University of Nevada, Reno Router-level Internet Topology Mapping CS790 Presentation Modified from Dr. Gunes slides by Talha OZ

Outline Introduction Internet Topology Measurement – Topology Discovery Issues – Impact of IP Alias Resolution Topology Discovery – Resolving Anonymous Routers Graph-based Induction Technique – Resolving Alias IP Addresses Analytical and Probe-based Alias Resolution – Resolving Genuine Subnets Dynamic Subnet Inference Summary Internet Topology Discovery 2

Internet Web of interconnected networks – Grows with no central authority – Autonomous Systems optimize local communication efficiency – The building blocks are engineered and studied in depth – Global entity has not been characterized Most real world complex-networks have non-trivial properties. Global properties can not be inferred from local ones – Engineered with large technical diversity – Range from local campuses to transcontinental backbone providers 3

Internet Measurements Understand topological and functional characteristics of the Internet – Essential to design, implement, protect, and operate underlying network technologies, protocols, services, and applications Need for Internet measurements arises due to commercial, social, and technical issues – Realistic simulation environment for developed products, – Improve network management – Robustness with respect to failures/attacks – Comprehend spreading of worms/viruses – Know social trends in Internet use – Scientific discovery Scale-free (power-law), Small-world, Rich-club, Dissasortativity,… Internet Topology Discovery 4

Internet Topology Measurement Types of Internet topology maps – Autonomous System (AS) level maps – Router level maps A router level Internet map consists of – Nodes: End-hosts and routers – Links: Point-to-point or multi-access links Router level Internet topology discovery – A process of identifying nodes and links among them Internet Topology Discovery 5 Lumenta Jan 06CAIDA Jan 08CAIDA Jan 00

6 Current Schema

Internet Topology Measurement Background Internet topology measurement studies Involves topology collection / construction / analysis Current state of the research activities Distributed topology data collection studies/platforms – iPlane, Skitter, Dimes, DipZoom, … – 20M path traces with over 20M nodes (daily) Topology discovery issues 1.Sampling 2.Anonymous routers 3.Alias IP addresses 4.Genuine subnets Internet Topology Discovery 7

Internet Topology Measurements Probing Direct probing Indirect probing Internet Topology Discovery 8 A DBC IP B TTL=64 IP B IP D TTL=64 IP D Vantage Point A DBC IP B IP D TTL=2IP D TTL=1 IP C

Internet Topology Measurement Topology Collection (traceroute) Probe packets are carefully constructed to elicit intended response from a probe destination traceroute probes all nodes on a path towards a given destination – TTL-scoped probes obtain ICMP error messages from routers on the path – ICMP messages includes the IP address of intermediate routers as its source Merging end-to-end path traces yields the network map Internet Topology Discovery 9 S DABC Destination TTL=1 IP A TTL=2 IP B TTL=3 IP C TTL=4 IP D Vantage Point

Internet Topology Measurement: Background Internet Topology Mapping 10 S L U H C N W A s.2 l.1 s.3 u.1 l.3 u.3 h.1 k.3 h.2 h.3 a.3 u.2 k.1 c.4 a.1 a.2 w.3 c.3 w.1 c.2 n.1 n.3 w.2 l.2 K c.1 k.2 d h.4 Trace to Seattle h.4 l.3 s.2 Trace to NY h.4 a.3 w.3 n.3 Internet2 backbone

Internet Topology Measurement: Background Internet Topology Mapping 11 S L U C N A s.2 l.1 s.3 u.1 l.3 h.1 k.3 h.2 a.3 u.2 k.1 c.4 a.1 a.2 w.3 c.3 w.1 c.2 n.1 n.3 w.2 l.2 K c.1 k.2 h.3 d h.4 s.1 e f n.2 H W u.3

Internet Topology Measurement Topology Collection Internet Topology Discovery 12 Internet2 backbone Traces d - H - L - S - e d - H - A - W - N - f e - S - L - H - d e - S - U - K - C - N - f f - N - C - K- H - d f - N - C - K - U - S - e S L U K C H A W N e d f

Topology Sampling Issues Sampling to discover networks – Infer characteristics of the topology Different studies considered – Effect of sample size [Barford 01] – Sampling bias [Lakhina 03] – Path accuracy [Augustin 06] – Sampling approach [Gunes 07] – Utilized protocol [Gunes 08] ICMP echo request TCP syn UDP port unreachable Internet Topology Discovery 13

