Zürich, ZH, November 18, 2014
chkroute – A tool for route compliance analysis
Daniel Dönni
Department of Informatics IFI, Communication Systems Group CSG, University of Zürich UZH
© 2014 UZH, CSG@IFI
Introduction
The Snowden affair revealed that a significant amount of Internet traffic was being intercepted by intelligence agencies.
One possible countermeasure suggested by European politicians was to introduce ‘Schengen Routing’.
‘Schengen Routing’ refers to the idea of ensuring that traffic exchanged between two hosts located in the Schengen zone does not leave the zone.
Introduction II
Research trying to quantify the amount of traffic that leaves the Schengen area is limited.
According to [1], the share of such routes amounts to 0% – 35%.
A tool which allows the end-user to verify whether a route leaves the Schengen zone does not exist yet.
chkroute is the first tool specifically designed for Schengen routing compliance checking.
Related Work
The only work which specifically addresses Schengen routing is [1]. It suggests that
– 0% (Iceland) – 35% (Belgium) of routes headed for Schengen leave the zone.
– Switzerland ranks 3rd (23%) among all Schengen countries.
– The work is based on BGP tables and Maxmind data [5].
Relevant topics with respect to Schengen routing are
– Network topology discovery
– Geolocation of IP addresses
Related Work II (Topology Discovery)
Network topology discovery
– Layer 2: Physical Connectivity, e.g. Ethernet [2], [4]
– Layer 3: Can be subdivided into 4 areas [3]
  1. IP Interface Level
  2. Router Level (after alias resolution)
  3. PoP Level (Groups PoPs)
  4. AS Level (Groups ASs)
– Layer 3+: Overlay networks, e.g. P2P [3]
Broad range of research available
– Practical: Development of tools
– Theoretical: Mathematical models
Related Work II (Geolocation)
Geolocation
– Mechanisms that try to find the geographic location of an IP address.
– There are two main approaches [6]
  • Active: Latency driven
  • Passive: Database driven
– A major problem: Accuracy of the data
  • Less than 20% are within 10km of the actual position [6]
  • 80% deviate by 100km – 1000km [6]
  • Substantial improvements using university campus locations (median deviation: 690m) [7]
chkroute Demo
chkroute is a tool developed to verify routing compliance.
Brace for demo…
chkroute Architecture
chkroute Process I
1. Running traceroute towards target server
chkroute Process II
2. Running query against compliance DB
chkroute Process III
3. Evaluating result
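The three process steps above, as an added Python example that is not chkroute's own code: the compliance DB is modelled as a constructed prefix-to-country table, the traceroute output is a constructed sample, and the three verdicts (compliant, non-compliant, undetermined) are an assumption of this example.

```python
"""Added example, not chkroute's own code: the slides' three steps (traceroute,
compliance-DB query, evaluation). Assumptions: the DB is a constructed prefix ->
country-code dict (GeoIP style); the traceroute output is a constructed sample."""
import ipaddress
import re

SCHENGEN = {"AT", "BE", "CH", "CZ", "DE", "DK", "EE", "ES", "FI", "FR", "GR",
            "HU", "IS", "IT", "LI", "LT", "LU", "LV", "MT", "NL", "NO", "PL",
            "PT", "SE", "SI", "SK"}  # Schengen members as of 2014
COMPLIANCE_DB = {"192.0.2.0/24": "CH", "198.51.100.0/24": "DE",  # constructed
                 "203.0.113.0/24": "US"}                          # prefix -> ISO code

# Step 1 output: constructed traceroute run (in practice: `traceroute <target>`).
SAMPLE_TRACEROUTE = """\
traceroute to example.test (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.test (192.0.2.1)  0.412 ms  0.389 ms  0.371 ms
 2  198.51.100.7  5.120 ms  5.002 ms  4.990 ms
 3  * * *
 4  203.0.113.10  98.331 ms  98.210 ms  98.100 ms
"""

def parse_hops(output):
    """Parse traceroute output into (hop, ip) pairs; '* * *' hops give ip None."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)  # the 'traceroute to ...' header is skipped
        if m:
            ip = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", m.group(2))
            hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def lookup_country(ip):
    """Step 2: compliance-DB query, longest-prefix match; None if unmapped."""
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, COMPLIANCE_DB) if addr in n]
    return COMPLIANCE_DB[str(max(hits, key=lambda n: n.prefixlen))] if hits else None

def evaluate(hops):
    """Step 3: compliant only if every hop is Schengen; outside -> non-compliant; unknown -> undetermined."""
    verdict, details = "compliant", []
    for n, ip in hops:
        cc = lookup_country(ip)
        status = "unknown" if cc is None else "schengen" if cc in SCHENGEN else "outside"
        if status == "outside":
            verdict = "non-compliant"
        elif status == "unknown" and verdict == "compliant":
            verdict = "undetermined"
        details.append((n, ip, cc, status))
    return verdict, details
```

A hop that does not answer (`* * *`) or is missing from the DB can never make a route compliant, only undetermined; this matters because geolocation data is itself unreliable, as the previous slides note.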
Selected Issues
Definition of the location of Schengen
– Possibility 1
  • “An IP address is considered to be in Schengen if the host owning the respective NIC is geographically located in Schengen.”
  • Problem: What if packets are forwarded by a backbone provider which has PoPs in Schengen but is operated from outside Schengen?
– Possibility 2
  • “An IP address is considered to be in Schengen if the host owning the respective NIC is owned by a company headquartered in Schengen.”
  • Problem 1: Is reliable corporate information available?
  • Problem 2: What if a large backbone provider has a subsidiary in Schengen? Should it count as a Schengen company?
Questions
Questions?
References
[1] N. Pohlmann, “Secure Communication and Digital Sovereignty in Europe”, ISSE 2014 Securing Electronic Business Processes, 2014
[3] B. Donnet et al., “Internet Topology Discovery: A Survey”, IEEE Communications Surveys & Tutorials, 4th Quarter 2007
[4] Y. Breitbart et al., “Topology Discovery in Heterogeneous IP Networks”, Proc. IEEE INFOCOM, Mar. 2000
[5] Maxmind, http://www.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz. Last access: 9.11.2014.
[6] I. Poese, “IP Geolocation Databases: Unreliable?”, ACM SIGCOMM Computer Communication Review, Volume 41, Number 2, April 2011
[7] Y. Wang, “Towards Street-Level Client-Independent IP Geolocation”, USENIX, 2011