• HOME
  • About
  • Program Plan
  • Annual Report
  • Joining CAIDA
  • Staff
  • Jobs
  • Legal Agreements
  • How-To
• RESEARCH
  • Routing
  • Topology
  • DNS
  • Security
  • Traffic Analysis
  • Policy
  • Visualization
• DATA
  • Overview
  • Data Sharing
  • How-to
  • Data Usage FAQ
  • Papers using CAIDA Data
• TOOLS
  • Measurement
  • Taxonomy
  • Utilities
  • Visualization
• PUBLICATIONS
  • Papers
  • Presentations
  • Animations
  • Visualizations
  • Bibliography
  • Posters
• WORKSHOPS
  • ISMA
  • CAIDA-WIDE-CASFI
  • DANCES
  • External
  • Archive
• PROJECTS
  • Macroscopic Topology
  • PREDICT
  • Interconnection Economics
  • Named Data Networking
  • Day in the Life
  • IMDC
  • Ark
  • Network Telescope
  • Coralreef
  • IIC Wiki
  • COMMONS
  • IPNC
• FUNDING
  • iLENS
  • Cybersecurity
  • Routing
  • Named Data Networking
  • Economics
  • Telescope
  • IRNC-SP
  • DatCat
  • PREDICT
  • Program Plan

During the course of implementing the IP Prespecified Timestamp (TSPS) dealiasing technique described by Sherry in "Resolving IP Aliases with Prespecified Timestamps", we discovered many different router stamping behaviors which we investigated in an attempt to better understand the reasons why the technique works, and how we can have more confidence in it's results. We also evaluate the usefulness of this technique with respect to macroscopic IP dealiasing projects. This document outlines the results discovered; we plan to write a paper which describes this work more comprehensively.

Stamping Behaviors

The original authors list seven possible stamping behaviors: Unresponsive, Extra Stamp, Zero Stamp, One Stamp, Two Stamps, Three Stamps, and Four Stamps. Of these, they only provide a justification for the Extra Stamp behavior. After careful probing and utilizing groundtruth data, we can, with some confidence, comprehensively describe the causes for almost all of the stamping behaviors we observe.

We make a distinction between the observed stamping behavior and the underlying behavior. Our investigations have confirmed three common underlying stamping patterns which manifest as eight observed stamping behaviors depending on their combination with other factors. We also have some evidence of other underlying stamping behaviors, but do not have groundtruth data to support our claims.

Confirmed Underlying Stamping Behaviors

• Four Stamp - Greedy
  
  The prespecified timestamp dealiasing algorithm works best, that is, has the most confidence, when the address are those which stamp four times, for any interface that is on the router. We determine that this behavior is not the common case, and is in fact likely a characteristic of Juniper routers.
• Two Stamp - Destination/Egress
  
  Sherry states that two stamp is the most common stamping behavior (22.2% of their sample), but makes no explanations for the cause of this. Our investigations allow us to confirm two different types of two stamp routers. The first is Destination/Egress. That is, one stamp is provided for the destination address, and the second is for the egress interface. We observe this behavior on Cisco 12000 series routers.
• Two Stamp - Ingress/Egress
  
  The second type of underlying two stamp behavior we identify is Ingress/Egress. This is where the router stamps once for the ingress interface, and once for the egress interface (in that order). We observe this behavior on Cisco 6000 series routers.

Suspected Underlying Stamping Behaviors

• Four Stamp - Lazy
  
  In addition to the three above behaviors that we are able to confirm using ground-truth data, we also see anecdotal evidence for another type of four stamp behavior which is a router which stamps four times for some interfaces, but not for others. The extreme of this is where a router will stamp four times only for a single interface (we have no indication whether this is the destination, ingress or egress). We do have some inferred evidence that there are also routers which stamp four times for a subset of interfaces, but not at all for others (this behavior is not always commutative either).

Observed Stamping Behaviors

• Unresponsive
  
  A target which does not respond to TSPS probing can be caused by two things - either it does not respond to probing at all, or it does not respond to probing with the timestamp option. Our experiments made use of targets which have previously been responsive to probing, so the likely cause of non-responses is due to configurations where the router drops packets with timestamp options, or the network has changed such that the target is no longer reachable. In testing, we find that roughly 4% of targets which respond to regular ICMP probes, do not respond to ICMP probes with the timestamp option. This fraction does vary between vantage points due to filtering which is described in the "Vantage Points" section below.
• Inconsistent
  
  Inconsistent stampers are addresses which exhibit different stamping behaviors across probes. This phenomenon is ignored by Sherry. Our investigation indicates that inconsistent stamping is caused by a combination of load balancing (which always manifests as per-packet when packets contain IP options) and one of the Two Stamp underlying behaviors. For example, if a router has two egress interfaces, A and B, and stamps following the Destination/Egress pattern described above, a probe (A|AAAA) will elicit two stamps when A is used as the egress interface, but only one stamp when it is not. If the router exhibits the Ingress/Egress stamping behavior, then it is possible to see either zero (A is neither the ingress nor the egress), one (A is either the ingress or the egress interface), or two (A is both the ingress and the egress interface) stamps.
• Extra Stamp
  