Topology Sampling Approaches Sampling techniques – Path sampling Diameter – Edge sampling Capacity – Node sampling Degree characteristics Sampling approach – (n,n) – traceroute based topology Returns the Internet map among n vantage points – (k,m) – traceroute based topology where k<<m (k=n) Returns the Internet map between k sources and m destinations Internet Topology Discovery 14 Path sampling vs Node sampling (k,m)-sampling vs (n,n)-sampling

Historical Perspective on Responsiveness Data Set ICMP path traces from skitter – 1 st collection cycle of each year (from 1999 to 2008) Skitter had updates to destination IP addresses – major update in the system in 2004 Processing – Alias IP addresses Analytical Alias Resolver (AAR) [Gunes-06] Analytical and Probe Based Alias Resolver (APAR) [Gunes-09] – Anonymous routers Graph Based Induction (GBI) [Gunes-08] Internet Topology Discovery 15

Current Practices in Responsiveness Data Set 536,743 destination IP addresses – from skitter and iPlane projects Between 7-11 April 2008 Probes – ICMP echo request – TCP SYN – UDP to random ports Direct probes – ping Indirect probes – traceroute Internet Topology Discovery 16

Current Practices in Responsiveness Direct probes Internet Topology Discovery 17 ProbeResponsive (%) ICMP81.9 TCP67.3 UDP59.9 Anonymous (%) Router (%) End-host (%) K IPs 320 K217 K

Current Practices in Responsiveness Direct probes (domain) Internet Topology Discovery 18 ProbeAnonymous (%) ICMP18.1 TCP32.7 UDP40.1.net (%).com (%).edu (%).org (%).gov (%) K IPs5 K1.7 K25.5 K10.1 K0.5 K

Current Practices in Responsiveness Indirect probes Internet Topology Discovery 19 ProbeReached (%) Nodes (thousand) Anonymous (%) ICMP93.11, TCP UDP45.01, Nodes (thousand) Anonymous (%) InitialFinal 306 K traces

Current Practices in Responsiveness Internet Topology Discovery 20 Nodes that respond to indirect probes might not respond to direct probes Nodes are most responsive to ICMP probes (%82) least responsive to UDP probes (%60) End hosts are less responsive than routers Responsiveness is similar for different domains

Anonymous Router Resolution Problem Internet Topology Discovery 21 Anonymous routers do not respond to traceroute probes and appear as a in path traces – Same router may appear as a in multiple traces. – Anonymous nodes belonging to the same router should be resolved. Anonymity Types 1. Ignore all ICMP packets 2. ICMP rate-limiting 3. Ignore ICMP when congested 4. Filter ICMP at border 5. Private IP address

Anonymous Router Resolution Problem Internet Topology Discovery 22 Internet2 backbone S L U K C H A W N e d Traces d - - L - S - e d - - A - W - - f e - S - L - - d e - S - U - - C - - f f - - C d f - - C - - U - S - e f

Anonymous Router Resolution Problem Internet Topology Discovery 23 UKCN LHAW S d e f Sampled network d e f S U L C A W Resulting network Traces d - - L - S - e d - - A - W - - f e - S - L - - d e - S - U - - C - - f f - - C d f - - C - - U - S - e

Alias Resolution Each interface of a router has an IP address. A router may respond with different IP addresses to different queries. Alias Resolution is the process of grouping the interface IP addresses of each router into a single node. Inaccuracies in alias resolution may result in a network map that – includes artificial links/nodes – misses existing links Internet Topology Discovery Denver

Internet Topology Discovery 25 IP Alias Resolution Problem S L U C N W A s.2 l.1 s.3 u.1 l.3 u.3 h.1 k.3 h.2 a.3 u.2 k.1 c.4 a.1 a.2 w.3 c.3 w.1 c.2 n.1 n.3 w.2 l.2 K c.1 k.2 h.3 d h.4 s.1 e f n.2 H Traces d - h.4 - l.3 - s.2 - e d - h.4 - a.3 - w.3 - n.3 - f e - s.1 - l.1 - h.1 - d e - s.1 - u.1 - k.1 - c.1 - n.1 - f f - n.2 - c.2 - k.2 - h.2 - d f - n.2 - c.2 - k.2 - u.2 - s.3 - e

