Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

Abstract

It is often useful to learn the path that packets take through the Internet, especially when dealing with certain denial-of-service attacks.

Bellovin [Page 1] Internet Draft draft-bellovin-itrace
Published (Last): 16 September 2011
We propose a new ICMP message, emitted randomly by routers along the path and sent randomly to the destination to provide useful information to the attacked party, or to the origin to provide information to decipher reflector attacks.
Introduction

It is often useful to learn the path that packets take through the Internet. This is especially important for dealing with certain denial-of-service attacks, where the source IP address is forged.
There are other uses as well, including path characterization and detection of asymmetric routes. There are existing tools, such as traceroute, but these generally provide the forward path, not the reverse. When forwarding packets, routers can, with a low probability, generate a Traceback message that is sent along to the destination or back to the source.
With enough Traceback messages from enough routers along the path, the traffic source and path of forged packets can be determined. Some elements will contain other elements as described below.

Field: a component of the proposed message which is identified through its relative position within the header or within a particular element.

Generator: the router which itself generates the ICMP Traceback message, or on behalf of which this message is generated by some other entity.

Link: a logical connection between the Generator and another entity, along which the traced packet has passed.

Peer: the entity at the other end of the link, which either sent the traced packet to the Generator or received it from the Generator.

2. Message Definition

The fields within each element are similarly concatenated without intervening padding. The diagrams presenting the individual elements therefore show the length and relative order of the fields making them up, but do NOT indicate alignment on any specific boundary.
Each field beyond the initial type code and length is shown beginning on a separate line, although in fact fields are contiguous in the actual message. The numeric values for this field will be assigned by IANA. Top-level elements may appear in any order, and a receiver MUST be capable of processing them in any order.
Elements contained within the VALUE field of a parent element may also appear in any order within that field and present a similar requirement to the receiver. Elements are placed consecutively within the message body without intervening padding; hence elements in general are not aligned to word boundaries.
A Link element specifies a link along which the traced packet travelled to or from the Generator. Link elements are further designed for examination by network operations personnel, and thus contain human-useful information such as interface names; this is encoded in an Interface Name element. The association string is an opaque blob which is used to tie together Traceback messages emitted by adjacent routers.
Thus all Link elements referring to the same link MUST use the same value for the association string, regardless of which entity generates them. If there are no such addresses (say, for a point-to-point link), a suitable string MUST be provisioned in both routers; this is encoded in an Operator-Defined Link Identifier element.
The fields of the Address Pair elements are always arranged in "forward order" from the point of view of the traced packet. That is, the "destination" field is always the address of the entity closer to the ultimate recipient of the traceback packet. Element lengths shown include the type and length fields. Elements may appear in a different order from that shown.
Its structure is the same as that of the Back Link element. The length is variable. As noted above, the addresses MUST always be presented in the order of their traversal by the traced packet. Further definition will emerge in a later document. The timestamp MUST be consistent with i. It appears as an unsigned integer, of one, two, or four octets. We thus need authentication techniques that are robust but quite cheap to verify.
The ideal form of authentication would be a digital signature. It is unlikely, though, that routers will be able to afford such signatures on all Traceback packets. Thus, although we leave hooks for such a variant, we do not further define it at this time. This identifies the hash algorithm used. Where header information is mutable during transport, such information is set to zero (0x00) for purposes of calculating the HMAC.
This field is as long as is appropriate for the given MAC algorithm. The disclosure need not appear if there are no keys to be disclosed according to the criteria [TBD]. The Editor suggests that the basic principle governing the number of keys that should be disclosed is that there be a reasonable probability e.
This makes the number of keys a function of the rate of generation of ITrace packets and the rate at which keys are changed. Further analysis may give more concrete results. The algorithm is assumed to be the same as that used to authenticate the current message and shown in the HMAC Authentication Data element.
The signature covers the entire Key Disclosure List element, including the Disclosure Signature element, but excluding the signature length and actual signature within that element.
This element also contains a URL, suitable for retrieving an X. The URL is present because digital signatures are useless without some way of authenticating the public key of the signer. The ideal form of authentication would be a certificate-based scheme rooted in the address registries. That is, the registries are the authoritative source of information on who owns which addresses; they are thus the only party that can easily issue such certificates. Current registry-based databases can be used to verify the owner of an address block; this information can in turn be used to locate the appropriate root key.
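As an added illustration (not code from the draft), the following Python encodes and parses the unpadded type/length/value elements described above and computes the HMAC Authentication Data element with its MAC field zeroed, as the text requires for mutable data. The 1-octet tag, 2-octet length and the tag numbers themselves are assumptions, since the page gives neither; the sample Back Link element and key are constructed.

```python
import hashlib, hmac, struct

# Tag numbers are placeholders: the page says the real values are assigned by IANA.
BACK_LINK, INTERFACE_NAME, IPV4_ADDRESS_PAIR, OPERATOR_LINK_ID, HMAC_AUTH = 1, 2, 3, 4, 5
# Assumed element header: 1-octet tag, 2-octet big-endian length that counts the header too.
HDR = struct.Struct("!BH")

def element(tag, value):
    """Encode one TLV element; no padding, so the next element starts right after VALUE."""
    return HDR.pack(tag, HDR.size + len(value)) + value

def parse(buf):
    """Walk a concatenation of elements and return [(tag, value), ...] in wire order."""
    out, off = [], 0
    while off < len(buf):
        tag, length = HDR.unpack_from(buf, off)
        if length < HDR.size or off + length > len(buf):
            raise ValueError("element at offset %d has a bad length" % off)
        out.append((tag, buf[off + HDR.size:off + length]))
        off += length
    return out

def build_message(key, elements, algo_id=1):
    """Append an HMAC element (algorithm id + MAC); the MAC field is zeroed while computing it."""
    body = b"".join(elements)
    zeroed = element(HMAC_AUTH, bytes([algo_id]) + bytes(hashlib.sha256().digest_size))
    mac = hmac.new(key, body + zeroed, hashlib.sha256).digest()
    return body + element(HMAC_AUTH, bytes([algo_id]) + mac)

def verify_message(key, msg):
    """Rebuild the message with the MAC field zeroed and compare in constant time."""
    rebuilt, received = b"", None
    for tag, value in parse(msg):          # elements may arrive in any order
        if tag == HMAC_AUTH:
            received = value[1:]
            value = value[:1] + bytes(len(received))
        rebuilt += element(tag, value)
    if received is None:
        return False
    return hmac.compare_digest(hmac.new(key, rebuilt, hashlib.sha256).digest(), received)

# Constructed sample: one Back Link element carrying nested Interface Name, Address Pair
# and Operator-Defined Link Identifier elements, authenticated with a demo key.
DEMO_KEY = b"constructed-demo-key"
DEMO_LINK = element(BACK_LINK, element(INTERFACE_NAME, b"ge-0/0/1")
                    + element(IPV4_ADDRESS_PAIR, bytes([192, 0, 2, 1, 192, 0, 2, 2]))
                    + element(OPERATOR_LINK_ID, b"assoc-12"))
DEMO_MESSAGE = build_message(DEMO_KEY, [DEMO_LINK])
```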
3. Procedures

It MUST then randomly select, with equal probability, whether to send this packet to the origin or to the destination of the sampled packet. Some requirements are imposed on the IP header of the Traceback packet. If that interface has multiple addresses, the address chosen SHOULD, if possible, be the one by which this router is known to the previous hop.
If the Traceback packet follows the same path as the data packets, this provides an unambiguous indication of the distance from this router to the destination. More importantly, by comparing the distances with the link elements, a chain can be constructed and partially verified even without examining the authentication fields. If the average maximum diameter of the Internet is 20 hops, that translates to a net increase in traffic at the origin and destination of about.
This will help block attempts to time attack bursts. There does not appear to be any requirement for cryptographically strong pseudo-random numbers. A suggested scheme involves examination of the low-order bits of a linear congruential pseudo-random number generator (LCPRNG). If they are all set to 1, the packet should be emitted. As long as the period of the generator is maximal, all values, including all 1s in the low-order bits, will occur with the proper probability.
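The emission test described above, as an added example rather than the draft's own code: a 32-bit linear congruential generator with an assumed full-period parameter set, emission when the low-order bits are all 1s, and the resulting rate, spacing and per-path traffic increase.

```python
# LCG constants are an assumption (the common 32-bit a=1664525, c=1013904223 set); the page
# only asks for a maximal-period generator, which these satisfy (c odd, a-1 divisible by 4).
LCG_A, LCG_C, LCG_MASK = 1664525, 1013904223, 0xFFFFFFFF

class TraceSampler:
    """Decide, per forwarded packet, whether to emit a Traceback message.

    A message is emitted when the low-order `bits` bits of the next LCG output are
    all 1s, which happens with probability 2**-bits over a full cycle."""

    def __init__(self, bits, seed=1):
        self.ones = (1 << bits) - 1
        self.state = seed & LCG_MASK

    def next_value(self):
        self.state = (LCG_A * self.state + LCG_C) & LCG_MASK
        return self.state

    def should_emit(self):
        return (self.next_value() & self.ones) == self.ones

def emission_count(bits, packets, seed=1):
    """Number of Traceback messages emitted while forwarding `packets` packets."""
    sampler = TraceSampler(bits, seed)
    return sum(1 for _ in range(packets) if sampler.should_emit())

def emission_gaps(bits, packets, seed=1):
    """Distances (in packets) between successive emissions; shows how regular the pattern is."""
    sampler = TraceSampler(bits, seed)
    hits = [i for i in range(packets) if sampler.should_emit()]
    return [b - a for a, b in zip(hits, hits[1:])]

def traffic_increase(per_router_probability, diameter_hops):
    """Fraction of extra packets seen at origin plus destination when every router on a
    path of `diameter_hops` routers samples independently with the same probability."""
    return per_router_probability * diameter_hops
```

With a power-of-two modulus the low-order bits cycle with period exactly 2**bits, so emissions fall on a fixed schedule rather than at random positions; sampling higher-order bits or reseeding per interface keeps the same average rate without that regularity.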
Although this document describes a router-based implementation of Traceback messages, most of the functionality can be implemented via outboard devices. For example, suitable laptop computers can be used to monitor LANs, and emit the traceback messages as appropriate, on behalf of all of the routers on that LAN. Messages exceeding this rate would be silently dropped.
If such functionality is implemented, the host SHOULD provide a counter displaying how many messages have been dropped. If there are no such addresses (say, for a point-to-point link), a suitable string MUST be provisioned in both routers, to be used as the Operator-Defined Link Identifier. Some further validation can be done before the HMAC keying information is disclosed. In particular, when messages appearing to relate to adjacent segments of a chain have been identified, recipients SHOULD use the TTL field differences in conjunction with the link elements to verify the chain.
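An added example of the receiver-side check described above (not from the draft): Traceback messages that arrived at the destination are ordered by the hop distance implied by their TTL, and adjacent routers are checked for matching link association strings before any keys are fetched. The starting TTL of 255, the message field names and the three sample routers are assumptions.

```python
INITIAL_TTL = 255  # assumption: generators send Traceback packets with this starting TTL

def hop_distance(msg):
    """Hops from the generating router to the receiver, read off the arriving TTL."""
    return INITIAL_TTL - msg["ttl"]

def verify_chain(messages):
    """Order Traceback messages received at the destination and check adjacent pairs.

    Each message carries the generating router's id, the TTL the packet arrived with,
    and the association strings of its Back Link and Forward Link elements. Adjacent
    routers must be one hop apart and must name the shared link with the same string.
    Returns (chain, problems): chain lists router ids from the origin side to the
    destination side; problems lists (far_router, near_router, reason) tuples."""
    ordered = sorted(messages, key=hop_distance, reverse=True)
    chain, problems = [m["router"] for m in ordered], []
    for far, near in zip(ordered, ordered[1:]):
        if hop_distance(far) - hop_distance(near) != 1:
            problems.append((far["router"], near["router"], "distance gap"))
        elif far["forward_link"] != near["back_link"]:
            problems.append((far["router"], near["router"], "association mismatch"))
    return chain, problems

def consistent_routers(messages):
    """Routers whose position survives the TTL/link check; only their HMAC keys need
    to be fetched and verified (the 'further validation' the page asks for)."""
    chain, problems = verify_chain(messages)
    flagged = {r for pair in problems for r in pair[:2]}
    return [r for r in chain if r not in flagged]

# Constructed sample: three routers R1 -> R2 -> R3 on the path toward the destination.
SAMPLE = [
    {"router": "R2", "ttl": 251, "back_link": "assoc-12", "forward_link": "assoc-23"},
    {"router": "R3", "ttl": 252, "back_link": "assoc-23", "forward_link": "assoc-3d"},
    {"router": "R1", "ttl": 250, "back_link": "assoc-s1", "forward_link": "assoc-12"},
]
```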
The processing entity SHOULD then verify the signature on the key before applying the key itself to validation of the message. That is, in-flight packets may have their ID field changed to provide information about the path. The recipient can decode this information. No extra traffic is generated. However, there are disadvantages as well. Moreover, AH [ RFC ] provides cryptographic protection for the ID field; if it is modified, the packet will be discarded by the receiving system.
And IPv6 has no ID field at all. A number of other packet-marking schemes have been proposed. In this scheme, routers along the path are queried about whether or not they have seen a certain packet; a very compact representation is used to store recent history. The problem is that queries must be done very soon after the attack, unless the routers have some way of offloading historical data to bulk storage.
A sensor that detects an attack tells its neighbors; they in turn look for the same signature, and notify their neighbors. The current prototype only works within an administrative domain; work is currently under way to produce an inter-domain version.

Security Considerations

It is quite clear that this scheme cannot cope with all conceivable denial of service attacks. It is limited to those where a significant amount of traffic is coming from a relatively small number of sources.
Furthermore, those sources must themselves be in some sense evil or corrupted. An attack based on inducing innocent and uncorrupted machines to send traffic to the victim would be traceable only to these machines, and not to the real attackers. A lengthy discussion of the possibility of flooding attacks using fake ITrace packets to fill host buffers and render the tool useless took place after the previous version of this document was issued.
The second approach, edge marking, requires that the two nodes that make up an edge mark the path with their IP addresses along with the distance between them. This approach would require more state information in each packet than simple node marking, but would converge much faster. They suggest three ways to reduce the state information of these approaches into something more manageable. Node a inserts its IP address into the packet and sends it to b. Upon being detected at b (by detecting a 0 in the distance), b XORs its address with the address of a.
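The edge-marking step described above, as an added example (not code from the cited work): each router marks with probability p, the next hop XORs its own address into a mark whose distance is still 0, and the victim recovers the path one XOR at a time. The router addresses, probability and packet count are constructed.

```python
import ipaddress
import random

def mark_packet(path, p, rng):
    """Run one packet through the routers in `path` (origin side first) and return the
    (edge, distance) fields the victim sees, or (0, None) if no router marked it."""
    edge, distance = 0, None
    for addr in path:
        if rng.random() < p:
            edge, distance = addr, 0       # node a starts a fresh edge sample with its address
        elif distance is not None:
            if distance == 0:
                edge ^= addr               # node b sees distance 0: XOR in its own address
            distance += 1
    return edge, distance

def collect_samples(path, p, packets, seed=7):
    """Constructed traffic: `packets` packets along `path`, each router marking with probability p."""
    rng = random.Random(seed)
    return [mark_packet(path, p, rng) for _ in range(packets)]

def reconstruct_path(samples):
    """Victim-side reconstruction: the distance-0 sample is the nearest router's own address;
    the edge at distance d is (router_d XOR router_{d-1}), so XORing with the previously
    recovered router yields the next one."""
    by_distance = {}
    for edge, distance in samples:
        if distance is not None:
            by_distance.setdefault(distance, set()).add(edge)
    if len(by_distance.get(0, ())) != 1:
        return []                          # no (or ambiguous) nearest router
    path = [next(iter(by_distance[0]))]
    d = 1
    while d in by_distance:
        candidates = {edge ^ path[-1] for edge in by_distance[d]}
        if len(candidates) != 1:
            break                          # several upstream neighbours (a branch): stop here
        path.append(candidates.pop())
        d += 1
    return path[::-1]                      # report origin side first, like `path` above

def ip_ints(*dotted):
    return [int(ipaddress.IPv4Address(a)) for a in dotted]

# Constructed six-router path from an origin network toward the victim.
PATH = ip_ints("198.51.100.1", "198.51.100.2", "203.0.113.1", "203.0.113.2", "192.0.2.1", "192.0.2.2")
```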