An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis

M. Elich, P. Velan, T. Jirsík, P. Čeleda
{elich|jirsik|celeda}@mail.muni.cz, petr.velan@cesnet.cz
The 7th IEEE Workshop on Network Measurements, Sydney, October


SLIDE 1

An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis

  • M. Elich, P. Velan, T. Jirsík, P. Čeleda

{elich|jirsik|celeda}@mail.muni.cz, petr.velan@cesnet.cz

The 7th IEEE Workshop on Network Measurements, Sydney, October 21-24, 2013

SLIDE 2

Part I Introduction

Petr Velan et al. An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis 2 / 21

SLIDE 3

Motivation and R&D Goals

  • What are the characteristics of IPv6 transition mechanisms?
  • What traffic is transported using IPv6 transition mechanisms?
  • What is the impact on native IPv4 and IPv6?

Goals

  • Improve existing framework accuracy/data gathering
  • Analyze collected flow data to find the answers

SLIDE 4

IPv6 Tunnels

SLIDE 5

Part II Monitoring Setup

SLIDE 6

Monitoring Setup

[Figure: monitoring pipeline. Packets → FlowMon Exporter with IPv6 Tunnel Plugin → IPFIX → IPFIXCol → raw data, filtering, aggregation, Top-N stats]

SLIDE 7

Packet Processing

Packet layouts:

  • IPv4 header | UDP header | optional Teredo headers | IPv6 header | IPv6 payload | optional Teredo trailers
  • IPv4 header | IPv6 header | IPv6 payload

ENVELOPE

  • SRC IPv4 Address, DST IPv4 Address
  • L4 Protocol, TTL
  • UDP SRC Port, UDP DST Port
  • + Geolocation + ...

INNER IPv6 TRAFFIC

  • SRC IPv6 Address, DST IPv6 Address
  • L4 Protocol, HOP Limit
  • L4 SRC Port, L4 DST Port
  • Teredo Headers, Teredo Trailers
  • + Geolocation + Tunnel Type + ...
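The field extraction on this slide, sketched as an added example (not the authors' FlowMon plugin code): it splits a raw IPv4 packet into the envelope fields and the inner IPv6 fields for both layouts, skipping optional Teredo headers. Assumptions: all function and key names are hypothetical, a tunnel is recognised by its IPv6 prefix (2001::/32 or 2002::/16) on one inner address, and the sample packet is constructed.

```python
import ipaddress
import struct

TEREDO_NET = ipaddress.ip_network("2001::/32")   # Teredo prefix (RFC 4380)
SIXTO4_NET = ipaddress.ip_network("2002::/16")   # 6to4 prefix (RFC 3056)

def inner_ipv6(buf):
    """Decode the fixed 40-byte header of the encapsulated IPv6 packet."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    plen, nxt, hop = struct.unpack_from("!HBB", buf, 4)
    return {"src6": ipaddress.IPv6Address(buf[8:24]),
            "dst6": ipaddress.IPv6Address(buf[24:40]),
            "l4_proto": nxt, "hop_limit": hop,
            "bubble": nxt == 59 and plen == 0}   # bubble: IPv6 header, no payload

def skip_teredo_headers(buf):
    """Skip optional Teredo authentication (0x0001) and origin (0x0000) headers."""
    off = 0
    while len(buf) - off >= 4 and buf[off] == 0 and buf[off + 1] in (0, 1):
        # authentication = 13 fixed bytes + client id + auth value; origin = 8 bytes
        off += (13 + buf[off + 2] + buf[off + 3]) if buf[off + 1] else 8
    return buf[off:]

def parse_tunnel(pkt):
    """Return envelope and inner fields of a Teredo/6to4 packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        return None
    rec = {"src4": str(ipaddress.IPv4Address(pkt[12:16])),
           "dst4": str(ipaddress.IPv4Address(pkt[16:20])), "ttl": pkt[8]}
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] == 41:                          # IPv6 carried directly in IPv4
        rec["tunnel"], net, inner = "6to4", SIXTO4_NET, inner_ipv6(body)
    elif pkt[9] == 17 and len(body) >= 8:     # UDP: candidate Teredo
        rec["udp_sport"], rec["udp_dport"] = struct.unpack_from("!HH", body)
        rec["tunnel"], net, inner = "teredo", TEREDO_NET, inner_ipv6(skip_teredo_headers(body[8:]))
    else:
        return None
    # Require the mechanism's IPv6 prefix on one side to limit false positives.
    if inner is None or not (inner["src6"] in net or inner["dst6"] in net):
        return None
    return {**rec, **inner}

def sample_teredo_bubble():
    """Constructed sample: origin indication + bubble, TTL 128, hop limit 21."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, 59, 21) + TEREDO_NET[1].packed + TEREDO_NET[2].packed
    udp = struct.pack("!HHHH", 3544, 50000, 8 + 8 + len(v6), 0) + bytes(8) + v6
    ip4 = bytes([0x45, 0, 0, 20 + len(udp), 0, 0, 0, 0, 128, 17, 0, 0,
                 192, 0, 2, 1, 198, 51, 100, 7])   # TTL 128, protocol 17 (UDP)
    return ip4 + udp
```

Matching on the inner prefix means Teredo packets whose inner addresses are both link-local (for example router solicitations to a Teredo server) are not reported by this sketch.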

SLIDE 8

Part III Traffic Analysis

SLIDE 9

Monitored Links

SLIDE 10

Dataset

IPFIX Flow Data

  • Collected over 7 days in January 2013
  • No sampling
  • Size of 2.45 TB
  • ∼ 34 billion flows

Per Flow Information

  • Regular flow information
  • Encapsulated flow information (as IPFIX Enterprise elements)

SLIDE 11

Analysis

We analysed the following characteristics:

  • Location of IPv4, IPv6 and tunnel endpoints
  • CCDF of flow duration, packets per flow, packet size
  • TTL distribution of IPv4 and IPv4 tunnel traffic
  • HOP distribution of IPv6 and encapsulated IPv6 traffic
  • 6to4 and Teredo frequency
  • Port number frequency
  • Teredo Servers

SLIDE 12

CCDF – Highlights

Generally

  • Most flows are shorter than 10 seconds

Tunneled Traffic

  • Fewer short duration flows than IPv4 or IPv6 traffic

Encapsulated Traffic

  • Smaller number of packets larger than 400B

[Figure: CCDF P[X>x] of bytes per packet (128 to 1500 bytes) for TCP/UDP encapsulated traffic, all encapsulated traffic, native IPv6 traffic and IPv4 traffic]

SLIDE 13

TTL distribution

[Figure: TTL distribution, flows (%) by TTL value, for all IPv4 traffic and tunnel traffic, with the Linux and Windows TTL ranges marked]

SLIDE 14

TTL distribution

IPv4 traffic containing IPv6 payload

  • Windows traffic accounts for 60.3 % of the total traffic
  • Linux machines account for 23.8 %
  • 6to4 traffic from anycast addresses (TTL 255) accounts for 3.8 %
  • TTL 1 – 32 makes up 12.2 %

IPv4 Traffic

  • Larger portion of Linux traffic
  • TTL values of 32 and 255 are not as significant

SLIDE 15

HOP distribution

[Figure: HOP limit distribution, flows (%) by HOP value, for IPv6 tunnel traffic and native IPv6 traffic; annotated peaks: Teredo bubble, Linux + Windows, IPv6 NDP]

SLIDE 16

HOP distribution

Native and Tunneled IPv6 Traffic

  • HOP limit of 51 – 64 is most frequent.

Tunneled traffic

  • Values are distributed with much less entropy
  • Limits 21, 64, 128 and 255 are the most frequent
  • Value 21 is used for Teredo bubbles by Windows
  • Value 255 is used for IPv6 neighbor discovery messages
  • Traffic never traversed the IPv6 network ⇒ HOP limit untouched

SLIDE 17

Location of Tunnel Endpoints

[Figure: tunnel endpoint locations by country, flows (%); one panel for sources (Teredo, 6to4) and one for destinations (Teredo, 6to4)]

SLIDE 18

Historical Comparison

Historical Traffic

  • We measured tunneled IPv6 traffic in 2010
  • CESNET links to SANET, PIONIER and NIX

Comparison

                   2010               2013
                   flows    bytes     flows    bytes
Tunneled IPv6      1.5 %    0.66 %    1.5 %    1.28 %
Native IPv6        0.1 %    0.21 %    3.4 %    4.42 %
HTTP(s), DNS       1.0 %    •         5.5 %    • %

SLIDE 19

Part IV Conclusion

SLIDE 20

Conclusion

Summary

  • Tool for investigating IPv6 tunneled traffic
  • Teredo and 6to4 traffic behavior
  • Understanding of encapsulated IPv6 traffic

Future Work

  • Security analysis of tunneled IPv6 traffic
  • Detection methods development

SLIDE 21

Thank You For Your Attention!

  • P. Velan

petr.velan@cesnet.cz

  • M. Elich, T. Jirsík, P. Čeleda

{elich|jirsik|celeda}@mail.muni.cz

An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis

IPv6 Tunnel Monitoring Plugin

http://www.muni.cz/ics/920232/web/ipv6-tunnel-plugin