IP Alias Resolution Problem Internet Topology Discovery 26 UKCN LHAW S d e f Sampled network Sample map without alias resolution s.3 s.1 s.2 l.3 l.1 u.1 u.2 k.1 c.1n.1 n.2 k.2 c.2 w.3 a.3 h.2 h.4 h.1 e d f n.3 Traces d - h.4 - l.3 - s.2 - e d - h.4 - a.3 - w.3 - n.3 - f e - s.1 - l.1 - h.1 - d e - s.1 - u.1 - k.1 - c.1 - n.1 - f f - n.2 - c.2 - k.2 - h.2 - d f - n.2 - c.2 - k.2 - u.2 - s.3 - e

Genuine Subnet Resolution Internet Topology Discovery 27 Alias resolution – IP addresses that belong to the same router Subnet resolution – IP addresses that are connected over the same medium IP2IP3 IP4 IP1 IP6IP5 IP2 IP3 IP1 IP2IP3 IP1

Outline Internet Topology Discovery 28 Introduction Internet Topology Measurement – Topology Discovery Issues – Impact of IP Alias Resolution Topology Discovery – Resolving Anonymous Routers (Hakans work !) Graph-based Induction Technique – Resolving Alias IP Addresses Analytical and Probe-based Alias Resolution – Resolving Genuine Subnets Dynamic Subnet Inference Summary

Summary - Anonymous Router Resolution Internet Topology Discovery 29 DA C E GBI DA C E Underlying DA C E Collected DA C E Neighbor Matching Responsiveness reduced in the last decade NP-hard problem Graph Based Induction Technique Practical approach for anonymous router resolution Takes ~6 hours to process data sets of ~20M path traces Identifies common structures Handles all anonymity types Helpful in resolving multiple anonymous routers in a locality

Outline Internet Topology Discovery 30 Introduction Internet Topology Measurement – Topology Discovery Issues – Impact of IP Alias Resolution Topology Discovery – Resolving Anonymous Routers Graph-based Induction Technique – Resolving Alias IP Addresses Analytical and Probe-based Alias Resolution – Resolving Genuine Subnets Dynamic Subnet Inference Summary

IP Alias Resolution Problem A set of collected traces – w, …,b1, a1, c1, …, x – z, …,d1, a2, e1, …, y – x, …,c2, a3, b2, …, w – y, …,e2, a4, d2, …, z Internet Topology Discovery 31 a c d b e a sub-graph a1 c1 b2 b1 c2 with no alias resolution w zy x xw a3 a2 e1 d2 d1 e2 yz a4 Sample map from the collected path traces A router may appear with different IP addresses in different path traces Need to resolve IP addresses belonging to the same router

IP Alias Resolution Problem Internet Topology Discovery 32 a c1 b2 b1 c2 partial alias resolution (only router a is resolved) x w e1 d2d1 e2 y z partial alias resolution (only router a is not resolved) a2 c d b e w zy x a3 a4 a1 a c d b e sub-graph w zy x

IP Alias Resolution: Previous Approaches Source IP Address Based Method [Pansiot 98] – Relies on a particular implementation of ICMP error generation. IP Identification Based Method (ally) [Spring 03] – Relies on a particular implementation of IP identifier field, – Many routers ignore direct probes. DNS Based Method [Spring 04] – Relies on similarities in the host name structures sl-bb21-lon-14-0.sprintlink.net sl-bb21-lon-8-0.sprintlink.net – Works when a systematic naming is used. Record Route Based Method [Sherwood 06] – Depends on router support to IP route record processing Internet Topology Discovery 33 Dest = A B Dest = B A, ID=100 Dest = B B, ID=99 B, ID=103 A B A B

Analytical Alias Resolution Approach Leverage IP address assignment convention to infer IP aliases – Identify symmetric path segments within the collected set of path traces – Infer IP aliases – Use a number of checks to Remove false positives Increase confidence in the identified IP aliases Internet Topology Discovery 34

IP address Assignment Practices Point-to-point Links For a point-to-point link – use either /30 subnet or /31 subnet The interface IP addresses on the link are consecutive and are within /30 subnet or /31 subnet – use to represent subnet relation between two IP addresses Use subnet relation () to infer IP aliases Internet Topology Discovery 35 AB / /31 /30 network /31 network

