Node Alias 192.168 ll ptcl Resolution

Introduction Summary for 192.168 ll ptcl

A brief introduction to the IP 192.168 2.1 1 alias resolution problem and this article. What is alias resolution. Alias resolution, also known as IP alias resolution or node alias resolution is a process of resolving which interfaces belongs to a particular node in the topology graph of a computer network. Because alias resolution is not supported by any network protocol, like 192.168 ll ptcl, used methods are only heuristics. By far the most usual level at which computer network topologies are studied is OSI layer 3 level, usually referred as router level because of routers (devices operating at layer 3) being the devices that mostly interconnects networks. Hence if a router level topology is desired, the aim of the alias resolution process will be to find out which interfaces (usually observed by traceroute tool), represented by their IP addresses, belongs to a single particular router.

That is why this type of alias resolution is often referred as IP alias resolution. If studying computer networks at another level, it is desired to obtain a different view of the network topology. An example may be a geographical topology, where a node may represent a POP location of an ISP, or an ISP level topology, where a node may represent whole single ISP. Processes leading to such topologies may also be referred to as alias resolution techniques.

However, router level topology, being the most precise computer network topology we can get by measuring via standard network protocols, is the most often desired, most often studied and probably the most interesting topology. Therefore the IP alias resolution is exhaustively studied by various research groups, and therefore this article is also focused on IP 192.168 ll ptcl alias resolution. Why IP alias resolution is needed. When obtaining router level network topology, usually the traceroute tool is used for observing edges (interfaces or IP 192.168 2.1 1 addresses) and vertices (links) of the desired graph.

If the measurement infrastructure contains single vantage point from where the traceroute tool observes the network, theoretically no alias resolution is 1 1 Introduction needed. However, due to routing policies used in Internet, it is impossible to obtain reasonable network topology with this approach as shown by Teixeira. As soon as multiple vantage points are used1 to obtain the set of links and interfaces, it is not possible to infer the topology from obtained dataset without additional analyses.

This is due to the limitations of the traceroute tool and the protocol it is build on, as described later in this article. Among others, a critical step in analyzing the traceroute dataset is the IP alias resolution. Without it, the resulting topology will contain too many nodes and links, and will be of little or no use at all as shown by Gunes and Sarac in and, or by Willinger et. al. Why improved IP 1921688655 alias resolution techniques are needed. While it is more that 10 years since the first alias resolution methods where developed, still the most state of the art techniques of today have significant drawbacks.

In practice this leads to approaches that combines known methods, while original methods are being improved and even new are being developed in an effort to reach as accurate network topologies as possible. Yet no method or approach is reliable enough to provide a network topology that match the reality. While the accuracy of the alias resolution method is crucial, it is not the only property that is evaluated. There are others, like the amount of probes used if actively measuring, obtrusiveness of measurement or how much time it takes to provide reliable results. Therefore, the research in this area is still actual and dynamic.

The content of this article. First, an analysis of several key terms used and referred by the alias resolution methods is provided. Second, the basic methods and techniques are explained. Finally original contribution of this article is presented, its theoretical basis, practical implementation and evaluation. Or other techniques, like loose source routing, are used to simulate more vantage points 2At least in cases where the real underlying network topology was known when evaluating performance of described methods.

Discussed terms may not seem to be closely related to alias resolution but are crucial in understanding the limitations and shortcomings of various alias resolution techniques. 1.1 UDP and TCP probes Probing. Throughout this article, by a probe, a measurement packet will be understood. Its purpose is soliciting a request which will eventually provide desired information.

TCP probes. Probing in alias resolution methods is usually aimed to routers. Because routers are meant to work purely on Network Layer and TCP is a Transport Layer protocol, it is not possible to start and maintain a TCP192.168 ll ptcl connection with a router. Although most routers are able to do so (provides services running even on Application Layer), due to security reasons it is restricted for administration use only.