  The Extra Stamp behavior is the only observed behavior that Sherry gives reasoning for the underlying cause. They note (in "Applications of the IP Timestamp Option to Internet Measurement") that this behavior is observed on all Linux hosts that they tested. Our investigation of this bug leads us to believe that it has been fixed in the Linux kernel since March 27, 2011. See this kernel netdev message for more information about the patch.
• Zero Stamps
  
  The observed Zero Stamp behavior can actually be caused by one of three things: routers stripping IP options; the target ignoring IP options; Two Stamp Ingress/Egress stamping where neither of the ingress or egress are specified.
  • It is possible for IP options to be stripped from a probe at any hop along the forward or reverse path to a target. Our investigations indicate that in practice, this is only observed at the target. That is, when the target forms the ICMP Echo Reply packet, it neglects (we do not know whether this is intentional or not) to copy the IP options portion of the header. This does not follow the RFC for ICMP Echo Reply handling by routers which states that "Data received in an ICMP Echo Request MUST be entirely included in the resulting Echo Reply." (RFC 1812).
  • Probably the most common cause of the observed zero stamp behavior is routers which simply do not stamp packets. According to Cisco documentation, this is a configuration option, "ip option ignore", to the "IP Options Selective Drop" feature on selected Cisco routers. See the ACL IP Options Selective Drop documentation for further information.
• One Stamp
  
  The one stamp behavior is caused by one of two underlying behaviors. The first is a router which fits into one of the Two Stamp underlying behaviors, but the egress interface does not match the 'second' address in the prespecified list. That is, the first address is stamped for because it is either the destination (for the Destination/Egress behavior), or it is the ingress, but then the second address is not stamped because it does not match the address of the egress interface for the reply packet. The second possibility is that there are routers which simply do just stamp once. They check that the next address in the list meets some criteria (e.g. the address belongs to an interface on the router), and then stamps for it, but does not check any further. While we can imagine this situation, we do not have any groundtruth data to support the hypothesis and as such can neither prove, nor disprove it.
• Two Stamp
  
  The observed Two Stamp behavior is one of the results from which aliases can possibly be declared. Unfortunately, our investigations suggest that this behavior is entirely subject to the path that the probe packets take out of the router. The only possible way to get two stamps back for a (A|ABAB) probe is for B to be the address of the egress interface. If the router exhibits the Ingress/Egress behavior, A must be the ingress interface also. Because of this, it follows that using a distributed set of vantage points to probe targets may allow more candidate pairs to be dealiased than when using a single vantage point. This is because multiple vantage points are likely to take different paths across the router, and as such, the chances of correctly specifying the egress interface as the second address in the probe are increased. We also suggest that using an intelligent probing coordinator may allow the vantage point to be selected based on inferences about the egress interface that is used. For example, if (A|AAAA) probes are sent from all vantage points, the vantage points which reply with two stamps likely use A as the egress interface. If they are also Destination/Egress stampers, we are more likely to be able to probe from them, coupling A with other candidates in (x|xAxA) probes.
• Three Stamp
  
  We have not been able to discover the cause for the Three Stamp behavior. It is only observed in 0.01% of interfaces, and of those that were discovered, appears to be concentrated in routers which are owned by BIT, a Dutch ISP. This seems to indicate that it is perhaps a behavior specific to some small hardware manufacturer. One hypothesis is that it stamps for Ingress, Destination and Egress.
• Four Stamp
  
  Candidate pairs which stamp four times are the most reliable for determining aliases. Our investigations have shown that this behavior is most commonly observed on Juniper routers. In cases, four stamp routers will stamp for other interfaces on the router. That is, unlike the two stamp behaviors, the interfaces which the probe arrives and departs over do not affect the results of stamping. That said, there are some routers which only stamp for a subset of all interfaces. We are unsure as to what causes this, but our suspicion is that they may have per-interface configurations preventing a full-mesh of stamping. Another possibility is that due to the distributed nature of some of the high-end routers, knowledge of the full interface set is not shared across all processors.

Probe Methods

In addition to investigating the underlying causes of stamping behaviors, we also tested different probing methods to establish whether the coverage of the technique could be boosted by combining methods. We found that there are a small number of targets which are unresponsive to ICMP probes with the Prespecified Timestamp option but do respond to UDP probes.

In our experiments, we see an average of 8.34% of unresponsive destinations which respond to UDP probes, but not to ICMP. This implies that for the set of interfaces which do not respond to ICMP timestamp probes, we could potentially make use of approximately 8% of them by sending UDP probes. Unfortunately this means sending every single ICMP unresponsive address a UDP probe to determine whether it will respond.