IP address Assignment Practices Multi-access Links A similar relation between IP addresses belonging to the same multi-access link holds Example: Consider two IP addresses A: and B: – A and B are not together in a /30 or a /31 subnet – However, they are together in /29 subnet /29 A: B: Internet Topology Discovery 36 AB /29 subnet

Analytical Alias Resolution Sample traceroute pairs Internet Topology Discovery 37 MIT UTD no response no response Aliases …

APAR Analytical and Probe-based Alias Resolution There is possibility of – incorrect subnet assumption, Two /30 subnets assumed as a /29, – incorrect alignment of path traces. IP 4 and IP 8 are thought of as aliases. To prevent false positives, some conditions are defined – Trace preservation, – Distance preservation (probing component of APAR), – Completeness, – Common neighbor. Internet Topology Discovery 38 a sample network a cd b ef IP 1 IP 2 IP 9 IP 3 IP 4 IP 8 IP 7

Analytical Alias Resolution Main Idea Use traceroute collected path traces only – No probing is required at this point Study the relations between IP addresses in different traces – Infer subnets: Use the IP address assignment convention to infer Point-to-point (/30 or /31) subnets, or Multi-access (/x where x<30) subnets from the path traces – Infer IP aliases: Align path segments to infer IP aliases from the detected subnets Internet Topology Discovery 39

Analytical Alias Resolution: Potential Issues Problems with inferring subnets accurately – False positive: two separate subnets with consecutive /30 subnet numbers may be inferred as one /29 subnet – False negative: a /29 subnet may be inferred as two separate /30 subnets Problems with inferring IP aliases accurately – False positives and false negatives possible due to incorrectly formed subnets – Both false positives and false negatives introduce inaccuracies to the resulting topology map Internet Topology Discovery 40

Analytical Alias Resolution Potential Solutions How to verify the accuracy of formed subnets – Accuracy condition: Two or more IP addresses from the same subnet cannot appear in a loop- free trace (unless they are consecutive) Check if a newly formed subnet violates this condition for any pair of available IP addresses from this subnet in any other path trace – Completeness condition: To infer a /x subnet among a set of IP addresses that belong the address range, require that some fraction (e.g., 50%) of these addresses appear in our data set Needed to increase our confidence on the inferred subnet – Processing order: Start with subnets with higher completeness ratio Internet Topology Discovery 41

Analytical Alias Resolution Potential Solutions How to verify the accuracy of inferred IP aliases – No loop condition: No inferred IP aliases should introduce any routing loops in any of the path traces Example: Consider two traces (…, a, b, c, d, …) (…, e, f, g, h, b, i, …)(reverse trace) Assume a subnet relation (g c) Inferred alias pair: (b,g) CAUSES LOOP! Internet Topology Discovery 42

Analytical Alias Resolution Potential Solutions How to verify the accuracy of inferred IP aliases – Common neighbor condition: Given two IP addresses s and t that are candidate aliases belonging to a router R, one of the following cases should hold: 1.s and t have a common neighbor in some path trace 2.There exists an alias pair (b,o) such that – b is a successor (or predecessor) of s – o is a predecessor (or successor) of t 3.involved traces are aligned such that they form two subnets, one at each side of router R – Distance condition: Given two IP addresses s and t that are candidate aliases for a router R, s and t should be at similar distance to a vantage point Adds an active probing component to the solution Internet Topology Discovery 43

Evaluations Coverage Comparisons AMP: ally (1,884 pairs) and APAR (2,034 pairs) iPlane: ally (39,191 pairs) and APAR (50,206 pairs) Internet Topology Discovery 44 1,003 Causing LoopAlly APARAlly disagree AllyAPAR Ally disagree Causing loop Source IP based 11,070 2,514 8,206 3,058 6,179 iPlane10,67822,886 ? Complete ally requires (275K) 2 probes

Summary Analytical and Probe-base Alias Resolution IP alias resolution task has a considerable effect on most of the analyzed topological characteristics – In general, false negatives have more impact than false positives. APAR – benefits from IP address assignment of links, – focuses on structural connections between routers, – more effective on data sets that include symmetric path segments collected from large number of vantage points – requires no/minimal probing overhead. complements probe-based approaches Internet Topology Discovery 45