Therefore if sending TCP probe it is usually just TCP SYN packet, soliciting TCP RST packet in response (e.g. used by Bender et al. in), as hosts may be configured to send TCP RST packets if TCP communication is blocked by firewall. An TCP RST packet is a full TCP packet and it may contain valuable information. UDP probes. UDP packets are significantly smaller than TCP packets, thus UDP probes are used more often in measurement, unless hosts are not less responsive (or some TCP header field value is needed). Quite surprisingly, Bender et al. in a recent study claimed routers to be more responsive to TCP probes. Comparison of TCP, UDP and ICMP probe responsiveness is discussed in the last chapter of this article. 3 1 Key terms

ICMP, TTL and Pin 192.168 ll ptcl CMP

ICMP is an Layer 3 network protocol, widely used in Internet, defining control and error messages. It is commonly used by various tools to reveal some properties of computer networks, such as delays between end hosts or the topology of a network. Messages. ICMP messages, either requests or replies, are encapsulated in a single packet. The header of the ICMP packet has following structure: Types of ICMP 1921688655 messages are denoted by the Type field in the header of each ICMP packet. The Code field may denote further message type subdivision. Four important messages those will often be mentioned throughout the article are:

• Echo Request

• Echo Reply

• Destination Unreachable

• Time Exceeded Echo Request and Reply

These two messages are at the heart of the ping tool. According to RFC 1122 these messages should always be processed: Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies. However, due to frequent DoS attacks (e.g. Smurf attack) leveraging from this convention, echo messages are often blocked on the end hosts by their firewalls. This turned out to have unfortunate consequences for tracert tool on Windows family operating systems, because Echo Request message is sent on 4 Bits 1921688655 Type Code Checksum 192 ID Sequence Figure 1: ICMP header 1 Key terms the last hop.

Unix/Linux type operation systems uses UDP 1921688655 packet sent to 33434 or 33534 port for the last hop of their traceroute tool (soliciting Destination Port Unreachable message), therefore the lack of Echo messages support is not a serious concern. Fortunately, probably because of protocol’s crucial part in troubleshooting computer networks, important ICMP packets are usually not being ignored by routers (as opposed to end hosts). In experiments run by Burch in 2002, only 66% of 192.168 2.1 1 IP addresses where responsive to UDP packets, while 92% were responsive to ICMP Echo Requests. Destination Unreachable. This message type has many subtypes. Depending on the Code field of the header, the Destination Unreachable message bears various meanings:

• Destination Network Unreachable

• Destination Host Unreachable

• Destination Port Unreachable

• Destination Host Unknown

• etc. In some alias resolution techniques, the Destination Port Unreachable message is used

An example is a technique used by Pansiot and Grad referred as Source Address method in this article. The method exploits following behavior specified in RFC 1812: Except where this document specifies otherwise, the IP source address in an ICMP message originated by the router MUST be one of the IP 192.168 2.1 1 addresses associated with the physical interface over which the ICMP message is transmitted. This can not be achieved by Echo type messages, as in the ICMP protocol 192.168 ll ptcl specification there is explicitly stated that: The IP source address in an ICMP Echo Reply MUST be the same as the specific-destination address … of the corresponding ICMP Echo Request message. In fact, in experiments run by Barford et al. a suspicion was raised that not all routers conforms the rule for returning ICMP 1921688655 messages (i.e. the Destination 5 1 Key terms Port Unreachable message used the destination address as its source address, instead of the address of outgoing interface).


To prevent packets for eventually looping forever in network, each IP packet has an 8-bit TTL (Time To Live) field in the header. When creating original packet to send, this field is set to some value from interval (0,255>. As stated in RFC 1812: When a router forwards a packet, it MUST reduce the TTL by at least one. If it holds a packet for more than one second, it MAY decrement the TTL by one for each second. The second rule is introduced due to the fact that initially TTL was meant to be a second counter. However, nowadays a hop lasts for less than a second and TTL is considered to have pure hop count meaning and implementation.

Still, care have to be taken when relying on the assumption that each hop represents a single point-to-point 1921681124 link as some devices, due to this rule or due to misconfiguration or malfunction, are not handling TTL in the correct manner. The protocol does not specify the initial TTL values, it is left for the implementation of the network stacks of specific operating systems. Therefore initial TTL3 is considered useful for passive fingerprinting. It is also used to establish the hop distance of the remote host (this is used in some alias resolution methods).

