [figure labels: A1, A2, A3]

  16. Measurement Setup (1) • MAs synchronized with precision • User specifies , , and , requesting that • , • Configure MAs with , , and source & destination addresses while guaranteeing that Theorem. Let be such that and is minimized. Then, for we have .

  17. Measurement Setup (1): Example • In human words: user requires and estimates that 99.9% of the packets have delay less than 1000ms

  18. Measurement Setup (2) • Alternative scenario: • User provides and and has a constraint on • Alternative scenario: • User provides , , and • Requirements are satisfied if

  19. Experimental Setup [figure labels: Traffic generator & analyzer; MA1 (upstream component); Network impairment; MA2 (downstream component); interfaces tg_ge0, tg_ge1, ma1_ge0, ma1_ge1, ni_ge0, ni_ge1, ma2_ge0, ma2_ge1; GE links; Spirent SmartBits SMB600B; Fujitsu Siemens Primergy RX300, Dual Quad-Core Intel Xeon 5000, 8GB RAM, 2 dual-port GE NICs; Netem]

  20. Experiment 1: Validation • 14,000 packets of 896 bytes each • bandwidth utilization: 70% • variable delays (uniform distribution) and • guarantee on the delay deduced by the network impairment configuration [figure label: input]

  21. Experiment 1: Validation [plot labels: P=0.001; transmission delay of the downstream component; limited by transmission delay of the downstream component]

  22. Experiment 2: Performance [plot labels: OWD computed @ downstream component; Delay: 6010ms; Meas. time span: 20s; NIC queue saturation]

  23. Experiment 2: Performance [plot label: Bandwidth: 90%]

  24. Experiment 3: Latency • No network impairment • Delays collected by SMB [figure labels: CE; MA; switching overhead]

  25. Experiment 4: Throughput • No network impairment • 100% bandwidth utilization • Varying packet size (until first dropped) • With disabled MAs: 265,957 pkts/s, 450 bytes long • With enabled MAs: 252,016 pkts/s, 476 bytes long • 5.24% reduction

  26. Conclusions and Future Work • Take away • IP covert channel for OWD measurements is feasible • Formal analysis of measurement errors • What next • Different techniques to exploit the covert channel • Different kinds of measurements
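
The upstream and downstream components of slides 8 and 9, sketched as an added example that is not code from the presentation or its authors. It assumes only the 16-bit identification field from slide 11 carries the timestamp and that both clocks are already synchronized; the function names, the `scale_ms` parameter and the sample header are constructed for illustration.

```python
import struct

ID_OFFSET, CSUM_OFFSET = 4, 10   # IPv4 header byte offsets: identification, checksum
MOD = 1 << 16                    # assumption: only the 16-bit identification field is used

# Constructed sample: 20-byte IPv4 header, DF set, 192.0.2.1 -> 198.51.100.2, checksum zero.
SAMPLE_HEADER = bytes.fromhex("450000540000400040060000c0000201c6336402")

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the header bytes as given."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encode_timestamp(header: bytes, now_ms: int, scale_ms: int = 1) -> bytes:
    """Upstream component: overwrite the ID field with the quantized clock mod 2**16."""
    hdr = bytearray(header)
    struct.pack_into("!H", hdr, ID_OFFSET, (now_ms // scale_ms) % MOD)
    struct.pack_into("!H", hdr, CSUM_OFFSET, 0)   # zero the field before recomputing
    struct.pack_into("!H", hdr, CSUM_OFFSET, ip_checksum(bytes(hdr)))
    return bytes(hdr)

def decode_owd_ms(header: bytes, now_ms: int, scale_ms: int = 1) -> int:
    """Downstream component: modular difference of local clock and embedded stamp."""
    (stamp,) = struct.unpack_from("!H", header, ID_OFFSET)
    return ((now_ms // scale_ms - stamp) % MOD) * scale_ms

def checksum_ok(header: bytes) -> bool:
    """A header with a correct checksum sums to 0xFFFF, so the complement is zero."""
    return ip_checksum(header) == 0

if __name__ == "__main__":
    stamped = encode_timestamp(SAMPLE_HEADER, 70_000)
    print("delay 25 ms:", decode_owd_ms(stamped, 70_025), "checksum ok:", checksum_ok(stamped))
    # Clock wrap between stamping and reading is absorbed by the modular difference.
    print("across wrap:", decode_owd_ms(encode_timestamp(SAMPLE_HEADER, 65_530), 65_546))
    # A delay of 2**16 + 25 units aliases to 25: the saturation error of slide 14.
    print("saturated:", decode_owd_ms(encode_timestamp(SAMPLE_HEADER, 1_000), 66_561))
    # A coarser scale covers longer delays but rounds: 35 ms is reported as 30 ms.
    print("quantized:", decode_owd_ms(encode_timestamp(SAMPLE_HEADER, 1_003, 10), 1_038, 10))
```

A delay longer than 2^16 timestamp units aliases to a small value, which is the saturation error of slide 14; a coarser `scale_ms` extends the range at the cost of the quantization error of slide 13.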