In our large-scale ICMP experiments, we saw around 48.98% of targets not respond to ICMP timestamp probes. Accordingly, we could perhaps expect to see an overall gain of approximately 4.1% of interfaces by utilizing UDP probing. As mentioned earlier, this however requires probing every one of the unresponsive targets with a UDP probe to determine eligibility. In this example, this would require at least an extra 1,015,639 probes (assuming we only send one per non-responsive target). According to our models, these extra 1 million probes would allow at most an extra 85,000 targets to be used for dealiasing. These 85,000 targets must now be tested to ensure compatibility with the dealiasing algorithm. If we assume that roughly the same fraction of UDP responsive targets are suitable as ICMP targets, then we can expect that somewhere around 30,000 targets end up being suitable. This is not considering the pairing - i.e. whether the other interface in the pair will be suitable also.

We suggest that the small number of targets recovered does not justify the large number of extra probes that must be sent. There are indeed cases where probing with UDP is beneficial, therefore if the technique is being used in an ad-hoc manner to dealias a single target, it is certainly worth trying UDP probes if ICMP fails.

Vantage Points

Sherry's original description of the technique makes mention of using multiple vantage points for the purpose of overcoming filtering of IP options in the path to targets. While we agree that using multiple vantage points is advantageous to dealising, our experiments suggest that there is little filtering in paths to targets, filtering mostly happens at the edges. Multiple vantage points are instead useful for covering different ingress and egress interfaces for routers which only stamp twice (see the "Underlying Two Stamp" section above).

We tested a sample of 25,000 targets from three geographically distributed vantage points (USA, Germany and China) and found that only a small number of targets (~5%) which were unresponsive from one vantage point are responsive from another.

Multiple vantage points are however very beneficial when it comes to mitigating the effect that Two Stamp Ingress/Egress and Destination/Egress routers have on the results. As explained in the earlier section about underlying stamping behaviors, if a two stamp router is probed from multiple vantage points, the chances of encountering the correct combination of ingress and egress interfaces for the pair being dealiased is increased. A potential indicator of the gains to be had is the difference between the number of two stamp interfaces that we see when probing from a single vantage point, and the number that Sherry saw when probing from multiple vantage points. In our probing, we see 5.72% of interfaces responding with two stamps, whereas Sherry sees 22.2% - a 16.48% gain.

As we mentioned earlier this gain could be optimized by attempting to infer ingress and egress interfaces of routers by analyzing the results of probing targets with (A|AAAA). These interfaces could be used to intelligently pair interfaces and assign them to a vantage point for dealiasing.

Evaluation

Overall we have found that the prespecified timestamp dealiasing technique has limited real-world applicability. We find that it falls short in three major areas: it requires explicit candidate pairs; it cannot declare a pair as non-aliases; it relies on a specific, non-standard implementation of the timestamp option.

While the technique is potentially useful for tactical dealiasing tasks, it's requirement that candidate pairs be explicitly provided makes it impractical for large-scale application. For example, CAIDA uses over 2.3 million addresses as input for their MIDAR dealiasing process (see MIDAR tools page for more information). To naively use the prespecified timestamp technique on this set would require testing well over five trillion (N²) pairs. As a rough average, the timestamp technique requires approximately 30 probes to resolve any given pair, giving a total number of probes in the order of 150 trillion. There are heuristics that can be used to reduce the number of pairs, but they still leave a leave a large number of pairs and introduce the possibility of discarding true aliases. We are currently in the process of investigating the viability of using TTL clustering as suggested by Sherry in the original paper.

In addition to requiring explicit candidate pairs, the technique is unable to reliably provide a non-alias declaration for any given candidate pair. That is, the only reliable determinations it can provide are 'alias' and 'unknown'. While we have extended the algorithm to enable it to provide a non-alias declaration, it is for a very specific edge case. See the "Reverse Path Check" section of the Motu readme for more details.

For the technique to successfully resolve a pair of addresses as aliases, the router must stamp either two, or four, times. As we have shown, two stamp routers stamp only for a specific pair of addresses, and so are only useful if the dealiasing candidates happen to exactly line up with the path we take out of the router (or in and out in the Ingress/Egress case). The other useful stamping behavior, four stampers, is, as we have shown, almost entirely seen on Juniper routers. While Juniper is a popular router vendor, it accounts for less than one third of the core routers in the Internet. The dominant vendor, Cisco, appears to be the cause of the rather unreliable two-stamp behavior.

In addition to the largest vendor's routers only being useful if the path takes specific interfaces, there is also a general recommendation that router operators should disable IP option support altogether. Cisco released a security advisory in 2009 which related to a vulnerability in their router's handling of packets with IP options. Cisco's advice for a workaround was for operators to drop any packets which contained options. Other router operators have also written about the security issues presented by packets with IP options and recommend that they be dropped. These issues cast doubt on the usefulness of the technique in the real-world, both in the present, and into the future as more operators drop packets with options.

That said however, the technique is useful as a 'tool in the dealiasing toolbox'. That is, if a researcher has a specific pair (or set of pairs) of interfaces they believe to be aliases, the technique can potentially provide some confirmation of this when coupled with other techniques. It is also possible that timestamp dealiasing may work where other methods have failed.