Unfortunately there are only few values used as initial TTL (common are: 30, 32, 60, 64, 128, 150, 255), with most common, by factor of almost 4, being the 255. Time Exceeded message. As a router receives a packet, it checks, whether the router itself is the packet’s destination. If not, it decrements TTL. If TTL is 0 after decrementing, the packet is discarded and Time Exceeded message is generated and sent back to source. If TTL is not 0 packet is sent further to the network. Rate limit. Due to attacks mentioned above, some ICMP messages are ignored and some are rate limited. For example, a common restrictions are to 3 It can be inferred from the TTL value of the packets returned from remote host. 6 1 Key terms not reply to Address Mask Request message or to send only one Destination Unreachable message per second.


The purpose of the traceroute tool is to discover routers residing between source (host issuing traceroute) and destination (target of traceroute). It does so by sending UDP datagrams or Echo requests to the destination, while incrementing initial TTL from 1 continuously until the destination is reached. First message, having TTL set to 1, only reaches first router.

There it is discarded (as after decrementing the TTL will be 0) and Time Exceeded message is sent back to source. The traceroute tool at the source host then inspects source address in the Time Exceeded packet and presents it as the first hop (or router 192.168 ll ptcl ) on the way to destination. Then it sends second message, with initial TTL set to 2, obtaining the second hop and so on. In some implementations, the traceroute tool sends several probes in parallel to speed up the process. Traceroute’s drawbacks.

Although traceroute is widely used as a main topology discovery tool Mainly:

• Probes blocked by firewalls.

• Load balancing may cause incorrect traceroute output.

• Presence of anonymous routers in output.

• Sampling bias if used as topology discovery tool.

This led to a development of many versions of traceroute tool (LBL traceroute, tracert, Paris traceroute, tcptraceroute, Paratraceroute, etc.). Lakhina et. al, presented a paper showing the traceroute-based approach introduces a significant bias to the measurement. They argue that the Internet can not be modeled as a power-law random graph, although it may seem so from collected traceroutes. In such a graph, the degree distribution of nodes follows a distribution with a powerlaw tail.

One of the differences is the way in which the destination is contacted (or how the last hop in traceroute output is obtained). As stated, the last hop of traceroute is usually measured with sending UDP packets to some high numbered port (where no application is likely to listening) or Echo requests. In fact there are many more methods. For instance a TCP 192.168 2.1 1 packet can be sent to a port where applications tends to be running (like port 80).

This techniques are used no only to avoid firewalls, but also to support better reply-to-request packet matching. Avoiding load balancing. As for alias resolution traceroute is a prerequisite, not an integral part, details of various implementations of traceroute tools will not be covered in this article. Nevertheless the load balancing problem have to be emphasized, as it may introduce serious anomalies to measurement and so may cause errors in alias resolution methods if not taken into account. To match an UDP packet request with its reply, often the port number is used, because UDP 1921681124 is a connectionless protocol and so nowhere is stated that the source address of the reply will be the same as the destination address of the request (this happens often, as observed by Burch in. Each packet in traceroute is then sent with another port number.

This has a negative consequence, that the checksums of these packets, computed by router’s load balancer, will not be the same. Therefore the load balancer may sent packets belonging to the same traceroute by various links. When using traceroute output, it is usually assumed5 that the sequence of hops constitutes a true sequence of routers and links between them, or a real path the packet took to destination. This is only true if all packets of the traceroute were identically routed. As load balancer may not follow this expectation, some routers that are one hop from each other in the traceroute’s output may not actually be connected by single link in the real topology. 5 This is assumed in analytical (or graph based) alias resolution techniques.