Outline Introduction Internet Topology Measurement – Topology Discovery Issues – Impact of IP Alias Resolution Topology Discovery – Resolving Anonymous Routers Graph-based Induction Technique – Resolving Alias IP Addresses Analytical and Probe-based Alias Resolution – Resolving Genuine Subnets Dynamic Subnet Inference Summary Internet Topology Discovery 46

Genuine Subnet Resolution Problem Subnet resolution – Identify IP addresses that are connected over the same medium Improve the quality of resulting topology map Internet Topology Discovery 47 IP2 IP3 IP1 IP2IP3 IP1 (observed topology)(inferred topology)(underlying topology) CD AB CD AB CD AB CD AB

Subnet Resolution: Advantages Improve the quality of resulting topology map vs Increase the scope of the map Internet Topology Discovery 48 (observed topology)(inferred topology)(genuine topology) CD AB CD AB CD AB CD AB CD AB CD AB

Subnet Resolution: Advantages Improve alias resolution process – Reduce the number of probes in ally based alias resolution ally tool requires O(n 2 ) probes to resolve aliases among n IP addresses. – We could determine ally probes based on subnets This approach reduces the number of probes to O(n.s) where s is the average of number of IP addresses in a subnet. Internet Topology Discovery 49 Trace: IP a ……...IP b ……... IP c ……... IP d IP e IP f IP g IP h IP i IP k IP l subnets

Subnet Resolution: Approach 50 Importance of IP Alias Resolution /16 /30 /31 /24 /28 / / / / / / / / /31

Genuine Subnet Resolution Trace Preservation Internet Topology Discovery / / /21 /30 /31 /24 /28 / / / / / / / / / / / /22

Genuine Subnet Resolution Distance Preservation Internet Topology Discovery V.P. /30 /31 /24 /28 / / / / / / / / / / / / / /31

Genuine Subnet Resolution Dynamic Subnet Inference Approach Inferring Subnets – Cluster IP addresses into maximal subnets up to a given size (e.g. /24) – Perform accuracy and distance analysis on candidate subnets and break them down as necessary. IP1 IP2 IP3 IP4 IP5 IP6 IP7 IP8 IP9 – Completeness: Ignore candidate subnets that have less than one quarter of their IP addresses present. Internet Topology Discovery 53 /25 /29 /26 /30 /31 /27 A /27 subnet can have up to 2 5 IP addresses. /24

Internet2 backbone topology on Apr 29, 2007 Inferred 116 verifiable subnets 95 exact size 12 smaller (observed IPs formed a smaller subnet) 9 bigger (false positives) Evaluations Internet2 backbone verification Internet Topology Discovery subnets 547 routers 793 IPs R1 H1 1 R4 9 R2 R3 2 6 R /29 R10 2 R /28 R2 6 R6 1 R1 /29

Summary Genuine Subnet Resolution Identified a new step (i.e., subnet inference) to improve topology mapping studies. Introduced a technique to infer subnets and demonstrated its effectiveness – Detect connectivity between nodes An inferred /24 subnet had only a single link between two of its 73 observed IP addresses. – Using subnets, we may reduce the number of ally probes for alias IP resolution e.g. 362K to 35.5K. Internet Topology Discovery 55

Outline Introduction Internet Topology Measurement – Topology Discovery Issues – Impact of IP Alias Resolution Topology Discovery – Resolving Anonymous Routers Graph-based Induction Technique – Resolving Alias IP Addresses Analytical and Probe-based Alias Resolution – Resolving Genuine Subnets Dynamic Subnet Inference Summary Internet Topology Discovery 56

Summary The Internet is man-made, so why do we need to measure it? – Because we still dont really understand it Sometimes things go wrong – Measurement for network operations Detecting and diagnosing problems What-if analysis of future changes – Measurement for scientific discovery Creating accurate models that represent reality Identifying new features and phenomena Researchers have been sampling and analyzing Internet topology – Building network graph from raw-data is not easy. – There are several issues due to sampling Resolving anonymous routers, IP aliases, and genuine subnets – Huge computational and probing overhead due to very large data size Internet Topology Discovery 57

Questions ? Internet Topology Discovery 58