Key terms Paris traceroute is a tool that avoids this by using other techniques for reply-to-request packet matching, leaving the checksummed part of the packet unchanged. Still, if a per packet load balancing is used this will not avoid erroneous traceroutes. Anonymous routers. Anonymous routers, referred as *.*.*.* in traceroute output, are a serious problem for topology inferring based on traceroute. Consider, that such 192.168 ll ptcl routers can not be probed (as they are unresponsive) and can not be distinguished among other anonymous routers in other traceroutes. Therefore if a topology graph is to be the result of the measurement, each instance of anonymous router have to be a separate verticle.

This may lead to a topology far from reality. Unfortunately, it is not easy to deal with this problem. In a paper by Yao, et al., a sophisticated technique is provided, while they show it is an NPcomplete problem. An easy 1921681124 but not reliable approach is to use bisimilarity, meaning that each anonymous router, that has the same predecessor and successor among all obtained traceroutes, is considered the same one and so is represented by a single verticle in the topology graph. The disadvantage is, that with this approach each anonymous router in the resulting topology will have exactly two neighbors. This may often be a false representation. However this approach may be sufficient. It was used by Bilir et al. during topology measurement.

If two consecutive unresponsive routers were observed, these were clustered and bisimilarity was used upon such a cluster. If more than two consecutive unresponsive routers were observed, the trace was discarded. Topology sampling algorithms. Last problem that should be mentioned is the algorithm used for issuing traceroutes when discovering network topology. At first it may seem to be sufficient to use the naïve algorithm and to start collecting traceroutes to chosen IP 192.168 2.1 1 addresses.

But first, IP addresses to trace have to be chosen. There are several ways:

• Addresses of web servers.

• Using algorithm for inferring IP addresses (e.g. starting from local network). 9 1 Key terms

• Using BGP feeds to obtain existing networks.

• Other. If a naïve algorithm will be used on a Internet scale, soon critical issues will arise:

• Sampling takes too long. No topology map that is obtained in more than a couple of days may be consistent, as Internet topology may change fast.

• Extensive sampling triggers IDS alarms in end networks.

• Many traces takes the same path (providing no new information).

Most of the traces goes through the same routers at first hops (may be evaluated as DoS attack). Considering this problems, building a solid sampling platform is a challenging task. Interesting algorithms have been developed to avoid these issues. For instance Tangmunarunk et. al developed a method called Informed Random Address Probing to guess addressable subnets (while developing the Mercator tool 1921681124 ). Donnet et. al introduced Doubletree algorithm, where: The key ideas are to exploit the treelike structure of routes to and from a single point in order to guide when to stop probing, and to probe each path by starting near its midpoint.

Also Zeitoun and Jamin shown an algorithm to rapidly discover responsive networks. Spring et. al  in their topology discovery tool Rocketfuel, use AS router clustering and BGP routing tables to direct probes in a way which exploits the assumed rule that a packet coming to an AS from network N1 with a next-hop-network being N2 will always take the same path through the AS. These algorithms can reduce the amount of needed traceroutes by orders of magnitude making the measurement unobtrusive and able to execute in one day. Of course, these techniques makes the sampling a non-trivial task in the topology discovery effort. 10 1 Key terms


Description. IPID is a 16-bit field in IP 192.168 2.1 1 packet header, originally referred to as Identification in RFC 791. It was introduced due to fragmentation of packets. If packet has to be fragmented, each fragment of the same packet has the same IPID value. This helps in reassembling the packets at the destination host. Why IPID is interesting in general. The design of TCP/IP stack lacks support for measurement of many crucial network characteristics, yet even the available support is being less and less provided due to security reasons (network characteristics, topology being one of them, are considered confidential and some properties of TCP/IP protocols are being exploited for malicious attacks). This even led to design of special measurement protocols, like IPMP or Hash-based IP traceback.

However until such protocols are widely supported, community has to operate with what is still available. As various other IP packet header fields and options came under the spotlight of the research community with intention to use them for measurement of network properties, recently many experiments show the usefulness of IPID field. Uses in measurement. It was used for: • Inferring the amount of internal (local) traffic generated by a server, the number of servers in a large-scale, load-balanced server complex and the difference between one-way delays of two machines to a target computer.


Implementation of 192.168 ll ptcl

There is nothing stated in RFC 791 about how the IPID distribution mechanism should be implemented. Therefore its implementation depends on decisions made in various operating systems. It may be simple incremental counter, either incrementing by 1 or by some constant. It may 11 1 Key terms also be a pseudo-random number, or it may even be a constant (at least initially set by OS). Usually there is a global counter, sometimes there is a separate counter for each interface or network stack running. Observed behavior. Usually, to exploit the IPID field, the mentioned techniques needs the IPID distribution mechanism to be implemented as a sequential counter. Therefore a throughout analysis have been done in various research works about how IPID is behaving in Internet.

Before looking at measuring results it is important to emphasize that as IPID is a 16-bit field, there are only 65536 possible values. Any measurement that tries to determine the rate at which an IPID counter increments has to deal with the fact that if measurement takes too long or the host increments counter too rapidly, the counter will eventually wrap. If counter was reseted during measurement, it will probably be incorrectly presented as pseudorandom counter. Analogically, if a counter is pseudo-random and successive probes coincidentally solicit responses with increasing IPID values, such a counter will incorrectly be presented as normal, or high-rate counter. Distribution of counter implementations.

While developing RadarGun alias resolution tool, Bender et al. observed following distribution of IPID implementation mechanisms among 9 056 hosts. Distribution of counter rates. The rate at which counter is incrementing depends on implemented mechanism (e.g. some Windows family operating systems increments by 256) and on actual host’s load (the more packet it sends the more times it increments the counter).

Unresponsive (less than 25% replies) 4 240 (46,8%) Linear 2 841 (31,4%) Non-linear 968 (10,7%) ICMP Destination Unreachable 698 (7,7%) IPID always 0 208 (2,3%) Reflects the IPID of probe 101 (1,1%) Figure 3: Results for hostname heuristics. 1 Key terms In measurements executed by Bender et al., no host incrementing the counter linearly was incrementing at higher rate than cca 900 per second. In results of measurements by Burch 1% of hosts were constantly sending IPID of value 0. After discarding these hosts, 79% of hosts were incrementing at a rate slower than a few per second and 96% change at slower than 100 per second.

Loose source routing and record route option

Description. An IP 192.168 2.1 1 packet header may contain a field named Options. Among others, there are following options:

• Loose Source and Record Route

• Strict Source and Record Route

• Record Route Loose Source and Record Route.

If this option is present, it is followed by a list of via-points. These are IP addresses of routers the packet have to visit. Initially, the packet is routed in a standard way, based on the Destination Address field of the header.

If the destination is reached, the first address from the via-points list is set as new Destination Address value. Current router address will be placed at the beginning of the via-points list, instead of the first via-point taken. This replacement ensures the packets has the same size as before. Finally, the pointer that points to the next via-point is incremented to point to the second address in the list. The packet is then routed as before, based on the Destination Address field of the header, until it arrives to that destination, and the process repeats. After the packet visits the last via-point in the list, the pointer will point to address outside the option field. Such packets are routed by the Destination Address field, meaning the last via-point actually have to be the desired destination.

This option is different from the previous in only one rule: the specified via-points represents the exact path the packet have to take, meaning the router always needs to have the next via-point as direct neighbor. Because of its strictness, using this option is only possible if exact knowledge of the network topology is available. Moreover, the limit of the overall IP 192.168 2.1 1 header size also limits the number of possible via-point to 9, thus this option can only be used for navigating the packet for 9 hops. Therefore this option is rarely used. Record Route.

This option enables the recording feature of the previous presented options for standard packets (without loose or strict routing). Each router the packet traverses inserts its own address into the list. The size of the list is initially set by the source of the packet and is initially empty. If some of the routers finds out that the list is full, it just forwards the packet as normally. A question may arise, which one of router’s addresses is inserted into the list. The option definition is stating that: The recorded route address is the internet module’s own internet address as known in the environment into which this datagram is being forwarded. This basically means that router should insert the address of the outgoing interface.



TOPlist TOPlist VIPLOG database valid